AnsweredAssumed Answered

Remote Access and Site-to-Site VPN access restriction

Question asked by Di Junior on Nov 17, 2018
Latest reply on Nov 18, 2018 by Aleksei Shelepov

Like • Show 0 Likes0
Comment • 10

Dear Mates

I have currently migrated our VPN solution to Check Point. However, I have been experiencing some issues when it comes to restricting access to specific machines.

For example, if I set the VPN domain on the Gateway to 10.10.0.0/24 which is a network behind the gateway. And then create a firewall policy for remote users to access only 10.10.0.20/32, the remote users are also being able to access other hosts in 10.10.0.0/24 network like 10.10.0.22/32 , even if I only use a single host as a destination.

In the figure above, the RemoteAcess-users, are also being able to access other machines on the defined VPN domain apart from GUI-A.

Does this mean that remote users can access any machine in the VPN domain?

Any ideas on how this issue could be resolved, in such a way remote users only access the machines defined in the Destination field of the Firewall Policy?

Site-to-Site VPN

The same behavior is happening in site-to-site VPN, I only specified on host in the source, but other host can also access the remote machines even if they are not specified as source.

Thanks in advance

No one else has this question

Outcomes

Jozko Mrkvicka Nov 17, 2018 10:59 PM

1. Please check logs and find out which firewall rule is allowing such traffic (if all rules have enabled logging).

2. Send us screenshot of "GUI-A" and "GUI-B" hosts.

3. Check NAT rules if there are any.

Actions

Di Junior @ Jozko Mrkvicka on Nov 17, 2018 11:09 PM

Hi there

There is only one rule. And when such communication happen, I don't see the logs in SmartView tracker. I'm starting to wondering if it's not an implicit rule.

Thanks

Actions

Jozko Mrkvicka @ Di Junior on Nov 17, 2018 11:16 PM

Hi,

In this case try to enable logging of Implied rules from Global Settings and install the database (of course firewall itself).

Stupid question, but it happened to me few times - are you checking the correct gateway ? Try to do tcpdump to confirm that you see some traffic during test, and issue "fw stat" to find which policy package is used for this cluster.

1 person found this helpful

Actions

Di Junior @ Jozko Mrkvicka on Nov 18, 2018 12:09 AM

Hi Jozko Mrkvicka

The traffic seems to be accepted by an implied rule (see the figure below). The question is, where can i find the implied rule number 0? is it the first one in the implicit rules (File->View->implied rules)?

Thanks

Actions

Jozko Mrkvicka @ Di Junior on Nov 18, 2018 1:05 AM

Isnt IP 10.10.1.3 one of cluster members? Is this IP part of Topology ?

usually traffic going from cluster members is going via Implied Rules.

Also, try some real traffic, like ssh or https, not ping.

Actions

Di Junior @ Jozko Mrkvicka on Nov 18, 2018 1:34 AM

its not a cluster. I am using two separated gateways.

10.10.1.3 is a host which is part of the topology of the remote peer.

Actions

Jozko Mrkvicka @ Di Junior on Nov 18, 2018 1:45 AM

10.10.1.3 must be included only in local VPN encryption domain of SGW-B (also part of Topology).

10.10.0.10 must be included only in remote VPN encryption domain of VPN-PEER.

1 person found this helpful

Actions

Di Junior @ Jozko Mrkvicka on Nov 18, 2018 1:56 AM

Hi Jozko Mrkvicka

You were right.

I enabled Web services on the 10.10.0.10, and I tried to access it using http from a remote client and access was not granted. I tried to ping it, it worked.

I guess this issue is only related to Ping.

Why is that ping is accepted by the implied rule even if the destination is not specified in the firewall policy?

Thanks

Actions

Jozko Mrkvicka @ Di Junior on Nov 18, 2018 5:09 AM

Hi Di Junior,

Please check if you have Accept ICMP requests enabled, or not. These are the default settings for all implied rules:

1 person found this helpful

Actions

Aleksei Shelepov Nov 18, 2018 9:27 AM

0 - Implied rules - it represents all of implied rules, you would need to check Global properties or Implied rules themselves to understand which setting exactly allows this traffic. But usually it's not difficult to determine.

I would like to point to another possibility, which is not your case obviously, but just worth mentioning.

Accept all encrypted traffic option might be enabled in comunity properties.

Which will result in the following rule, which is visible in policy by default (not like implied rules).

3 people found this helpful

Actions

10 Replies

Jozko Mrkvicka Nov 17, 2018 10:59 PM
Mark Correct
Correct Answer
1. Please check logs and find out which firewall rule is allowing such traffic (if all rules have enabled logging).

2. Send us screenshot of "GUI-A" and "GUI-B" hosts.

3. Check NAT rules if there are any.
Like • Show 0 Likes0
Actions
- Di Junior @ Jozko Mrkvicka on Nov 17, 2018 11:09 PM
  Mark Correct
  Correct Answer
  Hi there
  
  There is only one rule. And when such communication happen, I don't see the logs in SmartView tracker. I'm starting to wondering if it's not an implicit rule.
  
  Thanks
  Like • Show 0 Likes0
  Actions
  - Jozko Mrkvicka @ Di Junior on Nov 17, 2018 11:16 PM
    Mark Correct
    Correct Answer
    Hi,
    In this case try to enable logging of Implied rules from Global Settings and install the database (of course firewall itself).
    
    Stupid question, but it happened to me few times - are you checking the correct gateway ? Try to do tcpdump to confirm that you see some traffic during test, and issue "fw stat" to find which policy package is used for this cluster.
    1 person found this helpful
    Like • Show 1 Like1
    Actions
    - Di Junior @ Jozko Mrkvicka on Nov 18, 2018 12:09 AM
      Mark Correct
      Correct Answer
      Hi Jozko Mrkvicka
      
      The traffic seems to be accepted by an implied rule (see the figure below). The question is, where can i find the implied rule number 0? is it the first one in the implicit rules (File->View->implied rules)?
      
      Thanks
      Like • Show 0 Likes0
      Actions
      - Jozko Mrkvicka @ Di Junior on Nov 18, 2018 1:05 AM
        Mark Correct
        Correct Answer
        Isnt IP 10.10.1.3 one of cluster members? Is this IP part of Topology ?
        usually traffic going from cluster members is going via Implied Rules.
        Also, try some real traffic, like ssh or https, not ping.
        Like • Show 0 Likes0
        Actions
        Di Junior @ Jozko Mrkvicka on Nov 18, 2018 1:34 AM
        Mark Correct
        Correct Answer
        its not a cluster. I am using two separated gateways.
        10.10.1.3 is a host which is part of the topology of the remote peer.
        Like • Show 0 Likes0
        Actions
        Jozko Mrkvicka @ Di Junior on Nov 18, 2018 1:45 AM
        Mark Correct
        Correct Answer
        10.10.1.3 must be included only in local VPN encryption domain of SGW-B (also part of Topology).
        10.10.0.10 must be included only in remote VPN encryption domain of VPN-PEER.
        1 person found this helpful
        Like • Show 0 Likes0
        Actions
        Di Junior @ Jozko Mrkvicka on Nov 18, 2018 1:56 AM
        Mark Correct
        Correct Answer
        Hi Jozko Mrkvicka
        
        You were right.
        I enabled Web services on the 10.10.0.10, and I tried to access it using http from a remote client and access was not granted. I tried to ping it, it worked.
        I guess this issue is only related to Ping.
        Why is that ping is accepted by the implied rule even if the destination is not specified in the firewall policy?
        Thanks
        Like • Show 0 Likes0
        Actions
        Jozko Mrkvicka @ Di Junior on Nov 18, 2018 5:09 AM
        Mark Correct
        Correct Answer
        Hi Di Junior,
        
        Please check if you have Accept ICMP requests enabled, or not. These are the default settings for all implied rules:
        1 person found this helpful
        Like • Show 0 Likes0
        Actions
Aleksei Shelepov Nov 18, 2018 9:27 AM
Mark Correct
Correct Answer
0 - Implied rules - it represents all of implied rules, you would need to check Global properties or Implied rules themselves to understand which setting exactly allows this traffic. But usually it's not difficult to determine.

I would like to point to another possibility, which is not your case obviously, but just worth mentioning.
Accept all encrypted traffic option might be enabled in comunity properties.

Which will result in the following rule, which is visible in policy by default (not like implied rules).
3 people found this helpful
Like • Show 1 Like1
Actions

Remote Access and Site-to-Site VPN access restriction

Outcomes

Related Content

Recommended Content