Blason_R
Leader

Harmony Connect Corporate DNS Scenario is not working in RA mode

Hi Team,

I am trying to demonstrate the scenario below with Harmony RA. I have set up my DC as 10.10.144.0/24. The customer would like to route DNS traffic only to the internal DNS server, since they have a secure DNS resolver. They would not want to use IA or any other applications at this moment.

I have set up two machines, with 10.10.144.4 as my Harmony connector, and installed Docker and followed the procedure.

The customer has a secure DNS resolver at 10.10.144.2.

Configured a local user on the Harmony portal and set up the Network Access policy.

However, my queries to the corporate DNS server are not working. I want all my DNS queries to be sent to 10.10.144.2.

Here is my setup and configuration. Am I missing anything here? I also have the queries below:

  1. Since this is a cloud setup, I need to open firewall ports between 10.10.144.4 and 10.10.144.2.
  2. Do I really need to do that?
  3. What IP addresses or network are used by Harmony Connect, so that I can allow them in the cloud?
  4. Will that traffic be tunneled as well to reach the private IP address? Or will it be sent to the public IP address of the secure resolver?

TIA

Blason R

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
1 Solution

Accepted Solutions
Blason_R
Leader

Finally the issue is resolved, and I really appreciate @Andy_P's extensive help. Much thankful to him.

The issue was: in my cloud, whenever I was spinning up VMs they used to get two NICs, one with a public IP and another with my VPC.

Now when I started Docker it used to start on eth0, since that has the default gateway pointed to the internet; even when I started it on eth1, Docker was not coming up and it always used to show that the tunnel was not up.

However, it used to come up properly with eth0; but since the tunnel was established with the public IP, it was not able to route the traffic for the internal IPs. Even when I set up ip_forward and added iptables with masquerade, it was in vain.

Finally, here is what I did:

Let's assume I have spun up two VMs, VMA (connector VM) and VMB (BIND/named VM), with this IP scheme:

VMA
eth0: 1.2.3.4
eth1: 10.10.144.4

VMB
eth0: 5.6.7.8
eth1: 10.10.144.2

So I first deleted the default route from VMA, which is the connector VM (of course this is done by connecting to its internal IP from VMB).

Added a default route through netplan pointed to VMB {0.0.0.0/0 NH 10.10.144.2}.

Enabled ip_forward on VMB.

Added iptables masquerade on VM:

# the table name is lowercase "nat"; iptables rejects "-t NAT"
iptables -t nat -A POSTROUTING -s 10.10.144.0/24 -o eth0 -j MASQUERADE

That way my connector VM started routing through eth1 and to the internet through VMB. Then I deleted the Docker image and re-ran it on eth1 on VMB.

That finally worked. Again, there is no need to deploy a rule in the Network Access policy, as I did not want anyone to connect to my DNS server on port 22.

My corporate DNS server was set to 10.10.144.2.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
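
The VMA/VMB arrangement in this solution (connector VM with its default route pointed at the BIND VM, which forwards and source-NATs the VPC subnet out of its public NIC), written up as an added example; this is not code from the thread or from Check Point. Interface names and addresses are the ones given in the post; the netplan and sysctl file names, the extra FORWARD rules and the `default_route_ok` check are assumptions of this example. The check takes an `ip route` listing on stdin and fails when a second default route is still present on the public NIC, which is the broken state the post describes.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. VMA = connector VM, VMB = BIND VM that
# also acts as the NAT gateway for the VPC subnet.
set -eu

INTERNAL_NET="${INTERNAL_NET:-10.10.144.0/24}"
VMA_INTERNAL_IP="${VMA_INTERNAL_IP:-10.10.144.4}"
VMB_INTERNAL_IP="${VMB_INTERNAL_IP:-10.10.144.2}"
WAN_IF="${WAN_IF:-eth0}"   # NIC with the public address
LAN_IF="${LAN_IF:-eth1}"   # NIC on the VPC subnet

# Netplan fragment for VMA: eth1 keeps its VPC address and becomes the only
# way out, with the default route pointing at VMB's internal address.
# Writing it to /etc/netplan/60-via-vmb.yaml is an assumed file name.
render_vma_netplan() {
  cat <<EOF
network:
  version: 2
  ethernets:
    ${LAN_IF}:
      addresses: [${VMA_INTERNAL_IP}/24]
      routes:
        - to: 0.0.0.0/0
          via: ${VMB_INTERNAL_IP}
EOF
}

# Read an 'ip route' listing on stdin; succeed only if there is exactly one
# default route and it leaves via VMB on the LAN interface. A leftover
# default route on the public NIC (two defaults) fails the check.
default_route_ok() {
  awk -v via="$VMB_INTERNAL_IP" -v dev="$LAN_IF" '
    $1 == "default" { n++; if ($2 == "via" && $3 == via && $4 == "dev" && $5 == dev) ok = 1 }
    END { exit !(n == 1 && ok) }'
}

# Run on VMB as root: enable forwarding and source-NAT the VPC subnet behind
# the public NIC. The table is spelled "nat" (iptables rejects "-t NAT").
# The two FORWARD rules are an addition to the post: only the subnet's own
# outbound traffic and replies to it are forwarded, nothing unsolicited
# from the internet side reaches the subnet.
vmb_enable_gateway() {
  sysctl -w net.ipv4.ip_forward=1
  printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-ipforward.conf  # assumed file name
  add_rule nat POSTROUTING -s "$INTERNAL_NET" -o "$WAN_IF" -j MASQUERADE
  add_rule filter FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$INTERNAL_NET" -j ACCEPT
  add_rule filter FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Append a rule only if it is not already present, so re-running is safe.
add_rule() {
  local table="$1" chain="$2"
  shift 2
  iptables -t "$table" -C "$chain" "$@" 2>/dev/null ||
    iptables -t "$table" -A "$chain" "$@"
}

# Usage:
#   on VMA:  ./vmb-gateway.sh netplan > /etc/netplan/60-via-vmb.yaml && netplan apply
#            ./vmb-gateway.sh check
#   on VMB:  ./vmb-gateway.sh gateway
case "${1:-}" in
  netplan) render_vma_netplan ;;
  gateway) vmb_enable_gateway ;;
  check)   ip route | default_route_ok && echo "default route goes via ${VMB_INTERNAL_IP} on ${LAN_IF}" ;;
esac
```

Deleting VMA's default route over eth0 cuts its public-side access, so the `netplan` step is done from VMB over the internal address, as the post says; run `check` afterwards before restarting the connector container.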

16 Replies
Blason_R
Leader

Hey folks, any help here? I have been working on troubleshooting this but, dang, DNS queries are not passing through the tunnel to my secure resolver.

@Chris_Atkinson @G_W_Albrecht - Can you guys tag anyone from the Harmony team, or involve them? I would really appreciate that.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Chris_Atkinson
Employee

How is your Network Access policy defined?

Connectivity Mode = Network Access only?

What networks are configured in your Bypass Destinations?

Does the connector monitoring report that it is online?

 

CCSM R77/R80/ELITE
Blason_R
Leader

Hi There,

Here are my responses - 

Access is given as source Any and destination Network 10.10.144.0/24, service Any.

Connectivity mode - Network: Yes

I removed 10.0.0.0/8 from Bypass Destinations.

And yes, the connector reports online.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Blason_R
Leader

Unfortunately I am still not getting any response, and neither does my scenario work!! Can someone please help?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Chris_Atkinson
Employee

What do the routing tables on the client look like when HC is connected? Have you investigated the other end with tcpdump or similar?

Are you in contact with your local SE about this?

CCSM R77/R80/ELITE
Blason_R
Leader

The routing table absolutely looks fine and the routes are present for my encryption domain. Those appear in my desktop routing table. I tried capturing packets but I don't see those packets.

I mean none of the access works, not SSH or DNS either.

Yes, I tried contacting the local SE but it does not look like much help. I myself have done extensive troubleshooting and went through so many logs, but it does not look like the SE will be able to help me. Maybe an SME from Harmony Connect can help?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Chris_Atkinson
Employee

In general your SE should be able to connect you with the relevant support teams / resources.

Is the result the same if you try a different source machine, or are there any potential conflicts in terms of other security software that might be installed?

Will reach out internally to see who can assist further.

CCSM R77/R80/ELITE
Blason_R
Leader

Sure, thanks - let me see and try reaching out to the local SE.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Andy_P
Employee

Hi @Chris_Atkinson, please contact me offline to take a look.

ICSI
Collaborator

1. Harmony Connect / Assets / Branches & Data Centers / click on the (i) symbol: have you enabled your internal network here?

Internal Sub-Networks 10.10.144.0/24, for example.

2. Harmony Connect / Settings / Connectivity Mode: at least, do you have Corporate Access Network Access enabled?

3. Harmony Connect / Settings / Harmony Connect Agent / Do you have it disabled when inside the corporate office? I do, and I defined a couple of IPs that confirm I am inside.

4. Harmony Connect / Settings / Corporate DNS Servers: you should be able to ping this IP from the Harmony Connect machine. I am using a virtual machine and I had problems when sharing the same IP; it was a small mistake. I turned to NAT and let the VM have its own IP.

5. Check the FW/iptables. I had problems with this as well.

6. And probably this should be the FIRST STEP! Are you using Ubuntu 22.04 SERVER edition? If not, please start over and use ONLY Ubuntu Server, otherwise you will have n kinds of problems, as I did.

G’Luck!

Regards,

Oscar Catana
https://ipthub.com

Cyber Sec Passionate!
Blason_R
Leader

Here are my responses -

 

1. YES

2. YES, Network Connectivity

3. Nope - I don't need to, since all the time I wanted my corporate DNS to be used, i.e. the corporate or secure DNS to resolve the DNS queries.

4. Nope, I am not able to PING.

5. iptables and all firewalls are off. Checked 1000 times 🙂

6. I even tried with 20.04, but the same thing.

Anything else that you would want me to try?

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
_Val_
Admin

Maybe it's a good time to consider a TAC case: https://help.checkpoint.com

Andy_P
Employee

Hi.

Please check that you don't have network 10.0.0.0/8 in the bypass configuration for the HC agent. See the screenshot attached.

Harmony Connect App > Settings > Harmony Connect Agent > Bypass Destinations.

You should also have DNS traffic allowed in the Network Access policy.

 

Blason_R
Leader

Well, I am inching towards resolution - so far I was able to connect to internal servers, but I am still unable to forward the queries. Will share the entire solution once I am done.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
ICSI
Collaborator

That was a really good solution! Thanks for sharing. NOW WE KNOW!

Regards,

Oscar Catana
https://ipthub.com

Cyber Sec Passionate!