This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oliver_222
Participant
‎2022-09-27 02:47 AM

Routing table when connected to SNX in Network Mode Only

We are trying to switch to Unified Access Policy.
When connecting to SNX in Network Mode Only, third party users, lose their local network. 
A lot of routes are prescribed on the PC. 
There are no routing problems when working with Legacy Policy, but when switching to UAP, there is a route to two subnets with the gateway specified from the IP Pool of Issued Addresses.
Can you tell me why these routes are created? Maybe we missed something when configuring Unified Access Policy?

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2022-09-27 09:36 AM

Are the networks in question included in the encryption domain?

0 Kudos
Oliver_222
Participant
‎2022-09-28 12:33 AM
In response to PhoneBoy

No. Clients are connected via Mobile Access to SNX.
And once connected, they lose their local network.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-09-29 07:15 AM
In response to Oliver_222

Are you saying no because:

  • The networks aren't in the encryption domain (you've checked and confirmed this)
  • You believe the encryption domain doesn't apply because you're using MAB and SNX

Whether it's one of the regular Remote Access clients or SNX in Network Mode, the routes received by the client will match what is configured in the Remote Access Encryption Domain.
This may not be the case in legacy mode, but in Unified Access Policy mode, this is definitely the case.

 

0 Kudos
Oliver_222
Participant
‎2022-10-03 12:55 AM
In response to PhoneBoy

That is, in order to ensure that users do not lose their local network, network must be added to the remote access encryption domain in the gateway settings?  

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-03 09:30 AM
In response to Oliver_222

The routes injected to the remote access clients should match the Remote Access Encryption Domain settings.
It therefore must be removed, not added.

0 Kudos
Oliver_222
Participant
‎2022-10-14 02:24 AM
In response to PhoneBoy

In the encryption domain we have the internal subnets 192.168.0.0 and 172.16.0.0.
If we select "All IP Addresses behind Cluster Members based on Topology information" these subnets will also be in the encryption domain.
Do you mean use the encryption domain without any subnets?
Or should we add the subnets to the exception in "Set Specific VPN Domain for Gateway Communities", just like in sk167000?

0 Kudos
PhoneBoy
Admin
Admin
‎2022-10-14 10:18 AM
In response to Oliver_222

You need to modify the encryption domain so the subnets you don't want to inject to your remote clients are not included in the definition.
The approach mentioned in sk167000 should work for this case, though you don't necessarily need to use "any" here.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events