This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dr_Steve_Brule
Participant
‎2022-09-02 06:27 AM
Jump to solution

Sourcing SMB services from internal interface - ICMP, NTP, DNS to send over VPN

Hi all,

I have a couple of SMB 1500 devices setup for various home users.  We set these devices up with the ability to sit on their private network at home so the appliance is setup as a DAIP gateway with a private DHCP address from their home network on the WAN interface of the SMB (did this to make it easy on the end use so they can just plug in the device at home and flexibility to move the device around).

Once they get plugged in, IPSEC VPN is configured and it will create a tunnel to the main site and have connectivity.

One limitation I found on the appliance itself - I'd like to send services such as DNS, NTP, ICMP from the appliance itself down the tunnel using the LAN IP of the appliance instead of the WAN IP.  Currently, those requests are trying to be sent down the tunnel using the WAN IP which could be any private IP on the home user's network.  I don't want to define the user's home networks as part of the encryption domain so if there is some kind of workaround to use the SMB's LAN IP to send those requests, that'd be great.  Any ideas on this?

0 Kudos
1 Solution

Accepted Solutions
Dr_Steve_Brule
Participant
‎2022-09-02 11:55 AM
Jump to solution

Found it - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Centrally Managed Solution:

Firmware R77.20.80 and higher (SMB-4577) adds the same functionality for Centrally Managed Devices.

In order to enable the feature a kernel parameter should be used - fw ctl set int fw_enc_conns_use_internal 1

View solution in original post

5 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-09-02 09:10 AM
Jump to solution

In Advanced Settings search for "source" and you should find applicable options to assist i.e.

"Use internal IP address for encrypted connections from local gateway"

CCSM R77/R80/ELITE
0 Kudos
CaseyB
Advisor
‎2022-09-02 09:49 AM
In response to Chris_Atkinson
Jump to solution

Is there something similar for the 1430s? Searching for similar terms in Advanced Settings is telling me no.

0 Kudos
Dr_Steve_Brule
Participant
‎2022-09-02 11:35 AM
In response to CaseyB
Jump to solution

CaseyB - See my reply to Chris above.  Mine is centrally managed...may be a difference between centrally and locally managed gateways...

0 Kudos
Dr_Steve_Brule
Participant
‎2022-09-02 11:34 AM
In response to Chris_Atkinson
Jump to solution

Forgot to mention - this is a centrally managed gateway.  Per https://community.checkpoint.com/t5/SMB-Gateways-Spark/R80-20-15-Locally-Managed-Advanced-Settings/t... it looks like "VPN Site to Site global settings - Use internal IP address for encrypted connections from local gateway" is a valid option for locally managed SMBs.  Hoping there may be something in GUIDBEdit for centrally managed...

0 Kudos
Dr_Steve_Brule
Participant
‎2022-09-02 11:55 AM
Jump to solution

Found it - https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Centrally Managed Solution:

Firmware R77.20.80 and higher (SMB-4577) adds the same functionality for Centrally Managed Devices.

In order to enable the feature a kernel parameter should be used - fw ctl set int fw_enc_conns_use_internal 1

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events