This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Narimankz15
Explorer
‎2024-04-06 09:48 AM

Site-to-Site VPN Route All Traffic Through Central Check Point

Hello everybody!
We have such a problem: We want to raise a tunnel between the central office and branches, there are Checkpoints everywhere. The task is this: all traffic, including the Internet, must go through the central Checkpoint. Can you tell me how to set it up? if it is "Domain-based" then what should I specify in the domains? maybe in the "VPN routing" tab, what should I choose? or should I use a "routing-based VPN"? All checkpoints will be managed through a single cloud management. Thanks in advance!

0 Kudos
2 Replies
the_rock
Legend
Legend
‎2024-04-07 03:50 PM

I dont believe it matters if its domain or route based, thats just type of tunnel. There is a setting in vpn community, default one is to center only, but you can choose the 3rd one, that would probably work in this case, or second one if traffic does not need to reach the Internet through the center gateway.

Best,

Andy

0 Kudos
AmirArama
Employee
Employee
‎2024-04-11 09:00 AM

you need to select the 3rd option with vpn routing tab in the community.

it will create vpn routing on your satellites GWs to have all subnets not explicitly defined with other vpn targets to go via the center.

be aware that it will have an impact. the satellites GWs will expect to get all the traffic from any address to come encrypted. hence even if you try to open ssh from internet to the GW it will be dropped by "clear text packet should be encrypted".

you can overcome it with "excluded services" in the community -> applied to all community, or by crypt.def file for specific exclusions, or by selecting "Exclude gateway external ip address from the VPN domain" in gw object > network mgmt > vpn domain. (only exist in GAIA)

it will also affect the GW communication itself to the internet, so if you manage your GWs with Smart-1 cloud for example the internet from GW will go via the tunnel. again you can use one of the above (most suitable is crypt.def for this)

Thanks

if it's route based VPN you will need to have route or PBR that routes default towards this VTI

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events