CPMI not being encrypted by VPN

[Brittin_C]

Hi.

I have a VPN from my home office to my data center. My data center has the SmartCenter box and the CP firewalls provide access to the DC via VPN.

I have a problem in that with the VPN connected I cannot with SmartDashboard over the VPN to the SmartCenter server.

I CAN use RDP to get a desktop connection on the SmartCenter server and then run SmartDashboard locally.

SmartTracker shows the CPMI connection between the two, but doesnt show it as a decrypt...

Any ideas why?


Additional facts:
- My remote IP is in the SmartCenter IP list
- My laptop can connect when I am in the data center on a local IP
- When on the VPN, the rule which shows CPMI as passing is an implied rule, not the VPN rule

[Thorpuse]

The answer's right there - implied rules do not get IPSEC encrypted. This is one of those little Check Point annoyances.

Easiest fix is to use RDP, or to tunnel the CPMI connection via SSH port forwarding. If you're feeling brave, you can try modifying the .def files for implied rules, but I don't recommend ths unless there's no easier option.

[BarryStiefel]

Quote:

Originally Posted by Brittin_C

Hi.

I have a VPN from my home office to my data center. My data center has the SmartCenter box and the CP firewalls provide access to the DC via VPN.

I have a problem in that with the VPN connected I cannot with SmartDashboard over the VPN to the SmartCenter server.

I CAN use RDP to get a desktop connection on the SmartCenter server and then run SmartDashboard locally.

SmartTracker shows the CPMI connection between the two, but doesnt show it as a decrypt...

Any ideas why?


Additional facts:
- My remote IP is in the SmartCenter IP list
- My laptop can connect when I am in the data center on a local IP
- When on the VPN, the rule which shows CPMI as passing is an implied rule, not the VPN rule

Are you sure it really needs to go through a VPN tunnel? CPMI is already encrypted with SSL using certificates. Sure, it would be nice to hide the port numbers, etc., but SIC communications are already in their own "VPN".

[Routerkid1]

Please do the following on the community that includes the smart center you need to add the implied rule's for cpmi to the excluded services box. You can figure out what services you need to add by viewing the implied rules on dashboard by clicking view implied rules, You can not manage a box by default through a vpn. The comm has a 128 bit ssl cert anyway . Try that and let me know if that works for you..

[Brittin_C]

Okay, I think I get what everyone is saying. Two things:

1. I can use RDP to get to the data center and manage the existing firewalls, no problem.

2. When I build up another firewall at a different location, will i have the same problem connecting OUT my firewall to another firewall on the internet?

Thanks for all the help, ya'all are great.

[Routerkid1]

no providing they are in the same community and you excluded the cpmi services from the vpn.


If you intend on managing a firewall through a vpn then exclude the services.