Choking on VPN Rule



amani
2010-12-07, 11:17
We were deploying our first SG80 firewall. We established SIC and pushed policy, and received the following error message:

VPN Support Group Access: Security Policy cannot be installed because Client, Session or User Authentication is not supported on a Check Point Security Gateway 80 series.

We disabled the VPN user in question, and received a new error message:

Fail to execute policy commit function

What was CP thinking by not supporting Client, Session, or User Authentication?

Does anybody have any suggestions? I have my CP consultant with me, and we're still investigating the issue.

amani
2010-12-08, 11:37
Yesterday was our first deployment of the SG80 appliance. It was replacing an OpenServer running R65.

As an update, we resolved the error: Fail to execute policy commit function.

We discovered that if we disabled the IPS on the SG80 appliance and disabled the VPN rule, we were able to push a policy.

Next, on the SmartCenter, we downloaded the latest IPS definitions and pushed them out to the SG80 appliance. We re-enabled IPS and were able to push policy.

Another strange behavior involves RPC enforcement. See http://www.cpug.org/forums/services/14799-dce-rpc-enforcement-violation-uuid-not-allowed-through-rule-base.html.

I verified twice, yesterday and again this morning, that the assigned IPS Profile was set to Recommended_Protection. I pushed policy again, and after some testing I see the RPC traffic still being blocked by the SG80 appliance. What makes this odd is that the OpenServer in HQ running R71 doesn't show the same behavior (i.e., it's not blocking RPC traffic).

I'm scratching my head on this. Unfortunately, with RPC, you can't create an Exception.

Aside from RPC and the VPN, it was a smooth installation.