CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E


Results 1 to 2 of 2

Thread: Firewall Control Connections (i.e. SIC) in VPN Communities

  1. #1
    Join Date
    Rep Power

    Default Firewall Control Connections (i.e. SIC) in VPN Communities

    I am currently setting up a proof of concept within the Microsoft Azure cloud, I have a Virtual firewall within the cloud.
    I have configured the VPN and the endpoints are on my site a CP4800 and at the remote end I have used the Azure endpoint. The VPN works as expected, I decided to try and use a virtual firewall in conjunction with Microsoft NSG's (Nework security groups). I have tried to establish management (SIC) of the remote Virtual Firewall.

    The results I see are the firewall control connections leaving my external FW unencrypted and then the sic communication fails. I tried a manual rule to encrypt the traffic but the connection never hit the rule I added my self to the manual rule and I got a positive response from the remote FW when telneting on port 18191 and 18208 (i also see an encrypted connection leaving my firewall.

    So my question is is it possible to disable the implied rules for one VPN community if not is there a resource anyone knows of which details; 1) how best to disable the implied Accept Control Connections and manually recreate them, 2)the inherent risks of such action.

    Be gentle!

    Cheers Damien.

  2. #2
    Join Date
    Rep Power

    Default Re: Firewall Control Connections (i.e. SIC) in VPN Communities

    The Control Connections as Implied Rules are a Global Property so would be enabled / disabled for All Firewalls.
    They are added as Implied Rules at the Top of the Policy so they are "hit" before manual rules.

    Use the View / Implied Rules to see the rules that are created.

    How about

    1.) Remove the VPN Tunnel to the Azure VPN Gateway
    2.) Publish the Check Point Firewall to the Internet in Azure
    3.) Establish VPN with the Check Point Gateway in Azure

    That way you aren't trying to manage a Check Point Gateway over a VPN and the Implied Rules are no longer an issue. Remember to use the crypt.def file to say don't encrypt traffic to the Check Point IP in the Azure Cloud

Similar Threads

  1. Replies: 6
    Last Post: 2015-02-05, 08:34
  2. Established connections in firewall acl
    By vladimir.akimov in forum Firewall Blade
    Replies: 2
    Last Post: 2013-09-30, 05:27
  3. Replies: 2
    Last Post: 2008-05-26, 06:53
  4. Replies: 16
    Last Post: 2008-01-04, 07:26
  5. Managing VPN without VPN-1 Pro/Express Control Connections
    By Yasushi Kono in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 5
    Last Post: 2006-11-21, 05:49

Tags for this Thread


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts