CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: Management Server sits behind NAT - SIC issues


  1. #1
    Join Date
    2014-10-27
    Posts
    125
    Rep Power
    3

    Management Server sits behind NAT - SIC issues

    Hi All,

    I have a management Server with a private IP address; it sits behind a firewall and is NAT'ed to a static public IP.

    It is then trying to establish SIC with a gateway (the gateway has a public IP) sitting on the internet.

    I have read that the SIC certificate uses the IP address, which means the gateway on the internet is expecting the public IP address in the SIC cert, but instead there is a private IP. What is the workaround for this issue?

    Any suggestions would be welcome.

    Thanks
    B

    Happy New Year :-)
    Bhav

  2. #2
    Join Date
    2006-09-26
    Posts
    2,736
    Rep Power
    13

    Re: Management Server sits behind NAT - SIC issues

    Quote Originally Posted by bhavinjbhatt View Post
    Hi All,

    I have a management Server with a private IP address; it sits behind a firewall and is NAT'ed to a static public IP.

    It is then trying to establish SIC with a gateway (the gateway has a public IP) sitting on the internet.

    I have read that the SIC certificate uses the IP address, which means the gateway on the internet is expecting the public IP address in the SIC cert, but instead there is a private IP. What is the workaround for this issue?

    Any suggestions would be welcome.

    Thanks
    B

    Happy New Year :-)
    This is a well "known" issue since Check Point AI R55.

    On the Management server, there is a check box that you can enable to say that the management is behind a checkpoint firewall so that it will allow you to SIC with a gateway on the Internet. This is a work-around since R55.

    Keep in mind that it will ONLY work if the Management server is behind a "checkpoint" firewall trying to establish SIC with another checkpoint gateway over the Internet.

    It will NOT work if the Management server is behind a "non" checkpoint gateway such as Cisco ASA, Juniper or Palo Alto. In that situation, you can NOT use NAT; it has to be routed.

    Hope that answers your question.

  3. #3
    Join Date
    2014-09-02
    Posts
    212
    Rep Power
    10

    Re: Management Server sits behind NAT - SIC issues

    Are you using automatic NAT? As long as you define the public IP in the NAT settings of the SMS object itself (rather than manually in NAT policy), and select "Apply for Security Gateway control connections", you should be all set. This handles both how the SMS presents itself to the remote gateway, and allows the communications to reach the gateway via Control Connections (implied rules).

    -E

  4. #4
    Join Date
    2014-10-27
    Posts
    125
    Rep Power
    3

    Re: Management Server sits behind NAT - SIC issues

    Thanks Gents, I will test the suggestions and come back to you.

    My assumption was that something needed to be done in the masters file and a few changes via GUIdbEdit... but this is easier.

    I will post an update with whatever works.

    Thanks again.
    B
    Bhav

  5. #5
    Join Date
    2006-09-26
    Posts
    2,736
    Rep Power
    13

    Re: Management Server sits behind NAT - SIC issues

    Quote Originally Posted by bhavinjbhatt View Post
    Thanks Gents, I will test the suggestions and come back to you.

    My assumption was that something needed to be done in the masters file and a few changes via GUIdbEdit... but this is easier.

    I will post an update with whatever works.

    Thanks again.
    B
    This is what he is referring to. Remember, it only works with Checkpoint firewalls. If your management server is behind a non-checkpoint device, it will NOT work with NAT and you will have to use the routing method.

    [Attached image: management_server_NAT.jpg]

  6. #6
    Join Date
    2014-09-02
    Posts
    212
    Rep Power
    10

    Re: Management Server sits behind NAT - SIC issues

    Quote Originally Posted by cciesec2006 View Post
    Remember, it only works with Checkpoint firewalls. If your management server is behind a non-checkpoint device, it will NOT work with NAT and you will have to use the routing method.
    I don't see why not. As long as you've accounted for the same two concerns, you can do this through any device.

    • Make sure the local firewall is NATing the SMS correctly and allowing the necessary services out
    • Make sure the remote GW will accept the control connections from the NATed address

      ^ The second item is the tricky part, and the one most likely to cause problems. In my suggestion above, this is handled by the fact that the SMS object contains both private and public IP addresses in its definition. If we don't define the Static NAT on the SMS object, then the implied rules on the remote gateway won't recognize the address and the Stealth rule should drop the management traffic (it will also incorrectly try to deliver logs to the internal address).

      This is where mcnallym's suggestion comes into play. The Secondary SMS object accounts for the Public IP and allows it to be manually selected as the log/fetch object. The only issue here is the ever-present "fake" Secondary SMS, which you'll see in a problem state in Monitor.

      As another [untested] idea, you could still define the Static NAT on the SMS object, even if you don't have a local CP GW performing the NAT. The remote GW should still know to use the NAT IP for control.


    cciesec2006, while you're often (maybe even usually) spot on, I think you missed this one. It really points to what I love about technology, and why I've made a career out of it: There's always a way. Of course, that "way" can often be too costly or problematic to be worth it, but it's finding that way that I find thrilling and rewarding. I get excited whenever I hear "it can't be done" or "it will NOT work" ;)


    -E

  7. #7
    Join Date
    2007-06-04
    Posts
    3,158
    Rep Power
    13

    Re: Management Server sits behind NAT - SIC issues

    Define a Secondary Management Server Object that has the Public IP as its IP.

    On the Gateway Object select the Secondary management server object as the Fetch Policy and where to Log.

    Make sure that the Firewall between the Management Server and the Internet does the Static NAT, and is configured to allow the proper services through.

    Establish SIC with Gateway.

    Works fine!

    The Gateway before establishing SIC is open to the connection from ANY IP that provides the correct SIC Key. It then takes that IP as the "Management Server" which in this case would be the Public NATed IP.
    When you push the policy down then it knows to send Logs to the Public IP and to Fetch Policy from the Public IP.

    The ICA is the same one that it is connecting to, and so SIC works.

    This is why, when you move Managed Service Provider, you allow the new ISP's Public IP to connect; it can then push a policy, and it matches up with the SIC even though the IP address of the Management Server is now different.

    SIC is certificate based NOT IP Address Based.

  8. #8
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,078
    Rep Power
    7

    Re: Management Server sits behind NAT - SIC issues

    Quote Originally Posted by mcnallym View Post
    Define a Secondary Management Server Object that has the Public IP as its IP.

    On the Gateway Object select the Secondary management server object as the Fetch Policy and where to Log.

    Make sure that the Firewall between the Management Server and the Internet does the Static NAT, and is configured to allow the proper services through.

    Establish SIC with Gateway.

    Works fine!

    The Gateway before establishing SIC is open to the connection from ANY IP that provides the correct SIC Key. It then takes that IP as the "Management Server" which in this case would be the Public NATed IP.
    When you push the policy down then it knows to send Logs to the Public IP and to Fetch Policy from the Public IP.

    The ICA is the same one that it is connecting to, and so SIC works.

    This is why, when you move Managed Service Provider, you allow the new ISP's Public IP to connect; it can then push a policy, and it matches up with the SIC even though the IP address of the Management Server is now different.

    SIC is certificate based NOT IP Address Based.
    This is by far. I've been doing this for a while and it works just fine.

  9. #9
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    644
    Rep Power
    11

    Re: Management Server sits behind NAT - SIC issues

    Automatic NAT on the MGMT object is the best way to go, if control connections are enabled through implied rules.

    You can be creative and add dummy objects for the NAT-ed MGMT; it may work but can bring some unwanted implications. Only use it in case of third-party address translation.

    Never ever encapsulate SIC into VPN traffic between Check Point GWs. With implied rules it is outside the VPN tunnel, and there are good reasons to have it this way.

    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  10. #10
    Join Date
    2005-08-29
    Location
    Upstate NY
    Posts
    2,720
    Rep Power
    14

    Re: Management Server sits behind NAT - SIC issues

    Auto-NAT is good when a Check Point is doing the NAT. When it isn't a Check Point, as in management on AWS, you need to do the following:

    Manager's object Main IP Address set to the Public IP.
    Manager's topology contains all interfaces' primary IP addresses.
    On the OS side, add the public IP as an alias to the interface the traffic should traverse.
    On Gaia the command is "add interface eth0 alias 1.2.3.4/32"; in the WebUI you cannot set a 32-bit netmask.

    There are several other configurations discussed in sk100583.
