You could just exclude the specific Check Point management services from the VPN instead. I've had to do this to get remote Edge management working properly. I don't have any remotely managed firewalls, but I'd guess that it'd work the same.
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:[EMAIL PROTECTED] On Behalf Of Sergio Alvarez
> Sent: Tuesday, August 14, 2007 9:49 AM
> To: [email protected]
> Subject: Re: [FW-1] Deploying new gateway to be remotely managed.
>
> Something I'm thinking that might work is to exclude the SMC from the
> encryption domain.
>
> I have not used them much, but I know you can create a group with exclusion,
> and I'm thinking that if you already have a manually defined group for the
> VPN domain and create a new one that excludes the SMC from it, the firewall
> will not try to encrypt traffic from the SMC to the remote gateway and you
> can keep it right where it is right now.
>
> Hope this helps.
>
>
> On 8/14/07, cisco4ng <[EMAIL PROTECTED]> wrote:
> >
> > I think I see your problem. You're trying to manage the remote firewall
> > and also have IPSec VPN between the two firewalls, and the SMC is
> > sitting behind one of those firewalls. What you're trying to do will NOT work,
> > unless you're using "traditional mode" and not "simplified mode" VPN.
> > You're using simplified mode, correct? If so, the firewall itself will
> > be part of the encryption domain as well. That's not the case in
> > traditional mode.
> >
> > When you tried to ssh to the remote firewall from the SMC, it triggered
> > the VPN tunnel. That's why it will not work. Unless someone here has
> > a better idea, I just don't think what you're trying to achieve here
> > will work.
> >
> > I think the best solution is to put your SMC in the DMZ with a public IP
> > address and route through the firewall. That way, you don't have to
> > worry about NAT and it is a much cleaner setup.
> >
> > In the setup that you have, the SMC is also part of the encryption domain
> > with the remotely managed firewall, and I don't think the SMC is designed to
> > work that way.
> >
> >
> > Alan Choyna <[EMAIL PROTECTED]> wrote:
> > Everything is already as you defined it, Cisco4ng.
> >
> > The SMC is NAT'd to an external IP, and I do have a rule allowing
> > full bi-directional traffic in both firewalls' policies.
> >
> > I do not get the policy installing on the remote gateway, which is great
> > news.
> >
> > When I try to connect to it from the SMC server I get the following error:
> >
> > Number: 38960
> > Date: 14Aug2007
> > Time: 8:55:57
> > Product: VPN-1 Power/UTM
> > Interface: eth6
> > Origin: fw1box-1
> > Type: Log
> > Action: Drop
> > Protocol: tcp
> > Service: ssh (22)
> > Source: backup (10.1.1.3)
> > Destination: fw1dc2 (10.2.2.1)
> > Rule: 38
> > NAT rule number: 149
> > NAT additional rule number: 0
> > Source Port: 44768
> > Destination Key ID: 0x00000000
> > XlateSrc: fw1box-cluster (11.222.333.211)
> > XlateSPort: 12075
> > Encryption Scheme: IKE
> > VPN Peer Gateway: fw1dc2 (33.222.111.182)
> > Encryption Methods: ESP: AES-128 + MD5
> > Community: suntimes_IDC
> > Information: encryption fail reason:
> > Packet is dropped because there is no valid SA - please refer to
> > solution sk19423 in SecureKnowledge Database for more information
> >
> > Do I need to create a VPN tunnel between the 2 firewalls as well for
> > other access?
> >
> > Thanks for the help so far.
> >
> > Alan
> >
> >
> > At 04:57 PM 8/13/2007, cisco4ng wrote:
> > >Let me give you an example:
> > >
> > >smc--FW_A----Internet----FW_B
> > >
> > >Let's say smc has an IP address of 10.1.1.10/24.
> > >The internal interface of FW_A has an IP of 10.1.1.1.
> > >Now you want to manage both FW_A and FW_B via
> > >the smc.
> > >
> > >1) Go into the SmartDashboard, select the
> > >smc object, under the NAT section, select the
> > >box "apply for VPN-1 Pro/Express control connections"
> > >and then enter the public IP address that you will
> > >NAT the smc to. Under install, select FW_A as the
> > >one that you will NAT on.
> > >
> > >2) Create a bi-directional rule to allow service
> > >of "Any" between the smc and FW_B (just for testing).
> > >
> > >3) Once that is done, push policy to the FW_A
> > >firewall. Now the smc will be able to communicate
> > >with FW_B and vice versa. You should be able to
> > >SIC between FW_B and smc.
> > >
> > >Keep in mind that under the NAT of the smc, if you
> > >set "install on gateway" to "all", it will NOT
> > >work. It should be FW_A only.
> > >
> > >Alan Choyna wrote:
> > >Thanks for the responses. They're greatly appreciated.
> > >
> > >Just to clarify, the SMC is the Smart Management Center, right?
> > >
> > >I went to the management server object and selected "Apply for VPN-1
> > >Power/UTM Control Connections", but it would not let me save it, saying:
> > >
> > >"Applying NAT on VPN-1 Power/UTM control connections is allowed only
> > >when the rule is installed on a single gateway".
> > >
> > >The install on Gateway is set to "all".
> > >
> > >I have installed the license on the new gateway using SmartUpdate,
> > >and yes, SIC is working fine.
> > >
> > >When I check the new gateway after attempting to push policy (it
> > >fails with a timeout), I see that "fw stat" shows the right policy,
> > >but I cannot access the outside world from the inside networks of the
> > >new gateway, not from the gateway itself. SIC is also lost, as the
> > >gateway does not seem to accept any connection.
> > >
> > >When I unload the local policy I can access the outside world only
> > >from the new gateway, and SIC is re-established.
> > >
> > >This is driving me crazy.
> > >
> > >The rules I have for the new policy (that is only pushed to the remote
> > >gateway) allow for connectivity between the management networks of
> > >the original data center and any of the networks behind the new
> > >gateway. I also have a rule allowing all outbound from the networks
> > >behind the new gateway, yet nothing seems to work.
> > >
> > >Help!!!!!
> > >
> > >Al
> > >
> > >
> > >At 12:25 PM 8/13/2007, Sergio Alvarez wrote:
> > > >Deploying a remote gateway is similar to working in any distributed
> > > >environment; just bear in mind that if you go through the Internet, NAT will be
> > > >involved in the communication between this new box and your SmartCenter.
> > > >
> > > >- The NAT tab of the SMC object has a check mark you must check to apply the
> > > >NAT rule to CP control connections
> > > >- You will need a static NAT for the SMC to be able to receive logs from the
> > > >external gateway
> > > >- Of course you must make sure security policies on any other gateways
> > > >between SMC and remote gateway have the required rules to allow traffic both
> > > >ways
> > > >- Regarding the configuration of security rules for this particular remote
> > > >gateway, just make sure only rules that are supposed to be used by it have
> > > >the corresponding object in the "install on" column of the rule base.
> > > >
> > > >If you were already able to establish SIC, you should also be able to use
> > > >SmartUpdate to attach the corresponding license.
> > > >
> > > >About the issue with Web Intelligence, the other guys above me have already
> > > >touched all possibilities... I think.
> > > >
> > > >Hope this helps...
> > > >
> > > >Regards
> > > >
> > > >On 8/12/07, Jean-Paul Baillon wrote:
> > > > >
> > > > > Remotely managed gateway = Distributed Installation
> > > > >
> > > > > You will find a lot of docs on the CP website
> > > > > http://www.checkpoint.com/support/technical/documents/index.html
> > > > >
> > > > >
> > > > > JP
> > > > >
> > > > > -----Original Message-----
> > > > > From: Mailing list for discussion of Firewall-1
> > > > > [mailto:[EMAIL PROTECTED] On Behalf Of Alan Choyna
> > > > > Sent: Monday, 13 August 2007 9:10 AM
> > > > > To: [email protected]
> > > > > Subject: Re: [FW-1] Deploying new gateway to be remotely managed.
> > > > >
> > > > > Thanks Ray (and Sin) for your advice.
> > > > >
> > > > > Is there an SK for building and deploying a policy for a remotely
> > > > > managed gateway? Or can anyone give me the basics?
> > > > >
> > > > > Thanks in advance,
> > > > >
> > > > > Alan
> > > > >
> > > > > At 05:15 PM 8/12/2007, Ray wrote:
> > > > > >There's an SK article on what protections require a WI license.
> > > > > >CPMAD, SQL Injection, LDAP Injection, and one other thing, if I recall
> > > > > >correctly. If you un-check those, you should be OK.
> > > > > >
> > > > > >Web Intelligence's biggest failing is that it does not work on SSL
> > > > > >traffic, which is where you really want to protect this kind of stuff.
> > > > > >FW-1 can't do SSL termination, which severely limits its inspection
> > > > > >ability.
> > > > > >
> > > > > >Apparently there used to be an add-in OPSEC card that did allow FW-1 to
> > > > > >do SSL inspection, but the vendor got bought out late last year and the
> > > > > >product was discontinued.
> > > > > >
> > > > > >Ray
> > > > > >
> > > > > >
> > > > > >>From: Alan Choyna
> > > > > >>Reply-To: Mailing list for discussion of Firewall-1
> > > > > >>
> > > > > >>To: [email protected]
> > > > > >>Subject: [FW-1] Deploying new gateway to be remotely managed.
> > > > > >>Date: Sat, 11 Aug 2007 14:41:48 -0500
> > > > > >>
> > > > > >>Hi Gurus,
> > > > > >>
> > > > > >>We've just built a new SPLAT R62 gateway at a new data center to be
> > > > > >>remotely managed by a management server (with the same version of
> > > > > >>R62) at another data center.
> > > > > >>
> > > > > >>I was able to SIC the new gateway to the management server, so it is
> > > > > >>now ready to have a policy pushed to it.
> > > > > >>
> > > > > >>This is our first experience of setting up a remotely managed gateway,
> > > > > >>and I don't know how to set up its policy on the management server.
> > > > > >>
> > > > > >>Can someone please advise on the initial configuration of the policy for
> > > > > >>the new gateway on the management server?
> > > > > >>
> > > > > >>After getting SIC with the new gateway on the management server I
> > > > > >>cannot push policy to the cluster even when de-selecting the new
> > > > > >>gateway. I get the error message:
> > > > > >>
> > > > > >>Security and Address Translation Policy Verification:
> > > > > >>Additional licenses for Web Intelligence are required.
> > > > > >>You have (0) Web Intelligence license installed, while (1) gateway is
> > > > > >>involved in Web Intelligence protection.
> > > > > >>
> > > > > >>How do I disable Web Intelligence on the new gateway? Since I cannot
> > > > > >>connect to it remotely as yet (no policy), I have not yet installed
> > > > > >>its correct license; it's still running on the eval license for now.
> > > > > >>
> > > > > >>Thanks in advance for your advice,
> > > > > >>
> > > > > >>Alan
> > > > > >>
> > > > > >>
> > > > > >>Alan C. Choyna
> > > > > >>Director of Infrastructure
> > > > > >>
> > > > > >>Pathfinder Associates, LLC
> > > > > >>
> > > > > >>http://www.pathfinderassoc.com
> > > > > >>Internet Strategy Business Consultants
> > > > > >>mailto:[EMAIL PROTECTED]
> > > > > >>
> > > > > >>Business telephone (312) 372-1058 ext 6003.
> > > > > >>Mobile (773) 255-6662
> > > > > >>
> > > > > >>
> > > > > >>=================================================
> > > > > >>To set vacation, Out-Of-Office, or away messages, send an email to
> > > > > >>[EMAIL PROTECTED]
> > > > > >>in the BODY of the email add:
> > > > > >>set fw-1-mailinglist nomail
> > > > > >>=================================================
> > > > > >>To unsubscribe from this mailing list, please see the instructions at
> > > > > >>http://www.checkpoint.com/services/mailing.html
> > > > > >>=================================================
> > > > > >>If you have any questions on how to change your subscription options,
> > > > > >>email [EMAIL PROTECTED]
> > > > > >>=================================================
> > > >
> > > >--
> > > >Sergio Alvarez
> > > >(506)8301342
>
> --
> Sergio Alvarez
> (506)8301342
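As an added illustration, not part of the thread: a small Python parser for the drop record Alan posted, which flags drops whose "encryption fail reason" is "no valid SA" on a management service. That combination is the symptom the replies above diagnose, the SMC's control traffic being pulled into the encryption domain, and the fix they propose is excluding the SMC or the management services from the VPN domain. The record is reconstructed from the post; the management-port set is an assumption (ssh from the post, the rest are Check Point's default CPD/ICA/CPRID ports).

```python
import re

# Constructed sample: the drop record Alan quoted in the thread, field for field
# (the 11.222.333.211 address is the obfuscated value from the post, not a real IP).
SAMPLE_RECORD = """\
Number: 38960
Date: 14Aug2007
Time: 8:55:57
Action: Drop
Protocol: tcp
Service: ssh (22)
Source: backup (10.1.1.3)
Destination: fw1dc2 (10.2.2.1)
Rule: 38
XlateSrc: fw1box-cluster (11.222.333.211)
Encryption Scheme: IKE
VPN Peer Gateway: fw1dc2 (33.222.111.182)
Community: suntimes_IDC
Information: encryption fail reason:
Packet is dropped because there is no valid SA - please refer to
solution sk19423 in SecureKnowledge Database for more information
"""

# Assumption: TCP ports the SmartCenter uses to reach a managed gateway
# (ssh from the post; CPD, CPD_amon, FW1_CPRID, FW1_ica_pull/push are CP defaults).
MANAGEMENT_PORTS = {22, 18191, 18192, 18208, 18210, 18211}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*): ?(.*)$")

def parse_record(text):
    """Turn a 'Key: value' record into a dict; lines without a key are
    continuations of the previous field (the multi-line 'Information')."""
    rec, last_key = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group(1)
            rec[last_key] = m.group(2).strip()
        elif last_key and line.strip():
            rec[last_key] = (rec[last_key] + " " + line.strip()).strip()
    return rec

def service_port(service):
    """'ssh (22)' -> 22; None when the Service field carries no port."""
    m = re.search(r"\((\d+)\)", service)
    return int(m.group(1)) if m else None

def classify(rec):
    """Verdict for one record: management traffic dropped because it was
    pulled into the VPN (the thread's problem), a generic no-SA drop, or other."""
    if rec.get("Action") != "Drop":
        return "not-a-drop"
    if "no valid SA" not in rec.get("Information", ""):
        return "drop-other"
    if service_port(rec.get("Service", "")) in MANAGEMENT_PORTS:
        return "mgmt-traffic-pulled-into-vpn"
    return "vpn-no-sa"
```

Run over a SmartView Tracker export, a burst of "mgmt-traffic-pulled-into-vpn" verdicts with the SMC as Source is the signal to check the VPN domain definition rather than the rule base.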
