Thursday, December 19, 2019

CheckPoint Firewalls: VPN Rules and VPN Compatibility

I'm a Network Admin for a company that invested in CheckPoint firewalls a few years ago. We have a couple of issues I was wondering if anyone else had experience with. (1) Is there an easy way to apply firewall rules to VPNs? (2) Has anyone else had site-to-site VPN issues between CheckPoint and SonicWall devices?

Regarding issue (1), with our old (and missed) Cisco ASA the concepts of a site-to-site VPN and firewall rules were decoupled. If you wanted to create a firewall rule you would simply say something like src:10.1.1.1 dst:10.2.2.2 service:tcp/22 allow. If that traffic happened to be coming over a VPN, or from DMZ > Inside zone, it didn't really matter. I spoke with a tech support agent at CheckPoint about this and they told me that to achieve the same level of granularity I'd basically have to create a new VPN rule for each traffic flow. I'm curious if anyone with CheckPoint firewall experience can speak to this; maybe there's an alternative?

As far as issue (2), we have around 15 site-to-site VPNs, and we constantly had issues with two of our VPNs that happened to be terminating on SonicWall devices. After a few months of troubleshooting and not finding much, we ended up moving the VPNs to our older Cisco ASAs and the issues immediately stopped. When the issue would occur, the remote end would be unable to initiate traffic to bring the tunnel up. I would have to log into a server and send a PING or other type of traffic to bring the tunnel up, and then bidirectional traffic would flow just fine for anywhere between 4 hours and a few days. I'm mainly curious if anyone else experienced this issue and, if so, if you ever found a solution.
