Remote-access Guide

checkpoint remote access route table

by Lance Mertz PhD Published 2 years ago Updated 2 years ago
image

How does remote access work with Check Point?

Remote access is integrated into every Check Point network firewall. Configure client-to-site VPN or set up an SSL VPN Portal to connect from any browser. Provides full access to the corporate network with a VPN client. Provides web-based access without the need to install a VPN client.

How can I get the routing table from a checkpoint?

In checkpoint ? 'netstat -nr', 'route print', and 'ip route show' will all print the full routing table in various formats. Note that none of them include policy-based routing. If you want to see what route a firewall will take to get to a given destination, try the command 'ip route get <destination>'.

How can I get the routing table of a firewall?

'netstat -nr', 'route print', and 'ip route show' will all print the full routing table in various formats. Note that none of them include policy-based routing. If you want to see what route a firewall will take to get to a given destination, try the command 'ip route get <destination>'.

How to check if a route is configured on an interface?

When in clish, use "show route all" and, to check on policy-based routing, "show pbr summary". Note: None of those commands will show routes configured on interfaces that are currently down. routed will set up routes on interfaces only if they are up.

image

The Need for VPN Routing

There are a number of scenarios in which a Security Gateway or remote access clients cannot connect directly to another Security Gateway (or clients). Sometimes, a given Security Gateway or client is incapable of supplying the required level of security. For example:

Check Point Solution for Greater Connectivity and Security

VPN routing provides a way of controlling how VPN traffic is directed. VPN routing can be implemented with Security Gateway modules and remote access clients.

Configuring VPN Routing for Remote Access VPN

Common VPN routing scenarios can be configured through a VPN star community, but not all VPN routing configuration is handled through SmartConsole. VPN routing between Security Gateways (star or mesh) can be also be configured by editing the configuration file $FWDIR/conf/vpn_route.conf

Link Selection for Remote Clients

Link Selection is a method used to determine which interface to use for incoming and outgoing VPN traffic and the best possible path for the traffic. Using Link Selection, you choose which IP addresses are used for VPN traffic on each Security Gateway.

Directional VPN in Remote Access Communities

Directional VPN for Remote Access Communities lets you reject connections to or from a specified network object.

How do I check the routing table through command line? In checkpoint ?

How do you check the routing table through command line? In checkpoint ?

Re: How do I check the routing table through command line? In checkpoint ?

How do you check the routing table through command line? In checkpoint ?

Re: How do I check the routing table through command line? In checkpoint ?

'netstat -nr', 'route print', and 'ip route show' will all print the full routing table in various formats. Note that none of them include policy-based routing.

Re: How do I check the routing table through command line? In checkpoint ?

In expert mode, as mentioned above, "ip route show" (ip r sh is enough) or, for completeness, "ip route show table all". When in clish, use "show route all" and, to check on policy-based routing, "show pbr summary". Note: None of those commands will show routes configured on interfaces that are currently down.

How to verify PBR is configured correctly?

Method 1#N#One method of verifying PBR is configured correctly is to use these commands (in Expert mode):#N#To list the policy rules:#N#[Expert@HostName]# ip rule list#N#Based on our example scenario:#N#Each line is a routing rule, with the priority, matching criteria, and action to take.#N#The results show us there are four rules for routing traffic.#N#The second line, with a priority of 1, matches the policy we defined (if we had configured the policy with a priority of 3, it still would have been second in the list, but with a priority of 3).#N#The action for this rule, " lookup 1 ", says traffic matching the specified criteria will be handled according to Action Table with ID 1.#N#To list the action tables:#N#[Expert@HostName]# ip route list table TABLE_ID#N#Based on our example scenario:#N#The results show that traffic destined for 10.1.0.0/16 will be routed via 10.10.10.1 out the interface eth1.

What is policy based routing in Gaia?

Note: For updated information please refer to sk167135 - Policy-Based Routing and Application-Based Routing in Gaia.#N#Policy-Based Routing (PBR) lets the user create routing tables that enable Gaia OS to direct traffic to appropriate destinations by defining a policy to filter the traffic based on one or more of the following:

What is PBR in VSX?

In VSX mode, PBR supports Source IP, Destination IP and Interface, but not the additional parameters (service port and protocol) that were added starting in R77.30.

How to configure a virtual router?

To configure a Virtual Router / Virtual System, you must first change the context to that Virtual Device with the "set virtual-system <VSID>" command. Connect to command line on Gaia OS (over SSH, or console). Log in to Clish. Ensure you have the database lock, so you can change Gaia configuration:

What is PBR routing?

Policy-Based Routing (PBR) static routes have priority over static routes in the OS routing table. When a packet arrives at the OS, the packet is checked for a match to a Policy-Based Rou ting (PBR) static route:

How to add action table in Gaia Portal?

a. Go to Gaia Portal > View Mode > Advanced > Advanced Routing > Policy Based Routing > Add > Action Table and enter the information for the following:

What happens if a packet does not match a PBR?

If the packet does not match a Policy-Based Routing (PBR) static route, the packet is then forwarded according to the priority of the static routes in the OS routing table.

What is a checkpoint capsule workspace?

Capsule Workspace - Use Check Point Capsule Workspace app that creates a secure container on the mobile device to give users access to internal websites, file shares, and Exchange servers.

How to enable devices to connect to the gateway?

To enable devices to connect to the gateway with Capsule Workspace: In SmartConsole, enable and configure Mobile Access on the gateway. From the Gateway Properties, click Mobile Access, and select Mobile Devices and Capsule Workspace.

How does a mobile access gateway work?

You can configure a Mobile Access gateway to be a reverse proxy for Web Applications on your servers, using Mobile Access. Reverse Proxy users browse to an address (URL) that is resolved to the gateway IP address. Then the gateway passes the request to an internal server, according to the Reverse Proxy rules. You control the security level (HTTP or HTTPS) of connections between users and resources.

What is the default URL for mobile access?

Enter the primary URL for the Mobile Access portal. The default is the https:// <IP address of the gateway> /sslvpn. You can use the same IP address for all portals on the gateway with a variation in the path. You can import a p12 certificate for the portal to use for SSL negotiation. All portals on the same IP address use the same certificate.

What happens when you install policy on this security gateway?

Install policy on this security gateway - When you install policy, the changes made by the Mobile Access Wizard become active.

What is mobile access wizard?

The Mobile Access Wizard runs when you enable the Mobile Access blade on a gateway. It lets you quickly allow selected remote users access to internal web or mail applications, through a web browser, mobile device, or remote access client.

What is remote user HTTP?

Remote users that use HTTP are automatically redirected to the portal using HTTPS.

The Basics

The VPN domain is the remote part of interesting traffic, so what can be reached over VPN

1. Phase1 and Phase2 parameters (RA only) and other global settings

Configure high level properties such as timers, allowed auth methods and P1 & P2 settings.

2. VPN Domain (interesting traffic)

Set the Networks that are within the VPN Domain. The first option is for S2S and the second for the Remote access VPN. Alternatively you can set this in the VPN domain and leave the remote access as the default of same as in Gateway .

3. Global Properties for S2S and RA

Gateway Properties » IPSec VPN. Can edit the certificate store (for clientside auth), define interface used for incoming/ outgoing VPN traffic, routing options, number of tunnels and NAT traversal support.

4. Users, User Templates and Usergroups

User Template: Define the Expiration, Authentication methods (when not using cert or PSK), location, time and under Encryption can set a pre-shared key (PSK)

5. VPN Community

Links the gateways and users together. Can only have ONE remote access community (can have multiple S2S) and participants can be User Groups or LDAP Groups.

6. Global Properties for all VPN clients

Gateway Properties » VPN Clients. Set the VPN client types allowed, certificate used for clientside auth, whether to override user authentication method and Office Mode to assign clients IPs (there is a default CP_default_Office_pool )

image
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 1 2 3 4 5 6 7 8 9