How does Checkpoint SecuRemote know which traffic to send down the VPN?

Moving from a perfectly-functioning Cisco VPN on which DNS and everything 'just worked' we are now trying to remotely connect to the office via a Checkpoint Edge UTM and SecuRemote-based solution.
There are some instances where we'd like traffic to go down the VPN when it seems to just look out to the internet instead. How does Checkpoint work out what traffic goes down the VPN tunnel and what is dealt with as normal non-VPN traffic? We can get it to force everything down the VPN but this causes other problems.

Any ideas Experts?
Cheers,
Jonny
jonnyIT asked:

larstr commented (accepted solution):
Jonny,
Editing userc.C will probably work, but I'm not sure if it's a permanent fix to the problem. In the full Check Point firewall there is a setting for automatic topology updates. This setting is AFAIK not present in the SofaWare line of products, but if it's enabled it will overwrite your changes to the userc.C file.

I guess you just have to test this and see how it turns out.

Lars
0
 
larstr commented:
Jonny,
In the directory where you've installed SecuRemote there is a file database\userc.C

This is a text file where all the vpn settings are defined. For your vpn there is a field called "topology" that describes for what networks it should send the traffic down the vpn pipe when the vpn is active.

These topology definitions are normally retrieved automatically from the gateway when you first setup the vpn.

Lars
0
 
jonnyIT (Author) commented:
Ah ok. Is that something that should be configurable on our Checkpoint UTM-1 Edge device, or on the main Checkpoint servers at our parent company?
Regards,
Jonny
0
 
larstr commented:
Jonny,
Yes, this is configured in SmartDashboard on the firewall object -> Topology -> VPN Domain.

Lars
0
 
jonnyIT (Author) commented:
Just to clarify: We can't configure this on our device and we have to ask our parent company?
0
 
larstr commented:
Is the Edge device also configured by the parent company?
0
 
jonnyIT (Author) commented:
I can log into the my.firewall interface and there is a Topology view in Reports/Tunnels/VPN Topology but I can't see where to change the settings though. We have control over NAT and routing rules etc and have created the VPN settings to allow remote computers to connect in, but the box is also connected via a site-to-site VPN at our parent company, so I don't know what power they hold over us!
Cheers for the comments so far,
Jonny
0
 
larstr commented:
Jonny,
Go to VPN / VPN Sites and edit your vpn site config. It will start a wizard that will have your current settings. After a few steps you will come to "VPN Network Configuration" where you can specify manually what networks you want to push through the vpn instead of loading this config automatically.

Lars
[Attached images: vpn-site-wizard.jpg, sbox-vpn-topology.jpg]
0
 
jonnyIT (Author) commented:
This doesn't seem to be the right way round. It seems like these settings are for configuring the Checkpoint Edge device to connect to another network whereas I want to configure the VPN server settings so that I affect what happens when people connect remotely to our Edge device using the SecuRemote software client.
0
 
larstr commented:
OK, I guess I misunderstood your question a bit then.

It's not the site-to-site vpn that is the problem, but the client vpn where people use SecuRemote to connect to your Edge box.

By default, the standard topology provided by the Edge device would be all of its internal networks, and I'm not sure if you can change this on the Edge boxes.

Lars
0
 
jonnyIT (Author) commented:
In this case, is there a way I can manually edit the userc.C file so that traffic to the 192.168.66.x network goes down the tunnel?
Cheers,
Jonny
0
 
jonnyIT (Author) commented:
Just for information's sake then, would I add a section like the code below into the topology section?
:topology (
	: (
		:name (##.44.##.##.##.44.##.##)
		:type (network)
		:ipaddr (192.168.66.0)
		:ipmask (255.255.255.0)
	)
)


0
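As an added illustration (not code from this thread, from Check Point, or from SecuRemote), the script below takes a constructed userc.C-style topology block in the shape larstr describes and Jonny pasted, parses it, and answers the question in the title for a given destination address: a packet is sent down the tunnel only when its destination falls inside one of the topology entries, and anything else is treated as ordinary internet traffic. The ':key (value)' syntax, the sample entries and the host mask are assumptions based solely on the snippet above; the parser is deliberately strict so that an unclosed block, like the one pasted before it was completed, is reported instead of being silently accepted.

```python
import ipaddress
import re

# Constructed sample in the style of SecuRemote's database\userc.C topology
# block. Not a real file: names and addresses are made up, and the /32 mask
# used for the host entry is an assumption.
SAMPLE_USERC = """
:topology (
	: (
		:name (office-lan)
		:type (network)
		:ipaddr (192.168.66.0)
		:ipmask (255.255.255.0)
	)
	: (
		:name ("file server")
		:type (host)
		:ipaddr (10.1.1.5)
		:ipmask (255.255.255.255)
	)
)
"""

# Tokens are parentheses, double-quoted strings, or bare words.
_TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def tokenize(text):
    return _TOKEN_RE.findall(text)


def parse(tokens, pos=0, nested=False):
    """Parse ':key (value)' entries until a closing ')' or end of input.

    Returns (entries, next_pos). Each entry is (key, value) where value is a
    string, None for an empty '()', or a nested list of entries; anonymous
    ': (' list items get the key ''. Raises ValueError for truncated input
    such as a block whose parentheses are never closed.
    """
    entries = []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == ')':
            return entries, pos + 1
        if not tok.startswith(':'):
            raise ValueError(f"expected ':key' at token {pos}, got {tok!r}")
        key = tok[1:]
        pos += 1
        if pos >= len(tokens) or tokens[pos] != '(':
            raise ValueError(f"expected '(' after key {key!r}")
        pos += 1
        if pos >= len(tokens):
            raise ValueError("unexpected end of input: unclosed '('")
        if tokens[pos] == ')':                 # empty value:  :key ()
            entries.append((key, None))
            pos += 1
        elif tokens[pos].startswith(':'):      # nested block
            inner, pos = parse(tokens, pos, nested=True)
            entries.append((key, inner))
        else:                                  # scalar value
            value = tokens[pos].strip('"')
            pos += 1
            if pos >= len(tokens) or tokens[pos] != ')':
                raise ValueError(f"expected ')' after value {value!r}")
            pos += 1
            entries.append((key, value))
    if nested:
        raise ValueError("unexpected end of input: unclosed '('")
    return entries, pos


def topology_networks(userc_text):
    """Return [(name, ip_network)] for every entry in the :topology block."""
    entries, _ = parse(tokenize(userc_text))
    nets = []
    for key, block in entries:
        if key != 'topology' or block is None:
            continue
        for _, item in block:                  # anonymous ': (' items
            fields = dict(item)
            net = ipaddress.ip_network(
                f"{fields['ipaddr']}/{fields['ipmask']}", strict=False)
            nets.append((fields.get('name'), net))
    return nets


def goes_down_tunnel(destination, nets):
    """True if the destination lies inside any topology entry, i.e. the
    client will encrypt it through the VPN; False means it leaves in the clear."""
    addr = ipaddress.ip_address(destination)
    return any(addr in net for _, net in nets)


if __name__ == '__main__':
    nets = topology_networks(SAMPLE_USERC)
    for dst in ('192.168.66.20', '10.1.1.5', '10.1.1.6', '8.8.8.8'):
        print(dst, '-> VPN' if goes_down_tunnel(dst, nets) else '-> clear (internet)')
```

Running the script with the sample shows the behaviour Jonny reports: an address on 192.168.66.x only goes down the tunnel once an entry covering that network exists in the topology, and any destination outside every entry is handled as normal non-VPN traffic. As larstr notes, such an entry is normally pushed by the gateway, so a hand edit may not survive a topology update.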