Support Center > Search Results > SecureKnowledge Details
Management traffic is sent as clear text even when it is configured to be sent via VPN tunnel Technical Level
Symptoms
  • When the user attempts to push policy to a remote Security Gateway via VPN, it is unsuccessful.

Cause

Consider the following before you make this change:

1. Configuring policy push to remote Security Gateways via VPN is problematic. Should the VPN tunnel between the local and remote Security Gateway fail, the ability to troubleshoot and ultimately push policy to restore the VPN tunnel will be lost.

2. All Management traffic to any Check Point/OPSEC device is already encrypted by design via SIC. Any device that communicates/receives communication to or from the Security Management Server must have SIC established.  Once SIC is established, an impostor cannot send, receive, or intercept communication meant for Check Point/OPSEC devices. This is because the SIC certificate itself is created by the Internal Certificate Authority (ICA) and requires authentication with the matching SIC activation key.  

SIC also requires data integrity ensuring that the communication has not been altered in any form. The Security Gateways have automatic implied rules that prevent any impostors from communicating with them via implied rules and SIC upon initial configuration. SIC communication is encrypted by standard SSL (443) and uses AES128 cipher algorithm.

In order to have the functionality of Management traffic over VPN, you must edit the FWDIR/lib/implied_rules.def on the SmartConsole Server and then create a rule that allows this service between the sites.


Solution
Note: To view this solution you need to Sign In .