Management traffic sent as clear text even when configured to be sent via VPN tunnel
THINGS TO CONSIDER BEFORE THIS CHANGE:
1. Configuring policy push to remote gateways via VPN is simply a problematic idea. Should the VPN tunnel between the local and remote gateway fail, the ability to troubleshoot and ultimately push policy to restore the VPN tunnel will be lost.
2. All management traffic to any Check Point/OPSEC device is already encrypted by design via SIC. Any device that sends communication to, or receives communication from, the management server must have SIC established. Once SIC is established, an impostor cannot send, receive, or intercept communication meant for Check Point/OPSEC devices. This is because the SIC certificate itself is issued by the ICA (Internal Certificate Authority) and requires authentication with the matching SIC activation key.
SIC also enforces data integrity, ensuring that the communication has not been altered in any form. Upon initial configuration, the firewalls have automatic implied rules that, together with SIC, prevent any impostor from communicating with them. SIC communication is encrypted by standard SSL (443) and uses the AES-128 cipher.
In order to have management traffic sent over the VPN, you need to edit $FWDIR/lib/implied_rules.def on the SmartCenter Server and then create a rule that allows the management traffic between the sites.
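As an added verification check (not part of the original article): after the change, capture on the gateway's external interface and confirm that management connections to the peer gateway appear only inside ESP, not as clear-text TCP. The script below classifies tcpdump-style lines; the capture lines are constructed, and the port-to-service map is an assumption based on well-known Check Point service ports (adjust it to your environment).

```python
import re
from collections import Counter

# Assumption: TCP ports treated as Check Point management/SIC traffic.
MGMT_PORTS = {
    256: "FW1",
    257: "FW1_log",
    18190: "CPMI",
    18191: "CPD",
    18210: "FW1_ica_pull",
    18211: "FW1_ica_push",
}

# Constructed sample of tcpdump -n output as seen on the external interface.
# Two management connections still leave in the clear; one packet is ESP;
# the SSH line is unrelated traffic that should be ignored.
SAMPLE_CAPTURE = """\
10:01:02.100 IP 10.1.1.10.40011 > 10.2.2.20.18191: Flags [S], seq 1, length 0
10:01:02.101 IP 10.1.1.10.40012 > 10.2.2.20.18190: Flags [P.], seq 1:200, length 199
10:01:03.200 IP 10.1.1.1 > 10.2.2.1: ESP(spi=0x0000abcd,seq=0x10), length 180
10:01:04.300 IP 10.1.1.10.40013 > 10.2.2.20.22: Flags [P.], seq 1:100, length 99
"""

# TCP/UDP lines print "src.port > dst.port:"; ESP lines print "src > dst: ESP".
TCP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
ESP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+): ESP")


def classify(capture: str) -> dict:
    """Count clear-text management packets per service and ESP packets."""
    clear = Counter()
    esp = 0
    for line in capture.splitlines():
        m = TCP_RE.search(line)
        if m:
            dport = int(m.group(4))
            if dport in MGMT_PORTS:
                clear[MGMT_PORTS[dport]] += 1
        elif ESP_RE.search(line):
            esp += 1
    return {"clear_text": dict(clear), "esp_packets": esp}


def management_in_clear(capture: str) -> bool:
    """True if any management service was seen outside the tunnel."""
    return bool(classify(capture)["clear_text"])


if __name__ == "__main__":
    print(classify(SAMPLE_CAPTURE))
```

Run it against a real capture (for example `tcpdump -ni eth0 host <peer> > capture.txt`) by passing the file contents to `classify`; an empty `clear_text` map with a non-zero `esp_packets` count is the expected result once the implied rule is disabled and the VPN rule is in place.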