PPTP/GRE enforcement and NAT require inspection of PPTP/GRE packet header data and do not support encrypted GRE tunnels that encrypt the GRE header payload.
GRE protocol (Protocol #47) does not use ports. For this and other reasons, there are technical difficulties attempting to NAT encrypted GRE traffic.
Until NG AI HFA_10, and the existence of the IPS protection "Non Compliant PPTP" (formerly known as SmartDefense protection "PPTP Enforcement"), it was not possible to create multiple sessions with a PPTP server while the clients were hidden using Hide NAT.
Activate the relevant IPS protection to enable PPTP parsing enforcement, which also allows the Security Gateway to support PPTP/GRE traffic over Hide-NAT.
This solution describes how to configure R70 (and above) Security Gateway to allow PPTP/GRE clients behind NAT to connect to remote PPTP server. This solution depends on IPS to inspect and better understand the PPTP / GRE traffic to allow NAT to function correctly. This, therefore, requires appropriate IPS licenses.
Important: Starting from R80 PPTP_TCP has been removed as a deprecated protocol per sk103766. If this protocol is required, please contact your Sales Engineer or submit a Request for Enhancement.
Procedure:
Follow these steps in SmartDashboard:
-
Edit the PPTP Client/PPTP Network object:
- Open the PPTP Client/PPTP Network object properties.
- Go to '
NAT' tab.
- Check the box
Add Automatic Address Translation rules.
-
Select NAT Translation Method:
- In the '
Translation Method' field, select Hide.
- Select either the
Hide behind Gateway, or Hide behind IP Address.
- Click on '
OK' to close the object properties window.
Example:
-
Create a Security Rule to allow connections to the PPTP Server - use the 'PPTP' service:
-
Edit the Security Gateway object:
- Open the Security Gateway properties.
- Go to
General Properties pane.
- Enable the
IPS blade (check the box 'IPS').
- Click on '
OK' to close the object properties window.
Example:
-
Configure the IPS protection "Non Compliant PPTP":
- Go to
IPS tab.
- In the left pane, click on
Protections.
- In the
Look for field, type PPTP and press Enter.
- Right-click on the IPS protection "
Non Compliant PPTP" - click on Details....
- On the
General tab, select the relevant IPS profile - click on Edit....
-
In the Main Action section:
- Select
Override IPS Policy with
- Select
Detect
- Click on '
OK' to close the protection settings window.
- Click on '
OK' to close the protection details window.
Example:
- Save the changes: go to '
File' menu - click on 'Save'.
- Install the Security policy onto Security Gateway.
- Verify the PPTP connection.
For R80.10 or above:
Configure the IPS Protection "Non Compliant PPTP":
1. In left Pane of Smart Console, go to "MANAGE & SETTINGS"
2. Go to Blades > General > Inspection Settings...
3. In the Look for field, type PPTP and press Enter
4. Right click Non Compliant PPTP and Edit
5. In the required profile(default/recommended which is applied on gateway)
6. Select Override with Action:
7. In Drop down menu > select "Accept" > press "ok"
8. Install policy.
Limitation:
To allow the PPTP traffic to pass, Security Gateway must have the IPS Software Blade enabled in its 'General Properties' pane. IPS Software blade requires a separate license to be installed on Security Gateway and on Security Management Server / Domain Management Server.
Check Point 600 appliances and Locally Managed 1100/1200R appliances
- Starting from R75.20.66, to enable PPTP parsing enforcement that also allows the Security Gateway to support PPTP/GRE traffic over Hide-NAT, go to the "Users & Objects" tab under "Network Resources" -> "Services".
- Edit the PPTP_TCP built-in Service object and make sure that the "Disable inspection for this service" checkbox is NOT selected.
