User access via IPSEC fails after Cloud SWG maintenance completes

Article ID: 265729


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internet sites via Cloud SWG using the IPSEC access method.

A PAC file is pushed out to all users, proxying traffic to proxy.threatpulse.com:8080.

On the morning of May 10, no users could access internet sites going through GGBLO1 (maintenance carried out the previous night).

The Cloud SWG Portal reported the IPSEC tunnel as down.

 

Environment

  • IPSEC Access method.
  • Checkpoint R81.10 release.
  • IKEv1 Protocol.
  • DCQ-based authentication based on client IP address.

Cause

As per the documentation, explicit traffic over IPSEC must point to ep.threatpulse.com:80 (or 199.19.250.205:80) and not to proxy.threatpulse.com.

The Checkpoint configuration was also changed to address a peering IP address issue, per their KB article.

Resolution

Always send explicitly proxied traffic over an IPSEC tunnel to the ep.threatpulse.com:80 endpoint.
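The following is an added example, not part of the original article or of any vendor tooling: a small audit that loads a PAC file, runs it against sample URLs, and reports any proxy directive that does not point at the IPSEC explicit-proxy endpoint named above. The function names (`loadPac`, `auditPac`), the sample PAC contents and the `corp.example` hosts are constructed for illustration.

```javascript
// Endpoints allowed for explicit proxy traffic over IPSEC, as stated in the article.
const IPSEC_ENDPOINTS = new Set(['ep.threatpulse.com:80', '199.19.250.205:80']);

// Minimal versions of the standard PAC helper functions, enough for the sample below.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, pat) =>
    new RegExp('^' + pat.replace(/[.+^${}()|[\]\\]/g, '\\$&')
      .replace(/\*/g, '.*').replace(/\?/g, '.') + '$').test(str),
};

// Load FindProxyForURL from PAC source. Only run this on PAC files you control:
// new Function executes the text as code.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  return factory(...names.map((n) => pacHelpers[n]));
}

// Return every proxy directive that sends traffic somewhere other than the
// IPSEC explicit-proxy endpoint. DIRECT entries are ignored.
function auditPac(pacSource, testUrls) {
  const findProxy = loadPac(pacSource);
  const findings = [];
  for (const url of testUrls) {
    const host = new URL(url).hostname;
    for (const entry of findProxy(url, host).split(';')) {
      const [kind, target] = entry.trim().split(/\s+/);
      if (!kind || kind.toUpperCase() === 'DIRECT') continue;
      if (!IPSEC_ENDPOINTS.has((target || '').toLowerCase())) {
        findings.push({ url, directive: entry.trim() });
      }
    }
  }
  return findings;
}

// Constructed sample PAC files: the setting from the incident and the corrected one.
const pacBefore = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || shExpMatch(host, "*.corp.example")) return "DIRECT";
  return "PROXY proxy.threatpulse.com:8080";
}`;
const pacAfter = pacBefore.replace('proxy.threatpulse.com:8080', 'ep.threatpulse.com:80');
const sampleUrls = ['http://www.example.com/', 'https://intranet.corp.example/', 'http://printer/'];

console.log(auditPac(pacBefore, sampleUrls));
console.log(auditPac(pacAfter, sampleUrls));
```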

With Checkpoint firewalls, make sure that the peer IP address sent over to Cloud SWG matches that configured in the Cloud SWG IPSEC location IP address field using the following setup:

Additional Information

The Checkpoint firewall was sending an invalid IP address because it had the following setting enabled for peer IP address selection, which took the IP address from the Generic Properties section and NOT the egress IP address that Cloud SWG saw the connections come in from.