Check Point

This guide covers the Check Point-specific steps (R8x, SmartConsole) needed to allow the RTA to reach its control plane.

Note

For the full background — what the RTA connects to, why standard "allow port 443 outbound" rules are not enough, and the two failure modes (HTTPS Inspection and Application Control) — see the firewall troubleshooting overview.


1. Create a destination object

The RTA connects to connect.remotetesting.secureworks.com over TCP 443 using OpenVPN (not HTTPS). Because the service is fronted by AWS Global Accelerator, the IP addresses can change; allowlist by FQDN, not by IP.

In SmartConsole, open Objects > New > Network Object > Domain (or use Updatable Objects if your gateway version supports it):

  • Name: rta-connect-endpoint
  • Domain name: connect.remotetesting.secureworks.com

A Check Point Domain object resolves at policy installation time and matches the FQDN in DNS lookups performed by the gateway. Updatable Objects (available on R81+) pull live feeds from the Check Point cloud and are an equally valid alternative.


2. HTTPS Inspection bypass

Even if a security rule permits port 443 outbound, the HTTPS Inspection blade will attempt to intercept and re-sign the TLS session. Because the RTA tunnel is OpenVPN (not TLS), the gateway cannot complete the SSL handshake and will reset the connection.

Open Security Policies > HTTPS Inspection and add a Bypass rule above any catch-all inspect rule:

#      Source                       Destination           Service       Action
(new)  Any (or appliance network)   rta-connect-endpoint  HTTPS (443)   Bypass

Steps:

  1. In the HTTPS Inspection policy, click Add Rule (top of the rule base).
  2. Set Destination to the rta-connect-endpoint Domain object created above.
  3. Set Action to Bypass.
  4. Add a comment, e.g. Allow RTA OpenVPN tunnel — not HTTPS.

Warning

The bypass must be placed above any rule that would otherwise inspect or drop traffic on TCP/443 to this destination. A bypass rule that is never matched because a drop rule is higher does not help.


3. Application Control, URL Filtering, and IPS

3a. Application Control / URL Filtering

Check Point's Application Control blade can classify the OpenVPN flow (or flag it as "non-standard application on port 443" / "anonymizer") and apply a separate drop action. Add an explicit Allow rule in the Application Control & URL Filtering policy:

#      Source                       Destination           Application/Site             Action
(new)  Any (or appliance network)   rta-connect-endpoint  OpenVPN and Any (see note)   Allow

Steps:

  1. Open Security Policies > Application Control & URL Filtering.
  2. Add a rule above any blocking rule for anonymizers or unrecognized applications.
  3. Set Destination to rta-connect-endpoint.
  4. In the Application/Site column, add the OpenVPN application object (search for "OpenVPN" in the application library). Also add any relevant categories your policy blocks (e.g., Anonymizers, Encrypted Tunnel) so the explicit allow covers them.
  5. Set Action to Allow.

Tip

If the OpenVPN application is not yet in your library, navigate to Objects > Application/Site > New and create a custom application matching TCP/443 to connect.remotetesting.secureworks.com, then use that object in the rule.

3b. IPS exception (if IPS blade is active)

The Check Point IPS blade includes protections that flag tunneled or anonymizer traffic. If IPS is enabled, add a protection exception for the RTA destination:

  1. Open Security Policies > IPS > Exception.
  2. Add an exception scoped to Destination = rta-connect-endpoint and Protection = Tunneling Protocols (or the specific triggered protection shown in logs).
  3. Set the exception Action to Inactive (bypass IPS inspection for this traffic).

4. Install policy and verify

Install Policy

Changes in Check Point do not take effect until the policy is pushed to the gateway. After saving all rule edits:

  1. Click Install Policy in SmartConsole.
  2. Select the relevant policy package and target gateway(s).
  3. Confirm the installation completes without errors.

Verify connectivity

From a host on the same network segment as the RTA appliance, confirm the port is reachable:

nc -vz connect.remotetesting.secureworks.com 443

Expected output:

Connection to connect.remotetesting.secureworks.com 443 port [tcp/https] succeeded!

If the connection times out or is refused, proceed to Logs & Monitor (see below).

After the RTA is powered on and the policy is installed, allow 60–90 seconds for the OpenVPN tunnel to negotiate. Confirm the tunnel is stable (it will reconnect automatically if the gateway is rebooted; no action needed on the RTA itself).

Confirm in SmartConsole Logs & Monitor

  1. Open Logs & Monitor > Logs.
  2. Filter by Destination = connect.remotetesting.secureworks.com.
  3. Confirm traffic shows Action: Accept and HTTPS Inspection: Bypass.
  4. If you see Action: Drop with blade Application Control or HTTPS Inspection, the corresponding rule above is either missing, below a blocking rule, or the policy has not been installed yet.
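The log check in step 4 can be scripted when logs are exported rather than read in SmartConsole. The following is an added example, not part of this guide or of any Check Point or Secureworks tooling: it runs the same decision (Accept with Bypass is healthy; Drop by a given blade points at the section whose rule is missing, shadowed, or not yet installed) over a few constructed JSON log lines. The field names (time, action, blade, dst_domain, https_inspection_action, rule_name) and the sample records are assumptions modelled loosely on Log Exporter output; map them to your exporter's actual schema before use.

```python
"""Triage exported Check Point log lines for the RTA control-plane flow.

Added example (not from the original page). Field names and the sample
records below are ASSUMED/constructed; adjust them to your exporter's schema.
"""
import json
from collections import Counter

RTA_FQDN = "connect.remotetesting.secureworks.com"

# Blade name as it appears in the log -> which part of the guide to revisit.
REMEDIATION = {
    "HTTPS Inspection": "section 2: Bypass rule missing, below an inspect/drop rule, "
                        "or policy not yet installed",
    "Application Control": "section 3a: Allow rule for OpenVPN missing or below a "
                           "blocking (anonymizer / unrecognized app) rule",
    "URL Filtering": "section 3a: category (e.g. Anonymizers) not covered by the Allow rule",
    "IPS": "section 3b: IPS exception (Tunneling Protocols) missing for this destination",
    "Firewall": "access rule permitting TCP/443 to rta-connect-endpoint missing or shadowed",
}

# Constructed sample records (NOT real logs), one JSON object per line.
SAMPLE_LOGS = """\
{"time": "2024-01-01T10:00:01Z", "action": "Drop", "blade": "HTTPS Inspection", "dst_domain": "connect.remotetesting.secureworks.com", "https_inspection_action": "Inspect", "rule_name": "Inspect all"}
{"time": "2024-01-01T10:00:05Z", "action": "Drop", "blade": "Application Control", "dst_domain": "connect.remotetesting.secureworks.com", "app_name": "OpenVPN", "rule_name": "Block anonymizers"}
{"time": "2024-01-01T10:00:09Z", "action": "Prevent", "blade": "IPS", "dst_domain": "connect.remotetesting.secureworks.com", "protection": "Tunneling Protocols"}
{"time": "2024-01-01T10:00:12Z", "action": "Accept", "blade": "Firewall", "dst_domain": "connect.remotetesting.secureworks.com", "https_inspection_action": "Inspect", "rule_name": "Allow RTA"}
{"time": "2024-01-01T10:01:30Z", "action": "Accept", "blade": "Firewall", "dst_domain": "connect.remotetesting.secureworks.com", "https_inspection_action": "Bypass", "rule_name": "Allow RTA"}
{"time": "2024-01-01T10:01:31Z", "action": "Accept", "blade": "Firewall", "dst_domain": "www.example.com", "https_inspection_action": "Inspect", "rule_name": "Web"}
"""

DROP_ACTIONS = {"Drop", "Reject", "Prevent", "Block"}


def parse_logs(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(rec):
    """Return (status, message) for a single record of RTA traffic."""
    action = rec.get("action", "")
    blade = rec.get("blade", "")
    hi_action = rec.get("https_inspection_action", "")
    if action in DROP_ACTIONS:
        why = REMEDIATION.get(
            blade, f"unrecognised blade {blade!r}; inspect rule_name {rec.get('rule_name')!r}")
        return "FAIL", f"{action} by {blade}: {why}"
    if action == "Accept":
        if hi_action == "Bypass":
            return "OK", "accepted and HTTPS Inspection bypassed"
        if hi_action == "Inspect":
            # Accepted by the access policy but still intercepted: the gateway will
            # try a TLS handshake against an OpenVPN server and reset the session.
            return "WARN", "accepted but still inspected: section 2 Bypass rule is not matching"
        return "OK", "accepted; no HTTPS Inspection action logged (blade may be disabled)"
    return "WARN", f"unexpected action {action!r}"


def triage(text, fqdn=RTA_FQDN):
    """Classify every record whose destination is the RTA endpoint."""
    findings = []
    for rec in parse_logs(text):
        if rec.get("dst_domain") != fqdn:
            continue  # unrelated flow
        status, msg = classify(rec)
        findings.append((rec.get("time"), status, msg))
    return findings


def summarize(findings):
    """Count findings by status, e.g. Counter({'FAIL': 3, 'OK': 1, 'WARN': 1})."""
    return Counter(status for _, status, _ in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for when, status, msg in results:
        print(f"{when}  {status:4}  {msg}")
    print(dict(summarize(results)))
```

Run the script as-is to see the constructed records classified; the last record (a different destination) is ignored, and the chronological ordering makes the typical rollout visible: drops by each blade until the corresponding rule is in place, an Accept that is still being inspected, then the healthy Accept plus Bypass.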