New Contributor III

Best Practice: How to setup a VPN between FortiGate & Check Point

Hello Fortinet Community,

Q: In your best practice, what are the steps to set up a FortiGate Check Point VPN?

New Contributor II

For the first step I’d recommend filling out a VPN setup sheet with your VPN partner and agreeing on the settings.

See here: VPN setup sheet template



New Contributor

Cool! What would be the next step?

New Contributor II

As a next step I'd personally recommend starting to configure the Check Point.


In Check Point SmartConsole you have to create an Interoperable Device (your FortiGate).

New > Network Object > More > Interoperable Device

There you have to fill in information like the WAN IP of your FortiGate.

And the local subnet you want to tunnel from the FortiGate to the Check Point under “Topology”.

I would generally advise you to create Network Objects for both your Check Point local subnet and your FortiGate local subnet, so that they are reachable by VPN.
Best practice: Use Object Names that are self-explanatory.

New > Network

Best practice: Create a host Object with the IP of the WAN interface of your Check Point, in case the main IP of your Check Point Object is the internal IP address. This object can be used in the rulebase when configuring access rules.

New > Host


New Contributor III

@Henny : Hi Hendrik, thanks for the best practices!

I guess the next step is to create a VPN community object within Check Point's SmartConsole and then head over to the FortiGate and configure the VPN there as well?

New Contributor II

Yes, securely configure the VPN Community, install the Security Policy to your Check Point VPN Gateway and you should see the VPN tunnel in the monitoring with status: Down. After completing the VPN configuration on your FortiGate, the VPN tunnel should go up.

New Contributor II

That’s right @Danny.


Before you create a VPN Community make sure that the IPsec VPN Blade is enabled on your Check Point.


General Properties > Network Security > IPsec VPN


Next step is to create a new VPN Community. (This can be either Star or Mesh VPN)


New > More > VPN Community > Star Community

Best practice: Use a name that is self-explanatory.

Select your two Gateways with the Check Point as the Center Gateway and the FortiGate as the Satellite Gateway.

Select the correct encryption parameters you exchanged with your partner.

Set the shared secret.

Set the correct IKE/IPsec renegotiation times and toggle NAT according to your setup.

After you have saved the configuration you’re able to check the state of your VPN tunnel with a SmartConsole Extension, where you will see that the tunnel is down because you haven’t configured your FortiGate yet.


New Contributor II

Thanks for the detailed guideline!
I'm looking forward to the FortiGate configuration part.

New Contributor II


Hi @MarEng

For the next step you have to configure the VPN on the FortiGate using the custom VPN. First select a name:

VPN > IPsec Wizard

Enter the Remote Gateway's IP address and the outgoing interface.

Enter the pre-shared key you agreed upon as well as the IKE version.

For Phase 1 select the Encryption and Authentication you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.

For Phase 2 enter the Local and Remote Address space.

Under Advanced options you can select the Encryption and Authentication method you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.

In the next step you add new Address objects under
Policy & Objects > Addresses > Create New > Address

For your local subnet:

and for the remote subnet:

For the remote WAN:

For your local WAN:

You can also add Address Groups if you want to add them to the Firewall Policies instead of the direct Subnets.

Add a static route for your remote subnet pointing to the VPN-Tunnel Interface.
Network > Static Routes > Create New

Add another static Route this time pointing to the Blackhole interface.

Last step is to add firewall policies to allow the VPN traffic to pass through.
Add new policies under Policy & Objects > Firewall Policy > Create New

First for the traffic going to the VPN-Tunnel from the Port of your Subnet. In this case, NAT is not required.

Then for the traffic coming from the VPN tunnel going to the port of your destination subnet. In this case NAT is not required.

After that, monitor your VPN-tunnel. To check your VPN tunnel health you have to add a new Dashboard-Widget called IPsec
Dashboard > Status > Add Widget

Now you are able to check Phase 1 and Phase 2 status.

You can then test the connection with a simple ping. Phase 2 should be brought up automatically, provided Phase 1 has been brought up properly.

After this you can check on your FortiGate and Check Point if the tunnel was successfully brought up.

On the Check Point you’re able to check the state of your VPN tunnel with a SmartConsole Extension, where you can see that this tunnel is up too.


New Contributor III

Thanks, this is really helpful!
Any VPN troubleshooting best practices to know?