Hello Fortinet Community,
Q: In your best practice, what are the steps to set up a FortiGate ↔ Check Point VPN?
For the first step I’d recommend filling out a VPN setup sheet with your VPN partner and agreeing on the settings.
See here: VPN setup sheet template
Cool! What would be the next step?
Created on 05-11-2023 01:21 AM Edited on 05-11-2023 03:12 AM
As a next step I'd personally recommend starting with the configuration of the Check Point.
In Check Point SmartConsole you have to create an Interoperable Device (your FortiGate).
New > Network Object > More > Interoperable Device
There you have to fill in information like the WAN IP of your FortiGate, and under “Topology” the local subnet you want to tunnel from the FortiGate to the Check Point.
I would generally advise you to create Network Objects for both the Check Point local subnet and the FortiGate local subnet that are to be reachable via the VPN.
Best practice: Use Object Names that are self-explanatory.
New > Network
Best practice: Create a host Object with the IP of the WAN interface of your Check Point, in case the main IP of your Check Point Object is the internal IP address. This object can be used in the rulebase when configuring access rules.
New > Host
Created on 05-11-2023 01:39 AM Edited on 05-11-2023 02:23 AM
@Henny: Hi Hendrik, thanks for the best practices!
I guess the next step is to create a VPN community object within Check Point's SmartConsole and then head over to the FortiGate and configure the VPN there as well?
Yes, securely configure the VPN Community, install the Security Policy on your Check Point VPN Gateway, and you should see the VPN tunnel in the monitoring with status: Down. After completing the VPN configuration on your FortiGate, the VPN tunnel should go up.
Created on 05-12-2023 04:08 AM Edited on 05-12-2023 06:00 AM
That’s right @Dannу.
Before you create a VPN Community, make sure that the IPsec VPN Blade is enabled on your Check Point.
General Properties > Network Security > IPsec VPN
Next step is to create a new VPN Community. (This can be either Star or Mesh VPN)
New > More > VPN Community > Star Community
Best practice: Use a name that is self-explanatory.
Select your two Gateways, with the Check Point as the Center Gateway and the FortiGate as the Satellite Gateway.
Select the correct encryption parameters you exchanged with your partner.
Set the shared secret.
Set the correct IKE/IPsec renegotiation times and toggle NAT according to your setup.
After you have saved the configuration you are able to check the state of your VPN tunnel with a SmartConsole Extension, where you will see that the tunnel is down because you haven’t configured your FortiGate yet.
Created on 05-12-2023 05:52 AM Edited on 05-12-2023 05:54 AM
Thanks for the detailed guideline!
I'm looking forward to the FortiGate configuration part.
Created on 06-06-2023 03:34 AM Edited on 06-08-2023 11:47 PM
Hi @MarEng,
For the next step you have to configure the VPN on the FortiGate using the custom VPN. First select a name:
VPN > IPsec Wizard
Enter the Remote Gateway's IP address and the outgoing interface.
Enter the Pre-shared Key you agreed upon as well as the IKE version.
For Phase 1 select the Encryption and Authentication you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.
For Phase 2 enter the Local and Remote Address space.
Under Advanced options you can select the Encryption and Authentication method you agreed upon as well as the Diffie-Hellman Group and the Key Lifetime.
In the next step you add new Address objects under
Policy & Objects > Addresses > Create New > Address
for your local subnet, for the remote subnet, for the remote WAN, and for your local WAN.
You can also add Address Groups if you want to add them to the Firewall Policies instead of the direct Subnets.
Add a static route for your remote subnet pointing to the VPN-Tunnel Interface.
Network > Static Routes > Create New
Add another static route, this time pointing to the Blackhole interface.
The last step is to add Firewall Policies to allow the VPN traffic to pass through.
Add new policies under Policy & Objects > Firewall Policy > Create New
First for the traffic going to the VPN tunnel from the port of your subnet. In this case, NAT is not required.
Then for the traffic coming from the VPN tunnel going to the port of your destination subnet. In this case, NAT is not required either.
After that, monitor your VPN tunnel. To check your VPN tunnel health you have to add a new Dashboard Widget called IPsec:
Dashboard > Status > Add Widget
Now you are able to check Phase 1 and Phase 2 status.
You can then test the connection with a simple ping. Phase 2 should be brought up automatically, provided Phase 1 has been brought up properly.
After this you can check on your FortiGate and Check Point whether the tunnel was successfully brought up.
On the Check Point you’re able to check the state of your VPN tunnel with a SmartConsole Extension, where you are able to see that this tunnel is up too.
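The FortiGate side of the procedure above, expressed in the FortiOS CLI, as an added example rather than configuration taken from this thread. Tunnel name, interface names, the RFC 5737 documentation addresses and the PSK placeholder are assumed values to be replaced from your own VPN setup sheet, and the address objects LAN-fortigate and LAN-checkpoint are assumed to have been created as described.

```fortios
# Added example, not from the thread: all names, interfaces, IPs and the PSK are placeholders.
# Phase 1 (IKE), Phase 2 (IPsec), routes and the outbound policy mirror the GUI steps above.
config vpn ipsec phase1-interface
    edit "to-checkpoint"
        set interface "wan1"            # outgoing interface
        set ike-version 2
        set peertype any
        set proposal aes256-sha256      # Phase 1 encryption/authentication agreed with the partner
        set dhgrp 14                    # Diffie-Hellman group
        set keylife 86400               # Phase 1 key lifetime in seconds
        set remote-gw 203.0.113.10      # Check Point WAN IP (constructed)
        set psksecret "REPLACE-WITH-AGREED-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-checkpoint-p2"
        set phase1name "to-checkpoint"
        set proposal aes256-sha256      # Phase 2 encryption/authentication
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600         # Phase 2 key lifetime in seconds
        set src-subnet 192.0.2.0 255.255.255.0      # FortiGate local subnet (constructed)
        set dst-subnet 198.51.100.0 255.255.255.0   # Check Point local subnet (constructed)
        set auto-negotiate enable       # bring Phase 2 up without waiting for traffic
    next
end
config router static
    edit 0
        set dst 198.51.100.0 255.255.255.0
        set device "to-checkpoint"      # remote subnet via the tunnel interface
    next
    edit 0
        set dst 198.51.100.0 255.255.255.0
        set blackhole enable            # drop instead of leaking out the WAN if the tunnel is down
        set distance 254
    next
end
config firewall policy
    edit 0
        set name "LAN-to-checkpoint"
        set srcintf "port2"             # interface of your local subnet
        set dstintf "to-checkpoint"
        set srcaddr "LAN-fortigate"
        set dstaddr "LAN-checkpoint"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable                 # NAT is not required for the tunnel traffic
    next
end
```

The return policy (from "to-checkpoint" to "port2") is the same with source and destination swapped; `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` show the Phase 1 and Phase 2 state that the IPsec dashboard widget displays.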
Thanks, this is really helpful!
Any VPN troubleshooting best practices to know?