Hello Fortinet Community,
Q: In your best practice, what are the steps to set up a FortiGate ↔ Check Point VPN?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Danny,
I hope you are referring to a site to site vpn configuration between Fortigate and Checkpoint. Once you have the phase 1 and phase 2 parameter information from both the peers, you can follow the below link to set up VPN from Fortigate end
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-VPN-Site-to-Site-between/...
With regards to the configuration on Checkpoint, you might have to get the steps from them.
Regards,
Vimala
Created on 05-11-2023 01:27 AM Edited on 05-11-2023 01:33 AM
@kvimaladevi : Your link points to an oudated article that neither mentions Check Point nor any Best Practices regarding a VPN setup between FortiGate and Check Point.
Hi Danny,
There is no specific document explaining about VPN configuration between "FortiGate" and "Check Point".
The article has steps to configure site to site VPN, you can use the custom option.
Regards,
Vimala
On the FGT side, most best practices mentioned also apply:
- create address objects for the networks to be proteced, and those on the CP
to be used here:
- in the phase2
- in static route
- in the policy
This way, you only have to edit one central object to change the network definition, or add more networks.
Be careful when you need to tunnel multiple networks. Some firewalls allow the use of an address group in phase2, like the FGT. Some will only allow one phase2 definition for each network, like a Cisco ASA. Check that with CP.
Also, check if you can use IKEv2, or IKEv1 only. You need to know in advance.
All other IKE and IPsec parameters are pretty common, just make sure they match. On the FGT side, I would not offer a zillion proposals, just the one I know will be supported and be safe enough for my purposes.
The only parameter which might be difficult to implement is DPD. There are vendors who do not support this, or in a different fashion.
All 3 configs mentioned above are needed before an IPsec tunnel will come up in FortiOS. Specifically, no policy - no tunnel.
And, lastly, the one Best Practice for VPNs above all: install blackhole routes for all private networks! I've been posting this several times on this forum with explanations, you might find it useful.
Ah, here it is:
https://community.fortinet.com/t5/Support-Forum/Re-evaluate-sessions/m-p/7866?m=120834#120872
I even supplied a batch file for that.
Great illustrations and explanation. For those who know both FGT and CP, the most important catch in configuring IPSec is that Checkpoint will not accept 0.0.0.0/0 as encryption domain from the Fortigate in its usual domain-based VPN set up. Either use specific selector(s) on Fortigate that will match what Checkpoint expects, or use route-based VPN on CP (with VTI and routes).
Thanks Danny, it helped me to established First S2S VPN with FortiGate and CP.
Appreciated.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1713 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.