New Contributor III

Best Practice: How to setup a VPN between FortiGate & Check Point

Hello Fortinet Community,

Q: In your best practice, what's the 1st step to set up a FortiGate Check Point VPN?

New Contributor III

@kvimaladevi : Your link points to an outdated article that neither mentions Check Point nor any Best Practices regarding a VPN setup between FortiGate and Check Point.


Hi Danny,


There is no specific document explaining about VPN configuration between "FortiGate" and "Check Point".


The article has steps to configure site to site VPN, you can use the custom option.




Esteemed Contributor III

On the FGT side, most best practices mentioned also apply:

- create address objects for the networks to be protected, and those on the CP, to be used here:
  - in the phase2
  - in static route
  - in the policy

This way, you only have to edit one central object to change the network definition, or add more networks.


Be careful when you need to tunnel multiple networks. Some firewalls allow the use of an address group in phase2, like the FGT. Some will only allow one phase2 definition for each network, like a Cisco ASA. Check that with CP.


Also, check if you can use IKEv2, or IKEv1 only. You need to know in advance.

All other IKE and IPsec parameters are pretty common, just make sure they match. On the FGT side, I would not offer a zillion proposals, just the one I know will be supported and be safe enough for my purposes.


The only parameter which might be difficult to implement is DPD. There are vendors who do not support this, or in a different fashion.


All 3 configs mentioned above are needed before an IPsec tunnel will come up in FortiOS. Specifically, no policy - no tunnel.


And, lastly, the one Best Practice for VPNs above all: install blackhole routes for all private networks! I've been posting this several times on this forum with explanations, you might find it useful.


"Kernel panic: Aiee, killing interrupt handler!"
Esteemed Contributor III

Ah, here it is:


I even supplied a batch file for that.


"Kernel panic: Aiee, killing interrupt handler!"
Valued Contributor

Great illustrations and explanation. For those who know both FGT and CP, the most important catch in configuring IPSec is that Checkpoint will not accept as encryption domain from the Fortigate in its usual domain-based VPN set up. Either use specific selector(s) on Fortigate that will match what Checkpoint expects, or use route-based VPN on CP (with VTI and routes). 


Yuri blog: All things Fortinet, no ads.

All opinions are mine only.
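As an added example, not taken from any of the posts above, here is how the FortiOS CLI pieces ede_pfau lists fit together on the FGT side, plus the specific phase2 selectors Yuri mentions for a domain-based Check Point peer: one set of address objects reused in the phase2, the static route and the policies, IKEv2 with a single proposal, DPD, and blackhole routes for the RFC1918 ranges. Every name, interface, subnet, peer IP and the PSK below is a placeholder I made up; adjust them to your environment.

```fortios
# Central address objects: edit these, and phase2, route and policy follow.
config firewall address
    edit "LAN_local"                      # local protected network (constructed)
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "CP_remote_net"                  # network behind the Check Point (constructed)
        set subnet 10.20.0.0 255.255.0.0
    next
end
# Group so that more remote networks can be added in one place later.
config firewall addrgrp
    edit "VPN_remote_nets"
        set member "CP_remote_net"
    next
end

# Phase1: IKEv2, one proposal only, DPD on idle.
config vpn ipsec phase1-interface
    edit "to-CP"
        set interface "wan1"              # placeholder WAN interface
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10        # placeholder Check Point gateway IP
        set psksecret "REPLACE_WITH_PSK"  # placeholder pre-shared key
        set dpd on-idle
        set dpd-retrycount 3
        set dpd-retryinterval 10
    next
end

# Phase2: named selectors (not 0.0.0.0/0) so they match the CP encryption domain.
config vpn ipsec phase2-interface
    edit "to-CP-p2"
        set phase1name "to-CP"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set src-addr-type name
        set src-name "LAN_local"
        set dst-addr-type name
        set dst-name "VPN_remote_nets"
        set keylifeseconds 3600
    next
end

# Static route through the tunnel interface, using the same address group,
# plus blackhole routes for all private ranges with a high distance.
config router static
    edit 0
        set dstaddr "VPN_remote_nets"
        set device "to-CP"
    next
    edit 0
        set dst 10.0.0.0 255.0.0.0
        set blackhole enable
        set distance 254
    next
    edit 0
        set dst 172.16.0.0 255.240.0.0
        set blackhole enable
        set distance 254
    next
    edit 0
        set dst 192.168.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end

# Policies in both directions; without a policy the tunnel will not come up.
config firewall policy
    edit 0
        set name "LAN-to-CP"
        set srcintf "internal"            # placeholder LAN interface
        set dstintf "to-CP"
        set srcaddr "LAN_local"
        set dstaddr "VPN_remote_nets"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "CP-to-LAN"
        set srcintf "to-CP"
        set dstintf "internal"
        set srcaddr "VPN_remote_nets"
        set dstaddr "LAN_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The blackhole routes sit at distance 254, so they only become active once the tunnel interface route is gone; while the tunnel is down, traffic for private ranges is dropped instead of leaving via the default route. After applying the config, `diagnose vpn tunnel list` on the FGT shows whether the selectors negotiated with the Check Point match what you configured in phase2.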