Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Dannу
Contributor

Best Practice: How to setup a VPN between FortiGate & Check Point

Hello Fortinet Community,

Q: In your best practice, what are the steps to set up a FortiGate Check Point VPN?

16 REPLIES 16
kvimaladevi
Staff
Staff

Hi Danny,

 

I hope you are referring to a site to site vpn configuration between Fortigate and Checkpoint. Once you have the phase 1 and phase 2 parameter information from both the peers, you can follow the below link to set up VPN from Fortigate end

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-configure-VPN-Site-to-Site-between/...

With regards to the configuration on Checkpoint, you might have to get the steps from them.

 

Regards,

Vimala

Dannу

@kvimaladevi : Your link points to an oudated article that neither mentions Check Point nor any Best Practices regarding a VPN setup between FortiGate and Check Point.

kvimaladevi

Hi Danny,

 

There is no specific document explaining about VPN configuration between "FortiGate" and "Check Point".

 

The article has steps to configure site to site VPN, you can use the custom option.

 

Regards,

Vimala 

ede_pfau
Esteemed Contributor III

On the FGT side, most best practices mentioned also apply:

- create address objects for the networks to be proteced, and those on the CP

to be used here:

- in the phase2

- in static route

- in the policy

This way, you only have to edit one central object to change the network definition, or add more networks.

 

Be careful when you need to tunnel multiple networks. Some firewalls allow the use of an address group in phase2, like the FGT. Some will only allow one phase2 definition for each network, like a Cisco ASA. Check that with CP.

 

Also, check if you can use IKEv2, or IKEv1 only. You need to know in advance.

All other IKE and IPsec parameters are pretty common, just make sure they match. On the FGT side, I would not offer a zillion proposals, just the one I know will be supported and be safe enough for my purposes.

 

The only parameter which might be difficult to implement is DPD. There are vendors who do not support this, or in a different fashion.

 

All 3 configs mentioned above are needed before an IPsec tunnel will come up in FortiOS. Specifically, no policy - no tunnel.

 

And, lastly, the one Best Practice for VPNs above all: install blackhole routes for all private networks! I've been posting this several times on this forum with explanations, you might find it useful.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
ede_pfau
Esteemed Contributor III

Ah, here it is:

https://community.fortinet.com/t5/Support-Forum/Re-evaluate-sessions/m-p/7866?m=120834#120872

 

I even supplied a batch file for that.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Yurisk
Valued Contributor

Great illustrations and explanation. For those who know both FGT and CP, the most important catch in configuring IPSec is that Checkpoint will not accept 0.0.0.0/0 as encryption domain from the Fortigate in its usual domain-based VPN set up. Either use specific selector(s) on Fortigate that will match what Checkpoint expects, or use route-based VPN on CP (with VTI and routes). 

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
FaridulAlam
New Contributor II

Thanks Danny, it helped me to established First S2S VPN with FortiGate and CP.

Appreciated.

Regards, Faridul
Regards, Faridul
Top Kudoed Authors