This configuration example was taken from a Check Point UTM-1 running SecurePlatform R75. This information is not shown in the pictures below. The Phase 2 timeout should be set to 120 seconds. If a data pod that a Check Point firewall is connected to is taken down for maintenance, the firewall will not detect that the pod is unavailable and will believe the tunnel is still established until it renegotiates Phase 2. The reason for this is that the Blue Coat Cloud Security Service supports Dead Peer Detection (DPD), while Check Point firewalls use a different protocol/mechanism to detect that a peer is down. Although 120 seconds is aggressive, it means the tunnel will quickly recover if a pod it was connected to is taken down for any reason.

UPDATE: Check Point have released a hot fix that supports DPD.

Create Address range of the internet

In the SmartDashboard and from the menu bar select Manage -> Network Objects. Click New -> Address Ranges -> Address Range. Enter a meaningful name and provide the first and last IP as shown in the graphic below. Click OK to save and return to the Network Objects window.

Create Network object defining the internal subnet

If a network object is not yet created that defines the internal subnet, then create it now. Provide a meaningful name and define the internal subnet as shown in the graphic below. Click OK to save and return to the Network Objects window.

Next create the Simple Group that will be used for the manual VPN definition. Provide a meaningful name and select the range created previously, as shown in the graphic below. Click OK to save and return to the Network Objects window.

Create an interoperable device

Provide a meaningful name and enter an IP address of the Blue Coat Secure Web Cloud data center. The IP addresses of the data centers can be found in the online documentation. The Seattle data center will be used in this example. Click on Topology and select the Simple Group that was previously created for the manual VPN definition, as shown in the graphic below. Click OK to save changes and return to the Network Objects window. Click Close on the Network Objects window to return to the SmartDashboard.

In the window pane on the left of the SmartDashboard navigate to Network Objects -> Check Point and double click the gateway to edit the object. On the General Properties screen confirm that IPSEC VPN is checked in the Network Security tab. Click on Topology from the menu in the left window pane. Manually define the VPN domain using the internal subnet object that exists or was created previously. Click OK to save changes and return to the SmartDashboard.

The community can be created as a Star or Mesh. In this example a Mesh Community will be used. Service objects will be created that are needed to exclude all protocols from the community except for ports 80 and 443. In the SmartDashboard go to the Services tab in the left window pane, then right click on TCP and select New TCP. Provide a meaningful name and enter 1-79 for the Port, as shown in the graphic below. Click OK to save the changes. Repeat this step two more times for ports 81-442 and 444-65534 and provide unique meaningful names. Any other protocols that should be excluded from the community can be created in the same way, or existing service objects can be used when it comes time to define the exclusions. Create a Group for these protocol exclusions by right clicking on the Group service object and selecting New Group. Add the TCP services that were just created.
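The three TCP exclusion services described on this page (1-79, 81-442 and 444-65534) are the complement of ports 80 and 443 over the TCP port space, typed by hand into SmartDashboard. As an added example, not code from the original article or from Check Point, the following Python computes those ranges for any set of ports that should be tunnelled and checks the resulting exclusion group for gaps and overlaps. It goes beyond the page's single instance: it handles adjacent allowed ports and ports at either end of the range, and it flags that the page's last range stops at 65534, leaving port 65535 neither allowed nor excluded. Function and object names are assumptions; range bounds are treated as inclusive, as in a TCP service object's port field.

```python
# Added example (not from the original article): derive the TCP "exclusion"
# service ranges for a VPN community from the ports that SHOULD be tunnelled,
# then check the exclusion group for gaps and overlaps. Range bounds are
# inclusive, as in a Check Point TCP service object's port field. All names
# below are assumptions made for this example.

MIN_PORT = 1
MAX_PORT = 65535


def exclusion_ranges(allowed_ports, low=MIN_PORT, high=MAX_PORT):
    """Inclusive (start, end) ranges of [low, high] containing no allowed port.

    For allowed ports {80, 443} this yields the three ranges the article
    builds by hand, except that the last one ends at 65535, the top of the
    port space, rather than 65534.
    """
    allowed = sorted({p for p in allowed_ports if low <= p <= high})
    ranges = []
    cursor = low
    for port in allowed:
        if port > cursor:            # there is a gap before this allowed port
            ranges.append((cursor, port - 1))
        cursor = port + 1            # adjacent allowed ports produce no empty range
    if cursor <= high:               # trailing range after the last allowed port
        ranges.append((cursor, high))
    return ranges


def service_objects(allowed_ports, prefix="vpn_exclude_tcp"):
    """(name, port-field text) pairs, one per New TCP service dialog."""
    return [(f"{prefix}_{s}_{e}", f"{s}-{e}")
            for s, e in exclusion_ranges(allowed_ports)]


def gap_ports(allowed_ports, excluded_ranges, low=MIN_PORT, high=MAX_PORT):
    """Ports that are neither allowed nor covered by any exclusion range.

    Traffic on such a port is not matched by the exclusion group, so it would
    still be sent through the community tunnel unintentionally.
    """
    covered = set(allowed_ports)
    for s, e in excluded_ranges:
        covered.update(range(s, e + 1))
    return [p for p in range(low, high + 1) if p not in covered]


def overlap_ports(allowed_ports, excluded_ranges):
    """Allowed ports that an exclusion range also covers (they would never be tunnelled)."""
    return sorted(p for p in allowed_ports
                  if any(s <= p <= e for s, e in excluded_ranges))


if __name__ == "__main__":
    allowed = {80, 443}
    for name, ports in service_objects(allowed):
        print(f"New TCP service {name}: port {ports}")
    # The ranges exactly as the article lists them (constructed from its text).
    article_ranges = [(1, 79), (81, 442), (444, 65534)]
    print("ports not covered by the article's ranges:", gap_ports(allowed, article_ranges))
    print("allowed ports swallowed by an exclusion:", overlap_ports(allowed, article_ranges))
```

Run the module directly to see the generated service names and the coverage report for the page's own ranges; `gap_ports` reports `[65535]` for them, which is the one port a practitioner should decide about deliberately before building the exclusion group.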