topic Re: MEP configuration hints for failover P2P VPN to non-Check Point Gateway. in Firewall and Security Management

MEP configuration hints for failover P2P VPN to non-Check Point Gateway.

Perry_McGrew — Tue, 08 Apr 2025 11:43:11 GMT

@PhoneBoy pointed me to MEP. So, I have started reading the documentation. Wanted to ask if anyone has set this up and can provide hints or issues encountered.

All our Check Point devices are R82 JHF12.

We have several small satellite sites that use CP 3200's that currently have P2P VPN connections to our 5800 in the Corporate Datacenter (Hub & Spoke). The satellite sites use public Spectrum / FiOS connections, and each site has Static public IP. No routing protocols are run on these CP 3200s. All CP GWs are centrally managed from our virtualized CP Mgt server in the Corp datacenter.

We are setting up a DRaaS site with our service provider. The Service Provider uses Fortinet FW (presume its virtual appliance and don't know much else about it yet).

So, the scenario is if the Corp Datacenter is "down", these CP 3200 satellite sites need to failover their P2P VPN connection to the DRaaS / Fortinet Firewall until the Corp Datacenter is back online and then fail back.

Side note I need to study is since the CP Mgt server is in our Corp Datacenter -- which will be unavailable during a Disaster -- is if this would pose a problem with these CP 3200s? Also, we do NOT use any CP end-user VPN clients -- we transitioned to Cloudflare's Zerotrust for secure device access from PCs not on any corporate networks.

TIA

Re: MEP configuration hints for failover P2P VPN to non-Check Point Gateway.

PhoneBoy — Tue, 08 Apr 2025 17:46:02 GMT

Where the management being down is an issue is validating the CRL as part of the VPN (assuming you're using ICA certificates).
There may be other issues, but that's one that came to mind.

Re: MEP configuration hints for failover P2P VPN to non-Check Point Gateway.

Perry_McGrew — Mon, 23 Jun 2025 15:18:58 GMT

Slogging thru the setup. Defined the Fortigate as interoperable device.... added it as center GW to each remote Site VPN Community, Set the manual MEP Priority list (Datacenter 1st Priority, Fortigate as 2nd Priority).

2 things still not clear.

- No VPN Domain defined on the Fortigate as the current VPN domain defined behind the Datacenter 5800 would be up behind the Fortigate in the event that Datacenter was down.

- Phase 1 / Phase 2 definitions on the satellite 3200s. Can the IKE SAs be different to the 2 center GWs? I'd like to use SHA256 for the Data Integrity to the Fortigate vs the legacy SHA1 defined to the corporate Datacenter. I have looked at the "Override Encryption Settings for Externally Managed Gateways" It allows me to set the Fortigate Phase 1 to AES-256 / SHA256. For Phase 2, I can set it to AES-GCM-256 but it will not allow me to choose Phase 2 Data Integrity (greyed out showing SHA384). PFS is NOT used anywhere,