topic Re: VPN Mesh Tunnel Question on On-Premise Smart-1 server/Quantum Spark 1600 Firewalls in Spark Firewall (SMB)

VPN Mesh Tunnel Question on On-Premise Smart-1 server/Quantum Spark 1600 Firewalls

rdiaz — Mon, 08 Dec 2025 22:39:02 GMT

Greetings CheckMates,

I'm still fairly new to Check Point and trying to understand how the VPN Tunnels work the Quantum Spark world of firewalls.

I had an incident today where my internet connection went down (this is where my Smart-1 Server lives/on-premise with 2-HA Pair of 1600s firewall). I noticed that none of my mesh connections worked during the outage (between other sites since I have about 7 of them). Is the Smart-1 keeping those connections alive and if for any reason the Smart-1 server goes down the mesh goes down with it?

and if this is so, how can I create a mesh network that doesn't rely on the Smart-1 server or do I need to go Cloud with Check Point to avoid this from happening?

Any input is very appreciated. 🙂

Re: VPN Mesh Tunnel Question on On-Premise Smart-1 server/Quantum Spark 1600 Firewalls

PhoneBoy — Thu, 11 Dec 2025 19:45:11 GMT

One management dependency for VPNs is the Internal Certificate Authority.
If the management is down for an extended period of time, this will cause VPNs to fail since they cannot access the CRL...which is located on the management.
This is described here: https://support.checkpoint.com/results/sk/sk100731

You have a couple options here:

Use a third-party CA and certificates (which don't have a dependency on the management, but must be managed manually)
Disable CRL checking, which is not recommended: https://support.checkpoint.com/results/sk/sk21156

Re: VPN Mesh Tunnel Question on On-Premise Smart-1 server/Quantum Spark 1600 Firewalls

rdiaz — Thu, 11 Dec 2025 19:47:31 GMT

understood! thank you for the prompt reply! 🙂