This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
arvindteemul1
Collaborator
‎2025-04-28 09:24 PM

VPN Configuration between Check Point and FortiGate

Hi Mates,

A VPN has been configured between a Check Point R81 and Fortinet version 7.6 firewalls. After the initial VPN configuration, traffic is successfully traversing the two firewalls. If there is no traffic continually traversing the VPN for more than an hour, then the VPN appears to be broken and does not allow any traffic outbound from Check Point, unless the VPN reconfiguration is carried out on the Check Point firewall, however inbound traffic to the Check Point firewall is working fine.

Any suggestions to fix this?

0 Kudos
10 Replies
Gaurav_Pandya
MVP
MVP
‎2025-04-29 03:55 AM

Enable permanent tunnel option with specific community and test.

Permanent tunnel.PNG

0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2025-04-29 04:18 AM
In response to Gaurav_Pandya

@arvindteemul1 

The Permanent Tunnels feature will send a UPD 18234 packet (tunnel testing) which is proprietary, so the FN gateway will not understand it. It may work just because of the traffic flow in the tunnel.

What do the logs say?


https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SitetoSiteVPN_AdminGuide/Con...

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-04-29 04:29 AM

Ah, fortiOS 7.6.x, lots of new features, but still feature release, so I would stick with 7.4, which is latest mature code : - )

Anywho...make sure on Fortigate, setting auto keep alive is enabled and on CP exactly what the guys mentioned.

Andy

 

Best,
Andy
"Have a great day and if its not, change it"
Preview file
80 KB
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-04-29 04:57 AM

Sounds like VPN timers are not the same on both sides. Would check p1 and p2 on both side and make sure they match. 

Are you sure you run R81? and not R81.10 or R81.20? If so upgrade due EOL status 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2025-04-29 05:03 AM

https://support.checkpoint.com/results/sk/sk108600

the_rock
MVP Diamond
MVP Diamond
‎2025-04-29 05:07 AM
In response to Don_Paterson

Always great sk to refer to, Don.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-04-29 06:25 AM

On hour is default phase2 re-key timer (as @Lesley noted.  Be sure your implied rules enable VPN control connections and that you aren't trying to control IKE, IPsec, and (if applicable) NAT-T connections in your security policy.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
arvindteemul1
Collaborator
‎2025-04-29 07:33 AM
In response to Duane_Toler

thanks to all for your input...awaiting access to the firewall to check on the suggested items...will keep you posted!

On another note, while I'm cross referencing another firewall, I came across a typo in the Implied Policy section of R81.20, see attached:

 

 

 

Implied Policy.docx
the_rock
MVP Diamond
MVP Diamond
‎2025-04-29 07:35 AM
In response to arvindteemul1

Personally, I would never change those without checking with TAC first.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-04-29 07:56 AM
In response to arvindteemul1

You have Remote Access control connections disabled.  This needs to be enabled for all of IPsec to function.  You also have Accept ICMP Requests enabled, which is not the default (and you almost certainly do not want this).  Someone has modified these implied rules in the past.  You should review the defaults again and re-align these..  Here's a screenshot from sk179346.

 

https://sc1.checkpoint.com/sc/SolutionsStatics/sk179346/implied%20rules202205261210461.png

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events