This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
GSecurity
Participant
‎2024-09-19 10:23 AM

VPN SITE TO SITE

Good morning, dear friends,

I am deploying the checkpoint spark equipment in 5 remote locations, managed from smart cloud, which I will link to the client's main location through a site-to-site tunnel, at the end of the main location the firewall is a fortigate. The requirement of this tunnel is that each remote location has communication only and exclusively to the central location, in this case would I use a meshed or start community?

Another question I have is at the end of the remote locations where the spark checkpoint gateways will be, the internet router provides a netted IP (192.168.1.0/24), the WAN interface of the Gateway has an IP of this segment; at the end of the main location the Foritgate does have public IPs in its WAN interface. In this case, with other firewalls I would have to configure a Peer ID at each end but in checkpoint I do not identify how to configure this Peer ID.

Best regards

0 Kudos
9 Replies
the_rock
MVP Diamond
MVP Diamond
‎2024-09-19 11:13 AM

I think simple net diagram would help us here. Question 1 ) Yes, sounds like star community is fine, since you can use central location as central gw and other ones as sateelites

Question 2) I never ever heard of peer ID on CP side, so not sure if that setting even exists. Though, it might be somehwere in smb gui page, cant confirm, as I literally ever work on those devices, but in regular Gaia, I had never seen it, unless you use VTIs, but even in such case, it ONLY asks to enter peer name, which is essentially name of interoperable object you configure representing other side

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-09-19 11:22 AM

This is what I was referring to.

Andy

 

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
GSecurity
Participant
‎2024-09-19 12:13 PM
In response to the_rock

Hi, thanks for your reply,

I don't know where to add this, please help me

Regards

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-09-19 12:17 PM
In response to GSecurity

Just working on some Fortinet stuff, will spin up quick demo smb lab and see if option is there. Otherwise, we can do remote tomorrow if you are allowed to, let me know.

Btw, that option I pasted is on regular Gaia, plus, may not apply to you, as its mostly used for ROUTE based vpn tunnels, not domain based ones.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-09-19 12:29 PM
In response to GSecurity

@GSecurity 

While Im waiting for customer/Fortinet guy to finish what they need to finish, I spun up the lab in the meantime and this is what Im referencing from the screenshot. BUT, again, if you are going to build domain based vpn, none of this is relevant. Howveer, if it will be route based (which I always recommend to people now days), then it matters. Anyway, message me directly tomorrow if you can do remote and happy to go through it together.

Andy

 

See my post abour route based tunnels.

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

 

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
GSecurity
Participant
‎2024-09-19 01:07 PM
In response to the_rock

Hi, I wrote to you directly. Thanks 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-09-19 01:08 PM
In response to GSecurity

Responded...just send me your email, lets connect offline, easier.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-09-20 06:48 PM
In response to GSecurity

Hey Gerardo,

Thanks for your time on the remote today and apologies for my abysmal Spanish :(. Anyway, we agreed you would configure route-based VPN tunnel and test it out. If any issues mate, just text me or email and we can do another zoom meeting.

Best,

Andy

And here is Spanish translation 🙂

***********************************

Gracias por tu tiempo en el control remoto hoy y disculpas por mi pésimo español :(. De todos modos, acordamos que configurarías un túnel VPN basado en rutas y lo probarías. Si tienes algún problema, amigo, envíame un mensaje de texto o un correo electrónico y podemos hacer otro zoom. reunión.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2024-09-20 07:10 AM

Hey bro,

I waited 10 mins in zoom, but no one showed up, so I closed it. Im good for another 30 mins.

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 16 Jun 2026 @ 09:30 AM (BST)

    DDOS MasterClass in London!
    In-Person

    Tue 16 Jun 2026 @ 08:00 AM (EDT)

    Montreal: P’tits déj Cyber! | Cyber Breakfasts!
    CheckMates Events