Check Point DPD (Dead Peer Detection) - Questions


Hi all,

I have two questions regarding the Dead Peer Detection between our Check Point Cluster and other existing VPN connections to non-Check Point Gateways.

1. Does enabling DPD (Responder Mode) have any impact on existing VPN connections? Can I enable it "on-the-fly" without having any disconnects to the VPN? I haven't found an answer on that yet.

2. If I change a VPN community with non-Check Point Gateways to "Permanent Tunnels" in order to activate DPD with GuiDBedit, does this have any impact on existing connections?

Thanks in advance for any help.

10 Replies
quickly though:

Ad.1 - it will re-estab SA/SPI indeed
Ad.2 - it will re-estab the tunnel

ps. any changes to the proxy-id or any crypt.conf params will re-key and re-estab SA/SPI
Jerry
Thanks for the quick reply. That means that we have to announce it so that if there is any issue our partners know about it.
it will 100% impact/affect existing tunnel(s), so yes, that should be announced and planned for a so-called "maintenance window" 🙂

cheers
Jerry

Is there any way to check if DPD is enabled?


Yes, there is. You can check with the GuiDBedit tool under Network Objects >> network_objects:

[Screenshot: DPD.PNG]

I hope this helps.


Thank you


My pleasure!


Can we achieve VPN redundancy with 3rd party Gateways by enabling DPD(In R80.10 or R80.20) ?

 


Can we enable Dead Peer detection on the third party devices only?  Or do we have to enable it on the checkpoint gateways also? My understanding is if enabled on the checkpoint gateways it affects all other VPNs?


You can set DPD per remote gateway via the tunnel_keepalive_method variable in GuiDBedit, as described in this lengthy thread; you don't have to change this value for your Check Point gateway:

https://community.checkpoint.com/t5/Next-Generation-Firewall/Enable-DPD-on-R80-20/m-p/32605

Starting in R81 tunnel_keepalive_method will be set to DPD by default on all Interoperable Device object types.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com
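As an added example (not code from the thread or from Check Point), here is a small audit script that ties the two answers above together: it reads a list of gateway objects, reports the effective tunnel_keepalive_method for each Interoperable Device, and lists the peers whose value would actually change if you move them to DPD, since, per the earlier replies, changing the value re-establishes the SA and therefore needs to be announced and scheduled. The line-oriented dump format, the object type names (`interoperable_device`, `checkpoint_cluster`), the value `tunnel_test` and the assumed pre-R81 default are all constructed assumptions for this example; only the attribute name `tunnel_keepalive_method` and the value DPD come from the thread.

```python
"""Audit tunnel_keepalive_method on third-party (Interoperable Device) peers.

Example code, not part of the thread or of any Check Point tool. The input
format below is a constructed, simplified "name key=value ..." dump and is
NOT a real GuiDBedit export format.
"""
import re
from typing import Dict, List

# Constructed sample objects. Object types and the value "tunnel_test" are
# assumptions for this example; only "tunnel_keepalive_method" and "dpd"
# are taken from the thread.
SAMPLE_DUMP = """\
partner-fw-a type=interoperable_device tunnel_keepalive_method=tunnel_test
partner-fw-b type=interoperable_device tunnel_keepalive_method=dpd
partner-fw-c type=interoperable_device
hq-cluster   type=checkpoint_cluster tunnel_keepalive_method=tunnel_test
"""

PAIR_RE = re.compile(r"(\w+)=(\S+)")


def parse_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Return {object_name: {attribute: value}} for every non-empty line."""
    objects: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        objects[name] = dict(PAIR_RE.findall(rest))
    return objects


def audit_dpd(text: str, default_method: str = "tunnel_test") -> Dict[str, str]:
    """Effective keepalive method per Interoperable Device (third-party peer).

    Objects that lack the attribute are reported with default_method. The
    default is an assumption: "tunnel_test" for releases before R81; the
    thread states that from R81 the default for these objects is DPD, so
    pass default_method="dpd" when auditing an R81+ management.
    """
    result: Dict[str, str] = {}
    for name, attrs in parse_dump(text).items():
        if attrs.get("type") != "interoperable_device":
            continue  # Check Point gateways are out of scope (per the thread)
        result[name] = attrs.get("tunnel_keepalive_method", default_method).lower()
    return result


def peers_needing_window(text: str, target: str = "dpd",
                         default_method: str = "tunnel_test") -> List[str]:
    """Peers whose setting would actually change when moving to `target`.

    Per the replies above, changing the value re-establishes the SA/SPI, so
    each listed peer must be announced to the partner and scheduled in a
    maintenance window; peers already at `target` are untouched.
    """
    current = audit_dpd(text, default_method)
    return sorted(name for name, method in current.items() if method != target)


if __name__ == "__main__":
    for name, method in audit_dpd(SAMPLE_DUMP).items():
        print(f"{name:14} {method}")
    print("needs maintenance window:", peers_needing_window(SAMPLE_DUMP))
```

Run it against your own object list once you have exported it in whatever form you use; the point is to separate peers that are already on DPD (no change, no re-key) from those that will re-key, so the maintenance window only covers the partners actually affected.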