This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Mitesh
Participant
‎2025-10-09 03:28 AM
Jump to solution

IPSec VPN Tunnel

Hi,

We recently migrated IPSec Tunnel from CP 9100 to CP 3800 appliance.

Post migration we are unable to see th tunnel traffic logs on CP 3800.

Required blades is enable on CP3800 gateway.

What we are missing here ?

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Diamond
MVP Diamond
‎2025-10-17 04:13 AM
In response to Mitesh
Jump to solution

Ok...do you see any drops on CP side? What about PAN?

Best,
Andy
"Have a great day and if its not, change it"

View solution in original post

0 Kudos
12 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-10-09 05:31 AM
Jump to solution

Are you seeing any logs for the 3800 or is it logging locally?

Use "cpstat fw -f log_connection" to check...

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-10-12 11:10 AM
Jump to solution

You cant see just vpn logs or any logs? Sorry, its not entirely clear from your description.

Best,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-10-15 01:41 AM
Jump to solution

Hey @Mitesh 

Were you able to fix this mate?

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Mitesh
Participant
‎2025-10-17 04:08 AM
In response to the_rock
Jump to solution

@the_rock unable to resolve the issue.

Let me explain the secnario once again, also attaching network diagram.

We are having 2 tier firewall architecture, Checkpoint we are using for Perimeter & Palo Alto for internel (core), server farm is behind the Palo Alto Firewall.

IPSec Tunnel is configured on Checkpoint, Tunnel is up, traffic from remote network is reaching to checkpoint, but we are unable to see the traffic on Palo Alto Firewall.

I suspect may be routing or NAT issue.

Preview file
32 KB
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-10-17 04:13 AM
In response to Mitesh
Jump to solution

Ok...do you see any drops on CP side? What about PAN?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Mitesh
Participant
‎2025-10-17 04:15 AM
In response to the_rock
Jump to solution

Palo Alto sidw we are not seeing any packet.

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-10-17 04:19 AM
In response to Mitesh
Jump to solution

Then for sure sounds its issue on their end, not CP.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-10-17 04:17 AM
In response to Mitesh
Jump to solution

On CP fw, do this from expert -> fw ctl zdebug + drop | grep x.x.x.x

Just replace with right IPon other side. Its been forever since I worked with PAN, so not sure if they have similar command, but you can check the logs.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Mitesh
Participant
‎2025-10-17 04:30 AM
In response to the_rock
Jump to solution

How we can verify trafiic is reaching to Palo Alto Interface via Checkpoint ?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-10-17 04:40 AM
In response to Mitesh
Jump to solution

Just do tcpdump or fw monitor. You can refer to below site my colleague made while back.

https://tcpdump101.com

 

 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Mitesh
Participant
‎2025-10-21 11:32 PM
In response to the_rock
Jump to solution

@the_rock issue got resolved.

It was routing issue from Palo Alto side.

the_rock
MVP Diamond
MVP Diamond
‎2025-10-22 04:16 AM
In response to Mitesh
Jump to solution

Excellent, thanks for letting us know.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events