shauls
Participant

IPSec VPN between CheckPoint and Prisma Access

Hey guys,

I was asked to make a test in which I will route all internet traffic from a specific subnet (for example 10.10.10.0/24) to Prisma Access.

I configured the necessary part in Prisma Access Remote Networks IPSec VPN, but what are my options in order to do this in Check Point?

I was thinking of making a VPN community in which the VPN Domain will be 0.0.0.0/0, excluding RFC1918 addresses and CGNAT addresses.

Is it even possible? Are there other options?


10 Replies
shauls
Participant

I am thinking that maybe Route Based VPN with PBR will be a more appropriate solution, but I am not sure how to implement it.

In VTI configuration, what do I configure as the remote peer IP address and local IP address? I only have the Prisma Access public IP.

the_rock
Legend

See if the below post I made about a year ago helps. I know it's Azure, but it would be very similar. I know Prisma is Palo Alto, if I'm not mistaken. I have only seen it once myself, apologies, but I'm not familiar with it at all. But, to answer your question about route based, yes, you can follow the documents I have in the link, hope it makes sense.

Andy


https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

shauls
Participant

I understand that I could just "gibberish" the VTI numbered addresses, is this correct? 

the_rock
Legend

That's right. See below an example I gave in another post a while back. Message me directly if you need further explanation.

Andy


https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-failover-issue/m-p/155553#M265...

the_rock
Legend

Hey @shauls , were you able to figure this out?

Andy

shauls
Participant

I am still not sure about the "Numbered Remote Address" field. I understand that I could come up with any unique IP address for the numbered local address, but what about the remote address? I don't have such address provided to me by Prisma, unlike the AWS example. 

the_rock
Legend

Does not really matter, as long as it's not used on their end.

Andy

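The two address questions in this thread (a VPN domain of 0.0.0.0/0 minus RFC1918 and CGNAT space, and numbered-VTI addresses that merely have to be unused on both ends) can be worked out mechanically. This is an added example, not code from the thread, Check Point or Palo Alto; the 169.254.0.0/16 pool and the in-use prefixes are assumptions chosen for illustration.

```python
import ipaddress

# Space that must stay out of the tunnel: RFC 1918 plus CGNAT (RFC 6598).
EXCLUDED = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def vpn_domain(excluded=EXCLUDED):
    """Expand 0.0.0.0/0 minus the excluded ranges into an explicit prefix list.

    This is the list of networks the 'everything except RFC1918/CGNAT'
    VPN domain actually consists of, sorted and collapsed.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in excluded:
        nxt = []
        for net in remaining:
            if ex.subnet_of(net):
                nxt.extend(net.address_exclude(ex))  # carve the hole out
            elif net.subnet_of(ex):
                continue  # swallowed entirely by the exclusion
            else:
                nxt.append(net)
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def pick_vti_pair(in_use, pool=ipaddress.ip_network("169.254.0.0/16")):
    """Return (local, remote) numbered-VTI addresses from the first free /30.

    'in_use' is every prefix routed on either side; the addresses themselves
    are arbitrary, they only have to collide with nothing (the assumed
    link-local pool is a constructed choice, not a Check Point requirement).
    """
    used = [ipaddress.ip_network(n, strict=False) for n in in_use]
    for cand in pool.subnets(new_prefix=30):
        if any(cand.overlaps(u) for u in used):
            continue
        local, remote = list(cand.hosts())
        return str(local), str(remote)
    raise ValueError("no free /30 left in pool")


if __name__ == "__main__":
    for net in vpn_domain():
        print(net)
    print(pick_vti_pair(["10.10.10.0/24", "169.254.0.0/24"]))
```
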
shauls
Participant

IT IS working. I used your text guide along with the AWS guide. I also configured PBR instead of static route.

There is only one thing that is very strange. In Tunnel Monitoring I see the tunnel is down, but on the Prisma side it is up and everything is working as expected.

shauls
Participant

Never mind, I see that I configured the "permanent tunnels" option, but it should only work between Check Point gateways. I disabled it and now I see that the tunnel is up. Thanks for the help!

the_rock
Legend

I always rely more on vpn tu or vpn tu tlist.

Andy
