RemoteUser
Advisor

Question about VPN S2S Permanent Tunnel

Hi Mates,
Simple question here:
Is the permanent tunnel feature for a site-to-site VPN enabled via GuiDBEdit, or am I missing something?


0 Kudos
13 Replies
the_rock
MVP Diamond
MVP Diamond

Hey brother,

No need, just enable it via tunnel management in community settings in smart console.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
RemoteUser
Advisor

But I remembered that sometimes I saw it done in GuiDBEdit as well. Under what circumstances should this be done?

0 Kudos
the_rock
MVP Diamond
MVP Diamond

I believe ever since R80.30 or R80.40, it's enabled automatically in guidbedit once you set it as permanent tunnel.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
RemoteUser
Advisor

OK, thank you brother, I'll double check also with TAC.

the_rock
MVP Diamond
MVP Diamond

Sure thing, though I'm fairly positive that's the case.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Tal_Paz-Fridman
MVP Platinum CHKP

0 Kudos
PhoneBoy
Admin
Admin

In R81, DPD became the default (i.e. not something you have to enable with guidbedit), as mentioned in Scenario 5 here: https://support.checkpoint.com/results/sk/sk108600 
Not sure if this applies if the management was upgraded from a pre-R81 release or not.

In any case, you still have to enable "Permanent Tunnels" in the relevant VPN community.

0 Kudos
RemoteUser
Advisor

Reading the admin guide here: https://sc1.checkpoint.com/documents/R82.10/WebAdminGuides/EN/CP_R82.10_SitetoSiteVPN_AdminGuide/Con...

It appears that a Permanent Tunnel can only be established when both peers in the site-to-site VPN are Check Point gateways.

In cases where the peer is a non-Check Point gateway, it is necessary to enable DPD (Permanent Tunnel via DPD). From what I understand, this configuration seems to require enabling it through GuiDBEdit.

Insight from the guide:

Permanent Tunnels can only be established between Check Point Security Gateways.
Dead Peer Detection (DPD) is a different method to test if VPN tunnels are active. Dead Peer Detection does support third-party Security Gateways and supports permanent tunnels with interoperable devices based on IKEv1/IKEv2 DPD (IKEv1 DPD is based on RFC 3706).

To enable DPD monitoring:

On each VPN gateway in the VPN community, configure the tunnel_keepalive_method property, in Database Tool (GuiDBEdit Tool) or dbedit (see skI3301). This includes third-party gateways. (You cannot configure different monitor mechanisms for the same gateway).

In Database Tool (GuiDBEdit Tool), go to Network Objects > network_objects > <Name of Security Gateways object> > VPN.

For the Value, select a permanent tunnel mode.

Save all the changes.

Install the Access Control Policy.

0 Kudos
the_rock
MVP Diamond
MVP Diamond

It's true that's what it says, but in reality, it works fine with any other vendor and no need to change anything in guidbedit once you enable permanent tunnel setting.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
RemoteUser
Advisor

Hey, bro,
So why does the administrative guide mention it? I don't get it.

0 Kudos
Gil_Frantsus
Employee
Employee

Hello,

We have updated the Site-to-Site VPN Admin Guide, removed the GuiDBedit instructions and added a note: 

 Starting in R81.20, when you create the interoperable device object for the 3rd Party VPN gateway, DPD is automatically set as the permanent tunnel method.


Thank you for your feedback.

RemoteUser
Advisor

Hi @Gil_Frantsus thank you!

0 Kudos
PhoneBoy
Admin
Admin

Sounds like an area where the documentation might need to be updated.
Tagging @Sergei_Shir 

0 Kudos
