This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
net-harry
Collaborator
‎2019-12-17 02:27 AM

VPN between Check Point and Palo Alto - Configure passive mode

Hi,

We have an issue with a VPN tunnel to a Palo Alto firewall. The IPSec renegotiaion is sometimes initated by both peers at the same time, causing the tunnel to be down for one hour until the next renegotition.

In order to solve this we would like to set one peer in passive mode, so the other side always initiate the renegotiaion. Is this possibe to do on the Check Point VPN gateway?

We are running R77.30 on this gateway cluster.

Thanks for your help!

Harry

0 Kudos
7 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2019-12-17 02:49 AM

R77.30 is out of support since September...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
net-harry
Collaborator
‎2019-12-17 03:07 AM
In response to G_W_Albrecht

I am aware that it is out-of-support and we plan to upgrade the gateways to R80.20 soon. I would still like to know if it is possible to configure the security gateway as passive (either in R77.30 or R80.20).
Thanks for your help!
0 Kudos
_Val_
Admin
Admin
‎2019-12-17 03:38 AM
In response to net-harry

@net-harry Check Point VPN GW will try to open a tunnel whenever some traffic is being sent to the remote VPN domain.

 

Also, it is unclear to me why simultaneous negotiations should fail if both VPN peers are trying to do IKE. One of the IKE SAs should be complete and work anyway.  I would recommend looking into some mis-config on PAN side. There must be something wrong there, this is not a normal IPsec behaviour.

0 Kudos
net-harry
Collaborator
‎2019-12-17 04:29 AM
In response to _Val_

Thanks for the information! I agree that it looks like a bug on the Palo Alto side and their engineers are troubleshooting this. On Palo Alto they are able to configure passive, so I just wanted to check if this was possible on the Check Point side to. I noticed that a similar question was posted in the following thread:

https://community.checkpoint.com/t5/Access-Control-Products/Checkpoint-VPN-as-responder-only/m-p/643...

0 Kudos
_Val_
Admin
Admin
‎2019-12-17 04:38 AM
In response to net-harry

If you set PAN for passive, there is still a chance that traffic might be originated from the remote VPN site. To tackle this, set Check Point VPN GW with a permanent tunnel. This way, it will keep tunnel up, actively requesting IKE when there is no SA or the last one expired.

0 Kudos
net-harry
Collaborator
‎2019-12-17 06:05 AM
In response to _Val_

Thanks for the suggestions!

0 Kudos
_Val_
Admin
Admin
‎2019-12-17 03:36 AM
In response to G_W_Albrecht

@G_W_Albrecht, one can extend R77.30 support with additional premium on top of the support contract, if required. Also, there are other special cases where R77.30 support might be pro-longed. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events