Centrally managed HA pair over a VPN

We are running R77.30 (can't find a group for that).

We have a centrally managed pair of firewalls and are looking to deploy another pair of centrally managed Check Points, but they will be connected back to the central manager via a VPN through the existing Check Point pair, and will connect via the public IP of the remote pair.

We are able to establish SIC with them, but once we start adding rules we lose connectivity.

Is there a guide for this setup?

See the basic picture.

The issue is that your management is behind the VPN domain. When you establish SIC, you establish it with the public IP address of the management. When the site-to-site VPN is established, your pair of FWs is expecting the public IP address of the management, but it is getting the private IP address of the management (if your management has a private IP address behind the FW). If your management has a public IP address, then you can exclude that address from your VPN domain.

Managing remote firewalls through a VPN connection is not a good idea. Keep in mind that all control connections between management and gateway are already encrypted, and passing them through a VPN only serves to create headaches. In the event the VPN tunnel goes down and changes need to be made to the remote cluster to bring it back up, how will we reach the remote gateways? You may be in a scenario where someone must be onsite to reset SIC via a console connection vs. just making a change in SmartDashboard. If you wanted to get something like that to work, I believe you need to modify the implied rules and make sure the Check Point services are included in the VPN tunnel, but my 2 cents: you are asking for trouble.

I've brought up this subject before, as have others. Please check this thread to see if it answers your question or, at least, points you in the right direction: 


I am using control connections over management static NAT with a different public IP from the IP range.

Just enable Static NAT with "Allow Control Connections" checked.

It's working fine for me for control connections, logs, etc.
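Not from the thread: an added Python model of the two situations the answers above describe, namely management sitting inside the central pair's VPN domain (control traffic rides the tunnel with its private source, so the remote cluster sees an address other than its SIC peer) versus management excluded from the domain and static-NATed to the address SIC was established with. All addresses are constructed, and the rule that tunnelled traffic keeps its real source while only clear-text traffic is NATed is a simplifying assumption, not a statement of Check Point internals.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ControlPath:
    """Hypothetical model of how a remote cluster sees management control traffic."""
    vpn_domain: List[str]                      # encryption domain CIDRs of the central pair
    mgmt_real_ip: str                          # management server's real (private) address
    sic_peer_ip: str                           # address the remote cluster established SIC against
    static_nat_ip: Optional[str] = None        # Static NAT address of the management object, if any
    excluded: List[str] = field(default_factory=list)  # addresses excluded from the VPN domain


def in_vpn_domain(ip: str, path: ControlPath) -> bool:
    """True if ip is covered by the encryption domain and not explicitly excluded."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(c) for c in path.excluded):
        return False
    return any(addr in ipaddress.ip_network(c) for c in path.vpn_domain)


def address_seen_by_remote(path: ControlPath) -> str:
    # Assumption: a source inside the encryption domain is carried through the
    # site-to-site tunnel unchanged; NAT is applied only to traffic sent in the clear.
    if in_vpn_domain(path.mgmt_real_ip, path):
        return path.mgmt_real_ip
    return path.static_nat_ip or path.mgmt_real_ip


def diagnose(path: ControlPath) -> Tuple[str, str]:
    """Return (verdict, source address the remote cluster will see)."""
    seen = address_seen_by_remote(path)
    if seen == path.sic_peer_ip:
        return ("ok", seen)
    if in_vpn_domain(path.mgmt_real_ip, path):
        return ("mgmt-inside-vpn-domain", seen)   # the case described in the first answer
    return ("sic-peer-mismatch", seen)           # NAT missing or pointing at another address


if __name__ == "__main__":
    broken = ControlPath(["10.1.0.0/16"], "10.1.1.10", "203.0.113.10", "203.0.113.10")
    fixed = ControlPath(["10.1.0.0/16"], "10.1.1.10", "203.0.113.10", "203.0.113.10",
                        excluded=["10.1.1.10/32"])
    for label, p in (("broken", broken), ("fixed", fixed)):
        print(label, diagnose(p))
```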

