Checkpoint VPN as responder only

Hello All,

I am in the midst of troubleshooting a VPN between a Checkpoint (R80.10) and a Palo Alto firewall. This site-to-site tunnel is configured to use certificates for authentication.

During the course of our troubleshooting, an unknown bug was identified in the Palo Alto firewall, due to which it has to be the initiator of the tunnel until a fix is available. The issue pops up whenever Checkpoint becomes the initiator instead, and the Palo Alto firewall stops responding.

Now, coming to the requirement: is there a way I can force Checkpoint to always be just the responder in a VPN tunnel? I am not talking about the DPD responder, but at the level of negotiation. Basically, at no point do I want Checkpoint to initiate a request to bring up the VPN, whether due to inactivity or an idle timeout.

4 Replies
Apologies, I did not realize that I was under the Threat Prevention forum. I did not find a way to move it to the right section either.

Admin

Don't worry, I can fix moving it to the right place. 😁

As for the question you asked, unless you've got a permanent tunnel configured, what determines whether or not the VPN connection is initiated is the initiation of traffic.
If you want to ensure the Palo side is initiating the VPN, something on that side of the connection should be generating regular traffic (e.g. ping) through the VPN.
Thanks for the fix :).

Ping was definitely an option suggested to the client. The problem is there are chances that servers behind Checkpoint can attempt to initiate traffic as part of an application automation.

The only goal I was trying to look for is whether Checkpoint could be made to never attempt to become an initiator, regardless of where the traffic comes from. For example, Palo Alto has an option within the VPN configuration called passive mode, which basically forces it not to become the initiator during the negotiation phase.

Hello,

As long as you don't initiate traffic from your side and the permanent tunnel option is not set, the VPN tunnel shouldn't come up on its own. By default, if there is no activity the tunnel will shut down.

____________
https://www.linkedin.com/in/federicomeiners/