Create a Post
Showing results for 
Search instead for 
Did you mean: 

Feasible Option to send specific traffic to Zscaler- From Checkpoint Gateway

Dear Team,

First question

As i checked in Zscaler Official Website they have given list which is supported Firewall device for IPSEC Tunnel so checkpoint Device not in list ,(So my first question is why checkpoint is not supportable device to build tunnel with Zscaler ) (For GRE I know that checkpoint is not supported this feature)


Secondly ,


My requirement is matching which given diagram which is not exact customer digram but its scenario found from zscaler , So, In My Client environment


GRE Tunnels from the Border Router to the ZENs

Second Diagram JPG


ISP ---> ROuter --->IPS (IN L2 Mode)-->SwitchL2-->Checkpoint Device ----> LAN SWICH AND OTHER USERS


In this requirement If Zscaler is making GRE WIth CISCO ROuter RIght so how can i pass traffic to GRE Tunnel Without NAT , Becuase From Router to CP WAN PUblic LAN Pool we are using .and presently i have configured Hide nat to forward traffic of private pool towards Internet (By router)

(Zscaler need to give reporting with Original LAN IP so they want without nat traffic)


So, i dont know if i will disable NAT so traffic will go to router side or not , and If it s done then as per standard i am doing right thing or not can you please suggest me , because outside firewall if we are publishing our local LAN it will be security bridge right .


SO What will be feasible suggestion.


Another option we are thinking is (First option which i mentioned that IPSEC Tunnel between CP to Zscaler) But in this case we need to forward only 80 and 443 port traffic so is not possible becuase as i know PBR is not supported with service based traffic forwarding


Our device in R80.10 and latest one so there is no limitation with update.




Harmesh Yadav
0 Kudos
7 Replies

If you don't NAT the GRE tunnel and it's originating from a private IP, how exactly do you expect the GRE tunnel to be established, exactly?
The traffic inside the GRE tunnel won't be NATted here.

Unless I'm misunderstanding the environment.
In which case, an annotated network diagram of the actual environment would be helpful.
0 Kudos

Can you get your ISP to route a /30 from your external range to the FW?
If so you can use that between gateway and router and use this external IP to setup the GRE tunnel.
Regards, Maarten
0 Kudos

I use a VPN tunnel for many customers for ZScaler proxy:

1) Add an VPN tunnel to ZScaler and add all internet addresses (,255,255 and exclude privat networks)
2) Exclude your private and other used networks via crypt.def and no vpn traffic rules.



HeikoAnkenbrand, what kinds of device(s) are you terminating the VPN tunnel on and how is performance?   We have tested on 1100, 1400 and 4200 with 77.20, 77.30 and 80.20 with poor performance.

0 Kudos

Do you have a more detailed procedure? I'm trying to setup a similar VPN between Checkpoint and Zscaler in order to forward 80/443 to them.
0 Kudos

Hi HeikoAnkenbrand,

Can you help to explain in more details how to successfully create the tunnel to zscaler proxy?

Here's the environment for your reference.

Example of current configuration

CheckPoint 4800 with existing 3 tunnels to AWS and azure

CheckPoint firewall VPN domain ( ,,


before migrating few server subnet to zscaler proxy via ipsec tunnel, we want to test using one IP address only. (

what is the step to create the vpn community( mostly the vpn domain for checkpoint fw since we already have vpn domain defined), interoperable device, etc


thanks in advance

0 Kudos