I am in the midst of troubleshooting a VPN between a Checkpoint (R80.10) and a Palo Alto firewall. This site-to-site tunnel is configured to use a certificate for authentication.
During the course of our troubleshooting, an unknown bug was identified in the Palo Alto firewall, due to which it has to be the initiator of the tunnel till the time a fix is available. The issue pops up whenever Checkpoint becomes the initiator instead, and the Palo Alto firewall stops responding.
Now, coming to the requirement: is there a way I can force Checkpoint to always be just the responder in a VPN tunnel? I am not talking about a DPD responder, but at the level of negotiation. Basically, at any point in time, I do not want Checkpoint to initiate a request to bring up the VPN, either due to inactivity or idle timeout.