Perry_McGrew
Collaborator

MEP configuration hints for failover P2P VPN to non-Check Point Gateway.

@PhoneBoy pointed me to MEP, so I have started reading the documentation. I wanted to ask if anyone has set this up and can provide hints or describe issues encountered.

All our Check Point devices are R82 JHF12.

We have several small satellite sites that use CP 3200s that currently have P2P VPN connections to our 5800 in the Corporate Datacenter (Hub & Spoke). The satellite sites use public Spectrum / FiOS connections, and each site has a static public IP. No routing protocols are run on these CP 3200s. All CP GWs are centrally managed from our virtualized CP Mgt server in the Corp datacenter.

We are setting up a DRaaS site with our service provider. The service provider uses a Fortinet FW (I presume it's a virtual appliance, and I don't know much else about it yet).

So, the scenario is: if the Corp Datacenter is "down", these CP 3200 satellite sites need to fail over their P2P VPN connection to the DRaaS / Fortinet firewall until the Corp Datacenter is back online, and then fail back.

A side note I need to study: since the CP Mgt server is in our Corp Datacenter, which will be unavailable during a disaster, would this pose a problem for these CP 3200s? Also, we do NOT use any CP end-user VPN clients; we transitioned to Cloudflare's Zero Trust for secure device access from PCs not on any corporate networks.

TIA 

0 Kudos
2 Replies
PhoneBoy
Admin

Where the management being down is an issue is validating the CRL as part of the VPN (assuming you're using ICA certificates).
There may be other issues, but that's one that came to mind.

0 Kudos
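The CRL dependency PhoneBoy describes can be seen with nothing but OpenSSL. The script below is an added example for this thread, not Check Point code and not taken from any post: a toy "ICA" issues a gateway certificate and a CRL, validation with CRL checking passes while the CRL is inside its validity window, and the very same certificate is rejected once nextUpdate has passed and no fresh CRL can be fetched (the management server is "down"). The names demo-ica and gw-3200 are invented, the one-second CRL lifetime exists only to make the expiry observable, and Check Point's own CRL caching and grace handling are not modelled; this shows only the underlying X.509 mechanism.

```shell
#!/bin/sh
# Added example: not Check Point code, not from any CheckMates post.
# Reproduces the "management unreachable -> CRL cannot be refreshed" failure
# with plain OpenSSL. Names (demo-ica, gw-3200) are invented for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained OpenSSL config so the example does not depend on /etc/ssl.
cat > ica.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ica
prompt             = no
[ req_dn ]
CN = placeholder
[ v3_ica ]
basicConstraints     = critical, CA:true
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = ica
[ ica ]
database         = index.txt
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 30
EOF
: > index.txt
echo 1000 > crlnumber

# Toy ICA root and a gateway certificate it signed (stand-ins for the ICA and a 3200).
openssl req -config ica.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout ica.key -out ica.crt -subj "/CN=demo-ica" 2>/dev/null
openssl req -config ica.cnf -newkey rsa:2048 -nodes \
  -keyout gw.key -out gw.csr -subj "/CN=gw-3200" 2>/dev/null
openssl x509 -req -in gw.csr -CA ica.crt -CAkey ica.key -CAcreateserial \
  -days 365 -sha256 -out gw.crt 2>/dev/null

# issue_crl SECONDS: publish a CRL whose nextUpdate is SECONDS from now.
# (A real ICA CRL lives much longer; one second just makes expiry observable.)
issue_crl() {
  openssl ca -config ica.cnf -keyfile ica.key -cert ica.crt \
    -gencrl -crlsec "$1" -out ica.crl 2>/dev/null
}

# verify_gw_cert: 0 if gw.crt validates with mandatory CRL checking, 1 if not.
# This is the peer-side check that has nothing to fall back on when the CRL
# distribution point (the management server) is unreachable.
verify_gw_cert() {
  if openssl verify -crl_check -CAfile ica.crt -CRLfile ica.crl gw.crt >/dev/null 2>&1
  then return 0; else return 1; fi
}

# crl_next_update: print the CRL's nextUpdate timestamp for the operator.
crl_next_update() {
  openssl crl -in ica.crl -noout -nextupdate | sed 's/^nextUpdate=//'
}

# 1. Management reachable: fresh CRL, the gateway certificate is accepted.
issue_crl 3600
FRESH_RESULT=$(verify_gw_cert && echo accepted || echo rejected)
echo "fresh CRL (nextUpdate $(crl_next_update)): certificate $FRESH_RESULT"

# 2. Management unreachable past nextUpdate: the cached CRL expires and cannot
#    be refreshed, so the unchanged certificate is now rejected.
issue_crl 1
sleep 2
STALE_RESULT=$(verify_gw_cert && echo accepted || echo rejected)
echo "stale CRL (nextUpdate $(crl_next_update)): certificate $STALE_RESULT"
```

The point for the DR design is the second step: the certificate, the key and the peer are all unchanged, only the freshness of the revocation data differs, so whatever the gateways are allowed to do with a stale CRL while the management server is unreachable decides whether the certificate-based tunnel to the DR site can come up at all.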
Perry_McGrew
Collaborator

Slogging through the setup. Defined the Fortigate as an interoperable device, added it as a center GW to each remote site VPN Community, and set the manual MEP priority list (Datacenter 1st priority, Fortigate 2nd priority).

Two things are still not clear.

- No VPN domain is defined on the Fortigate, as the VPN domain currently defined behind the Datacenter 5800 would be up behind the Fortigate in the event that the Datacenter was down.

- Phase 1 / Phase 2 definitions on the satellite 3200s. Can the IKE SAs be different for the 2 center GWs? I'd like to use SHA256 for the Data Integrity to the Fortigate vs the legacy SHA1 defined to the corporate Datacenter. I have looked at the "Override Encryption Settings for Externally Managed Gateways" option. It allows me to set the Fortigate Phase 1 to AES-256 / SHA256. For Phase 2, I can set it to AES-GCM-256, but it will not allow me to choose Phase 2 Data Integrity (greyed out, showing SHA384). PFS is NOT used anywhere.

0 Kudos
