The New Quantum DDoS Protector
Integration with Playblocks
Keep Your Networking Peers Happy
With Secure SD-WAN
Infinity Events Improvements
Help us with the Short-Term Roadmap
Secure the GenAI Revolution!
The All-New GenAI Security from Check Point
CheckMates Toolbox Contest 2024
Make Your Submission for a Chance to WIN up to $300 Gift Card!
CheckMates Go:
Harmony Endpoint -- What's New and Deployment
When you say "ID" do you mean Proxy-ID (subnets/domains) or IKE Peer ID?
By default Palo Alto uses route-based VPNs and will propose a universal tunnel (0.0.0.0/0, 0.0.0.0/0 - one tunnel per gateway pair) in IKE Phase 2, although they can be configured to mimic a domain-based VPNs and propose specific subnets similar to "pair of subnets" on the Check Point side. Whether you are using an unnumbered or numbered VTI doesn't affect the Proxy-ID negotiation, at least to my knowledge.
Using IKEv1 I presume? IKEv2 has had some rather nasty interoperability issues, the most prominent of which was tunnel narrowing.
Another line of inquiry would be if the tunnel being initiated in one direction or another is affecting the stability. So for example if the Palo initiates the tunnel it is stable, but when the Check Point initiates the tunnel it is not.
Also check the obvious things like making sure the Phase 1 & Phase 2 timers match, the Palo is not configured for a data lifesize, idle timer, or anything else that could bring down the tunnel prematurely which can affect stability.
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY
