Magnus! Where were you when I needed this a month ago lol?!
Hope to see you around CPX 2022. They should make you a panel speaker!
Hehe,
I did leave my suggestion for a topic too late, so I will not be presenting anything at CPX.
I will attend as a normal user :)
Hopefully it will be in person next time; if they ask, I will try to have some presentation :)
Much-awaited feature comes with 80.40, didn't know until this video. Thanks a lot, you rock.
It would have been great if you could show the tunnel status, but it seems that won't be possible on the demo.
Lots of people struggle to find it.
Yes, I mean a lot has been possible to do with special tweaks, but more stuff is a lot easier now within the GUI, so it's on the right path :)
I will make more VPN videos, including some labs where I can show stuff like the monitoring and VPN debug and such.
Best Checkpoint guide ever thank you magnus.
Excellent Magnus!!! Your videos have been helping a lot.
I need your help on one issue which I've been struggling with for months. I need to decrypt the IKE messages, but I don't know how to do it in Check Point. I used to do it in Palo & Cisco. Any help on this please?
Hi! Nice video, but what do you think about configuring the user.def file?
A starred community is easier to use when some sites use DAIP; the fewer DAIP vs static IP tunnels you have, the better.
Hi Magnus, I was able to bring up the tunnel between two Check Points. I also enabled "Disable NAT" on the VPN community. But how come I can see in the logs a public IP address from the other site instead of the VPN encryption domain I defined?
Hi Magnus, I enjoyed the presentation and the configuration steps, really helpful. But I expected the troubleshooting part to be actual CLI or GUI troubleshooting.
Hi, I have not made any configuration or troubleshooting video for VPN yet :)
So the VPN stuff will be 3-4 more videos.
very helpful! thanks!
You're welcome! :)
When I tick "accept all encrypted traffic", I cannot add the VPN communities in the policy (under the VPN column). Can you please help with that? "Cannot add" means I cannot publish and install the policy.
Hi Magnus, a question about the peer IP. I just want to confirm: do I need to edit my link selection to the public IP address instead of the private management IP to make the S2S VPN work? Currently I have a public IP address facing the internet configured on my external-facing firewall.
Link selection for VPN, yes, that needs to be your external interface if that is where you want to start the VPN from.
@MagnusHolmberg-NetSec Great, your video really helped me a lot!
Hi Magnus, thanks for the video, but I am kind of new to Check Point and wanted to know if you can recommend or point me in the direction where I can get more training on Check Point. Any training videos or books?
Hi, maybe you have seen the CCSA playlist here on RUclips; that's a good pick.
If not, I would recommend
the CheckMates community, where they have Check Point for Beginners :)
community.checkpoint.com/t5/Check-Point-for-Beginners-2-0/bg-p/check-point-for-beginners-2-0
Hi Magnus, have you ever had an incident related to VPN flapping between sites behind SD-WAN (VMware solution) with dual ISPs and other non-SD-WAN sites with a single ISP?
The only solution found was to clear the SA and redo the policy push in order for the VPN to come up. For information, probing ISP is configured correctly on Check Point. Do you suspect a NAT issue? Thanks
I have had a few issues with strange behavior towards cloud "fluffy stuff" where we needed to flip to IKEv2 for IPv4, strange stuff like packet drops etc.
Also regarding NAT-T.
@MagnusHolmberg-NetSec Thanks for the feedback. For information, we are already on IKEv2.
Hello Magnus, what is the difference between numbered and unnumbered VTI? I know about proxying the VTI to a physical interface in the unnumbered configuration, but why should I choose numbered, or vice versa?
Check this one out :)
sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/Route-Based-VPN.htm
I am not sure of the difference, as VTI has not been supported for VSX before, so I have never used it in production. (Wanted to have it for a long time.)
A pure guess (I may be totally wrong)
is that unnumbered VTI saves you IP addresses, as it uses the existing interfaces, and the numbered one requires additional IPs. But on the other hand it makes it easier to have multiple ISPs and build the tunnels from an extra IP that does not depend on the link networks to the ISPs.
Thank you for your quick feedback Magnus.
Anyway, I already read the admin guide, but like other admin guides it never answers the "why", only the "how to".
What I supposed about unnumbered is related to software/hardware limitations in such scenarios. For example, with some Azure setups it was mandatory for me to configure an unnumbered VTI, which I proxied to a loopback interface.
@checkpointerXL Yeah, Check Point normally has 10 ways to build stuff and they don't really recommend any specific setup.
But as I said, I haven't used VTI in production, so I can't give a good answer on why/how.
As it's now supported in VSX in later versions, I guess I need to learn soon enough ;)
Hi Magnus, can you record a video for Azure vWAN to Check Point site-to-site VPN with BGP? Step by step. Thanks
I will make a video about it, but not with BGP.
The reason for it is that I am running BGP in routers in front of the Check Point boxes on-prem.
For the simple reason that I work for an ISP and it's just easier to have the BGP there, as I never have multiple ISPs in my setups.
Hello, Magnus.
One doubt: by default Check Point works with domain-based VPN, right?
If I would like to work with route-based VPN, do I necessarily need to create virtual interfaces for this?
Thanks for the channel content.
Regards
Yes, that's correct,
sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/Route-Based-VPN.htm
Note:
VTI VSX support was added in R81.
Maestro first has support for VTI in R81.10.
@MagnusHolmberg-NetSec
Hello, Magnus.
Do you plan to develop content for HTTPS Inspection?
Or do you have any reference SK for this topic, for R80.xx?
What happens if both of the VPN peers use the same IP block for their VPN domains ;)
It will not work, and you will need to use NAT and put the NATed range within the VPN domain instead.
This is also something you need to think about in regards to routing in general: one IP prefix can only be sent in one direction, so to say.
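The overlap problem described in the reply above can be caught before the tunnel is built. The script below is an added example (not from the video, the thread, or Check Point's own tooling): it takes each peer's encryption domain, reports prefixes that are claimed by more than one peer (which the gateway could only route toward one of them), and then re-checks the domains after one side is replaced by a static NAT pool of the same size, which is the fix the reply describes. Peer names, prefixes and the NAT pool are constructed for illustration.

```python
"""Pre-flight check for overlapping site-to-site VPN encryption domains.

Added example; peers, prefixes and NAT pool below are constructed, not
taken from any real deployment.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: HQ and Branch both use 10.10.0.0/16 internally.
PEERS = {
    "HQ-GW": ["10.10.0.0/16", "192.168.100.0/24"],
    "Branch-GW": ["10.10.0.0/16"],
    "DC-GW": ["10.20.0.0/16"],
}


def find_overlaps(peers):
    """Return (peerA, netA, peerB, netB) for every pair of prefixes that
    belong to different peers and overlap.  A prefix can only be routed
    toward one peer, so any hit makes the VPN routing ambiguous."""
    parsed = [(p, ip_network(n)) for p, nets in peers.items() for n in nets]
    hits = []
    for i, (pa, na) in enumerate(parsed):
        for pb, nb in parsed[i + 1:]:
            if pa != pb and na.overlaps(nb):
                hits.append((pa, str(na), pb, str(nb)))
    return hits


def rewrite_domain(peers, peer, real_net, nat_net):
    """Copy `peers` with `peer` advertising the static NAT pool `nat_net`
    instead of `real_net` (the NATed range is what goes into the VPN
    domain).  Refuses a pool that collides with any other peer's prefix,
    since that would only move the overlap."""
    real, nat = ip_network(real_net), ip_network(nat_net)
    if real.prefixlen != nat.prefixlen:
        raise ValueError("static NAT needs a pool of the same size")
    for other, nets in peers.items():
        if other != peer and any(nat.overlaps(ip_network(n)) for n in nets):
            raise ValueError(f"{nat_net} collides with {other}'s domain")
    new = {p: list(nets) for p, nets in peers.items()}
    new[peer] = [nat_net if n == real_net else n for n in new[peer]]
    return new


def translate(host, real_net, nat_net):
    """Static 1:1 NAT: map `host` from `real_net` to the same offset in
    `nat_net`, i.e. the address the far side will see in its logs."""
    real, nat = ip_network(real_net), ip_network(nat_net)
    addr = ip_address(host)
    if addr not in real:
        raise ValueError(f"{host} is not inside {real_net}")
    offset = int(addr) - int(real.network_address)
    return str(ip_address(int(nat.network_address) + offset))


if __name__ == "__main__":
    for hit in find_overlaps(PEERS):
        print("overlap:", hit)
    fixed = rewrite_domain(PEERS, "Branch-GW", "10.10.0.0/16", "172.16.0.0/16")
    print("after NAT:", find_overlaps(fixed))
    print("10.10.5.7 at Branch is seen by HQ as",
          translate("10.10.5.7", "10.10.0.0/16", "172.16.0.0/16"))
```

Running it flags the 10.10.0.0/16 clash between HQ-GW and Branch-GW, shows no overlaps once Branch-GW's domain is the 172.16.0.0/16 pool, and prints the NATed address HQ will log for a Branch host. The same check is worth running against the routing table on each gateway, since the "one prefix, one direction" rule applies to routes as much as to encryption domains.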
Excellent Magnus
Thanks!
How to check VPN tunnel uptime?
Awesome, Magnus, very good.
Great "how to" Magnus!