This configuration example was taken from a Check Point UTM-1 running SecurePlatform R75. This information is not shown in the pictures below.

The Phase 2 timeout should be set to 120 seconds. The reason for this is that the Blue Coat Cloud Security Service supports Dead Peer Detection (DPD), while Check Point firewalls use a different protocol/mechanism to detect that a peer is down. If a data pod that a Check Point firewall is connected to is taken down for maintenance, the firewall will not detect that the pod is unavailable and will believe the tunnel is still established until it renegotiates Phase 2. Although 120 seconds is aggressive, it means the firewall will quickly recover if the pod it was connected to is taken down for any reason.

UPDATE - Check Point have released a hot fix that supports DPD. The hot fix from Check Point is called R75.40VS LTE. Release R77.10 and newer also contain fixes for DPD. If this fix is applied, the 120-second Phase 2 timeout is not necessary, and it is strongly recommended that Phase 2 timeout is not set to 120 seconds. Default timeout values of 3600 seconds will be sufficient.

Create an address range to include all IP addresses. This will be used when defining the destination VPN domain.

Create a simple group and add the address range defining the internet IP addresses. When defining the VPN domain it will not accept an address range, but it will accept a group.

Create a network object representing the internal subnet. In most cases this may already be created. This will be used to define the local VPN domain.
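The following is an added illustration, not code from the original post or from Check Point, of why the Phase 2 lifetime matters when the gateway cannot use DPD. It models how long a gateway keeps sending traffic into a dead tunnel after the remote data pod disappears: without DPD the only signal is the failed Phase 2 renegotiation at SA expiry, so the blackhole can last up to a full lifetime; with DPD the probes bound detection regardless of lifetime. The DPD interval and retry count are assumptions chosen for illustration, not Check Point or Blue Coat defaults, and the model ignores the few seconds a rekey attempt itself takes to time out.

```python
"""Model of tunnel blackhole time after a peer outage, with and without DPD.

Added illustration for the Check Point / Blue Coat post above; the timing
constants are assumptions, not vendor defaults.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelConfig:
    phase2_lifetime: int        # Phase 2 (IPsec SA) lifetime in seconds
    dpd_enabled: bool           # can this gateway send and evaluate DPD probes?
    dpd_interval: int = 30      # idle seconds before an R-U-THERE probe (assumption)
    dpd_retries: int = 3        # unanswered probes before the peer is declared dead (assumption)


def blackhole_seconds(cfg: TunnelConfig, sa_established_at: int, peer_down_at: int) -> int:
    """Seconds of traffic sent into a dead tunnel before the gateway notices.

    Without DPD the gateway believes the tunnel is up until the next Phase 2
    renegotiation fails, i.e. until the current SA reaches its lifetime.
    With DPD the gateway probes on its own schedule, so detection is bounded
    by dpd_interval * dpd_retries whatever the SA lifetime is.
    A failure landing exactly on a rekey boundary is treated as happening just
    after that rekey succeeded (the worst case for the next cycle).
    """
    if peer_down_at < sa_established_at:
        raise ValueError("peer cannot fail before the SA exists")
    elapsed = peer_down_at - sa_established_at
    cycles_completed = elapsed // cfg.phase2_lifetime
    next_rekey = sa_established_at + (cycles_completed + 1) * cfg.phase2_lifetime
    rekey_detect = next_rekey - peer_down_at
    if not cfg.dpd_enabled:
        return rekey_detect
    dpd_detect = cfg.dpd_interval * cfg.dpd_retries
    return min(rekey_detect, dpd_detect)


def worst_case_blackhole(cfg: TunnelConfig) -> int:
    """Upper bound on blackhole time for a configuration, independent of timing."""
    if not cfg.dpd_enabled:
        return cfg.phase2_lifetime
    return min(cfg.phase2_lifetime, cfg.dpd_interval * cfg.dpd_retries)


def compare_settings(peer_down_at: int = 600) -> dict:
    """The three situations the post describes, for a pod lost at peer_down_at.

    Keys: the gateway's Phase 2 lifetime and whether the DPD hot fix is present.
    """
    scenarios = {
        "3600s lifetime, no DPD (stock R75)": TunnelConfig(3600, dpd_enabled=False),
        "120s lifetime, no DPD (workaround)": TunnelConfig(120, dpd_enabled=False),
        "3600s lifetime, DPD hot fix": TunnelConfig(3600, dpd_enabled=True),
    }
    return {name: blackhole_seconds(cfg, 0, peer_down_at) for name, cfg in scenarios.items()}


if __name__ == "__main__":
    for name, seconds in compare_settings().items():
        print(f"{name:40s} blackhole = {seconds:5d} s")
```

Running the script shows the trade-off the post makes: the stock 3600-second lifetime can leave the tunnel black-holed for most of an hour, the 120-second workaround caps that at two minutes at the cost of constant rekeying, and once the gateway understands DPD the probes catch the outage in well under the lifetime, which is why the default 3600 seconds becomes sufficient again.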