Configuring route based VPN Checkpoint R80.10

In this post I am going to discuss how to configure a route based VPN between Checkpoint R80.10 and a Juniper firewall. This post only covers the Checkpoint side, not the Juniper side.

To configure a route based VPN there are a few things to take note of:

  • The IP address of the virtual tunnel interface used to communicate with the peer firewall on the other side
  • The VPN domain in the R80.10 console must be an empty group. If a VPN domain is configured, the VPN is treated as a domain based VPN (some call it a policy based VPN).
  • The third party firewall is to be configured as an interoperable device, with its VPN domain set to an empty group as well
  • Routing handles all site to site traffic through the tunnel

Configuration on the web portal -> look for Network Interface -> VPN Tunnel

(Screenshot: VPN-RouteBased-1)

Key in a VPN tunnel ID to distinguish the tunnel. Under VPN peer, take note that this name must be the same name that will be configured in the console later on.

(Screenshot: VPN-RouteBased-2)

The local address is the tunnel IP (a private IP), usually in the same subnet as the peer firewall's tunnel IP. The remote address is the peer IP (put the public IP of the peer firewall).

If you do not want to use a numbered interface, you may opt for an unnumbered one to avoid assigning IP addresses. However, a numbered interface is better for NAT in case of overlapping IP addresses on both sides of the tunnel. An unnumbered interface borrows the IP address of a particular physical interface.

Once the tunnel interface is created, move to the console and configure the route based VPN -> under Security Policy -> Access Tools -> VPN Communities -> create a new community, either Star or Mesh.

Key in all the necessary details -> Community Name -> the participating gateways, which are the Checkpoint and the Juniper. Set the encryption and authentication methods (they must match on both sites).

Under the Checkpoint gateway object -> set the VPN domain to an empty group.

Configure the interoperable device under the network service object and put an empty group under its VPN domain.

Finally, configure the routing on the Checkpoint gateway via clish or the WebUI.
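
As an added example (not from the original post), the same route based VPN setup done from Gaia clish instead of the web portal. The tunnel ID, tunnel IP addresses, peer name, interface name and remote subnet are assumed values; the peer name must match the interoperable device object name configured in the console.

```clish
# Numbered VTI: tunnel 1, local and remote tunnel addresses are constructed values.
# The peer name (Juniper_Peer) is assumed and must match the interoperable
# device object name in the console, as the post notes.
add vpn tunnel 1 type numbered local 10.10.10.1 remote 10.10.10.2 peer Juniper_Peer
set interface vpnt1 state on

# Alternative, unnumbered VTI that borrows the IP address of eth1 (assumed
# interface name); use this instead of the numbered form if no tunnel IPs
# are to be assigned. Numbered is preferable when NAT is needed for
# overlapping subnets.
# add vpn tunnel 2 type unnumbered peer Juniper_Peer dev eth1

# Routing carries the site to site traffic: send the remote site's subnet
# (assumed 192.168.100.0/24) via the peer's tunnel address.
add static-route 192.168.100.0/24 nexthop gateway address 10.10.10.2 on

# Persist the configuration and verify the tunnel interface and route.
save config
show interface vpnt1
show route
show vpn tunnels
```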

Cheers,

ASK


MDS backup vs Backup

Not many articles mention the real difference between the two backups, even though most of the time the guides say to run the mds_backup script instead of backup.

After consulting with TAC, the conclusion is this:

Backup will back up the OS config and the database for the entire MDS, while mds_backup will only perform the MDS backup but not the OS.

However, one thing that I noticed is that mds_backup also backs up the interfaces and their IP addresses.

The OS, in this case, covers most of the things you can see on the Web portal, which are related to OS configuration.

Cheers,

ASK
