Yes, i mean alot has been possible to do with special tweaks but more stuff are alot easier now within GUI so its on the right path :) I will make more vpn videos including some labs where i can show stuff like the monitoring and vpn debug and such.

Hehe, I did leave my suggestion for topic to late so I will not be presenting anything at CPX. I will attend as normal user :) Hopefully it will be in person next time, if they ask I will try to have some presentation :)

your welcome! :)

Hi, maybe you seen the CCSA playlist here on KZbin, that’s a good pick. If not I would recommend Checkmate community where they have checkpoint 4 beginners :)

community.checkpoint.com/t5/Check-Point-for-Beginners-2-0/bg-p/check-point-for-beginners-2-0

Thanks!

Yes thats correct, sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/Route-Based-VPN.htm OBS: VTI VSX Support was added in R81 Maestro first have support for VTI in R81.10

@@MagnusHolmberg-NetSec Hello, Magnus. Do you plan to develop content for HTTPS INSPECTION? Or do you have any reference SK for this topic, for R80.xx?

It will not work and you will need to use NAT and put the nat within the vpn domain instead. This is also something you need to think about in regards to routing in general, one ip prefix can only be sent one direction so to say.

Check this one out :) sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/Route-Based-VPN.htm Am not sure of the diff as VTI has not been supported for VSX before so never used it in production. (Wanted to have it for a long time)

A pure guess (I may be totally wrong) Is that unnumbered VTI saves you IP addresses as it uses the excising interfaces. And the number one requires additional IP. But on the other hand it makes it easier then to have multiple ISP and build the tunnels from an extra ip that is not depending on the link networks to the ISP

Thank you for your quick feedback Magnus. Anyway, I already read the admin guide, but like other admin guides it doesn't never answer to "why" but to "how to". What i supposed about unnumbered is related to software/hardware limitation in such scenarios. For example with some azure setup for me was mandatory to configure a unnumbered, that i proxied to a loopback interface.

@@checkpointerXL ye, check point normally have 10 ways to build stuff and they don’t really recommend any specific setup. But as I said, I haven’t used VTI in production so can give a good answer on why / how. As it’s now supported in VSX in later versions, I guess I need to learn soon enough ;)

Hi, I have not made and configuration or tshoot video for vpn yet :) So the VPN stuff will be 3-4 videos more

Have had a few issue with strange behavior to cloud “fluffy stuff” where we needed to flip to Ikev2 for IPv4, strange stuff like packet drops etc. Also regarding NAT-T

@@MagnusHolmberg-NetSec Thanks for feedback , for information we are already in IKEV2

I will make a video about it, but not with BGP. The reason for it is that am running the BGP in routers infront of the check point boxes onprem. For the simple reason i work for an ISP and its just easier to have the BGP there as i never having multiple ISP in my setups.

Link select for vpn yes, that need to be your external interface if that what you want to start the VPN from.

@@MagnusHolmberg-NetSec Great your video really help me alot!