Site-to-Site VPN: Check Point to FortiGate
Learning outcomes
Setting up interfaces
Setting up static route
Setting up IKE Gateway
Setting up encryption settings
Setting up VPN Tunnel
Setting up firewall policies
Scenario: Site-to-Site VPN between a Check Point 1530 firewall and a FortiGate VM in GNS3

Licensing our FortiGate device

First, drag a NAT node into the GNS3 workspace. When you drop it, choose GNS3 VM as the server and press OK.

Connect the FortiGate to the NAT node using port1. Make sure it is PORT 1.

Before starting the FortiGate, give it more RAM so it runs smoothly: right-click the FortiGate > Configure > change the RAM from 1024 MB to 4096 MB > Apply > OK.


Now right-click the device and press Start.

With the NAT connected, the FortiGate should pick up its license, and it should look like this. (Take a screenshot.)

If port1 did not receive an IP address, log in to the CLI and set port1 to DHCP:
Username: Admin
Password: Abc@1234
config system interface
    edit port1
        set mode dhcp
    next
end

To confirm that port1 received a DHCP address, run: show system interface (typing show system interface ? lists the available interface names).

By now the FortiGate should be licensed.
Setting up the site-to-site topology
Disconnect the FortiGate from the NAT node. Drag a webterm and a cloud node into the workspace; the cloud is what connects the lab to the Check Point.
When adding the cloud, choose ST-16 if you are doing the lab on hardware, and press OK.

Now give the webterm a static IP address: right-click the webterm > Configure > Edit under Network Configuration > remove the # in front of the static address lines. Follow the image to see the exact static address settings.


Save > Apply > OK
Now connect the webterm's eth0 to port2 of the FortiGate, then right-click the webterm > Start.
Then connect port1 of the FortiGate to eth2 of the cloud, and start the FortiGate.
Setting IP addresses on the FortiGate
Run show system interface to see the DHCP address on the port connected to the cloud (port1).
Open a browser on the webterm or on your host computer and go to the FortiGate's address, http://142.232.197.149 in my case. (Take a screenshot.)
Username: Admin
Password: Abc@1234

Logging in to the Check Point
Once the Check Point is connected and everything is right, open cmd on your host machine and run ipconfig.
You should see that your host received an IP address from the Check Point, and the default gateway shown is the Check Point's address. Then open your browser and go to that default gateway address, for example http://192.168.10.1:4434
Now complete the Check Point setup, set its IP address and your settings, then press Login.

To see the Check Point's DHCP IP address, go to Device > Internet:
Make sure you note this IP address; the FortiGate tunnel will point at it.
Assigning IP addresses to the FortiGate interfaces
Click Network > Interfaces > port1 > Manual > set the address to your DHCP address, 142.232.197.149/24 in my case > check Ping > OK

Click Network > Interfaces > port2 > Manual > set the address of the FortiGate customer site, 192.168.50.1/24 in my case > check Ping > OK

Setting up the IPsec tunnel
Click VPN > IPsec Tunnels > Create New > IPsec Tunnel > Custom > give it a name > Next > under Network, set IP Address to the Check Point's DHCP address.

In the Authentication section enter your password (the pre-shared key). MAKE SURE THE PASSWORD IS THE SAME AS ON THE CHECK POINT.

Now configure the Phase 1 Proposal. MAKE SURE YOU CHOOSE THE SAME SETTINGS ON YOUR CHECK POINT SO THEY MATCH. This is the FortiGate side of the tunnel going to your Check Point site.


Click New Phase 2 > Advanced > keep Enable Replay Detection checked > check Enable Perfect Forward Secrecy (PFS)

For the Phase 2 Proposal keep the settings as shown. MAKE SURE IT IS THE SAME AS YOUR CHECK POINT.

Setting up a static route on the FortiGate

Network > Static Routes > Create New > Destination is the Check Point site's network, Interface is your site-to-site tunnel interface > OK.
Creating the FortiGate policies
Click Policy & Objects > Firewall Policy > Create New. We need two policies, one outgoing and one incoming.
For the first policy, Incoming Interface is port2 (the port connected to the customer site) and Outgoing Interface is the site-to-site tunnel interface. For the source, destination and service fields you can use all, all, all, but it is not good practice: YOU HAVE TO CHANGE IT LATER BASED ON YOUR CONFIGURATION.

For the second policy do the opposite, from the Check Point side (tunnel interface) to the FortiGate client (port2). Again you can use all, all, all, but it is not good practice: YOU HAVE TO CHANGE IT LATER BASED ON YOUR CONFIGURATION > OK.
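As an added example (not part of the lab guide), here is the same FortiGate configuration expressed in the FortiOS CLI, so the interface, tunnel, route and policy steps above can be reviewed and reproduced in one place. The tunnel name to-checkpoint, IKEv2 with the aes256-sha256 proposal and DH group 14 on both phases, and the ALL_ICMP service are assumptions (the guide shows the real proposal only in screenshots); the Check Point's WAN address, its LAN subnet and the pre-shared key are placeholders in angle brackets to replace with your own values. The policies use address objects for the two LANs instead of the all/all/all placeholders the GUI steps start with.

```fortios
# Added example, not from the lab guide. Angle-bracket values are placeholders.
# port1 keeps the address the DHCP lease gave it; port2 is the customer LAN.
config system interface
    edit "port1"
        set mode static
        set ip 142.232.197.149 255.255.255.0
        set allowaccess ping https
    next
    edit "port2"
        set mode static
        set ip 192.168.50.1 255.255.255.0
        set allowaccess ping
    next
end
# Phase 1: peer is the Check Point's Internet (DHCP) address; the pre-shared key
# and the proposal must be identical on the Check Point VPN site (assumed values).
config vpn ipsec phase1-interface
    edit "to-checkpoint"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw <CHECKPOINT_WAN_IP>
        set psksecret <PRE_SHARED_KEY>
    next
end
# Phase 2: replay detection stays enabled, PFS enabled, selectors limited to the two LANs.
config vpn ipsec phase2-interface
    edit "to-checkpoint-p2"
        set phase1name "to-checkpoint"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set replay enable
        set src-subnet 192.168.50.0 255.255.255.0
        set dst-subnet <CHECKPOINT_LAN> 255.255.255.0
    next
end
# Static route: the Check Point LAN is reached through the tunnel interface.
config router static
    edit 0
        set dst <CHECKPOINT_LAN> 255.255.255.0
        set device "to-checkpoint"
    next
end
# Address objects so the policies do not stay at all/all/all.
config firewall address
    edit "fortigate-lan"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "checkpoint-lan"
        set subnet <CHECKPOINT_LAN> 255.255.255.0
    next
end
# One policy per direction. The guide's all/all/all version would use
# srcaddr "all", dstaddr "all" and service "ALL" instead.
config firewall policy
    edit 0
        set name "lan-to-checkpoint"
        set srcintf "port2"
        set dstintf "to-checkpoint"
        set srcaddr "fortigate-lan"
        set dstaddr "checkpoint-lan"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
        set logtraffic all
    next
    edit 0
        set name "checkpoint-to-lan"
        set srcintf "to-checkpoint"
        set dstintf "port2"
        set srcaddr "checkpoint-lan"
        set dstaddr "fortigate-lan"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
        set logtraffic all
    next
end
```

The service is limited to ALL_ICMP because the only traffic the lab sends through the tunnel is the ping test; widen it to the services your sites actually need rather than going back to ALL. Whatever proposal and DH group you choose here must be set identically on the Check Point VPN site, with perfect forward secrecy enabled on both ends, or Phase 2 will not negotiate.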

Configuring the Check Point
Log in to the Check Point and click VPN > VPN Sites > New > IP Address: the FortiGate's DHCP address > Pre-shared secret: enter the password, MAKE SURE IT IS THE SAME PASSWORD AS ON YOUR FORTIGATE DEVICE > Object Name: add the client network object for the FortiGate > Apply

NOTE: MAKE SURE THE ENCRYPTION IS THE SAME ON BOTH SIDES: THE FORTIGATE AND CHECK POINT PHASE 1 AND PHASE 2 ENCRYPTION SETTINGS MUST MATCH

AND MAKE SURE YOU CHECK "Enable perfect forward secrecy (better security, affects performance)" ON BOTH THE CHECK POINT AND THE FORTIGATE

Setting up an Access Policy on the Check Point
Access Policy > Incoming > New > Source: Any > Destination: the FortiGate's DHCP address > Service: ICMP > Action: Accept > OK
Testing
Back on the FortiGate, click IPsec Tunnels, select the tunnel and click Bring Up. It should show green and Up, meaning the tunnel works.

Now ping the Check Point IP address to verify that the VPN is working and the Check Point is reachable.
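As an added example (not part of the lab guide), the same test from the FortiGate CLI, which is useful when the GUI shows the tunnel down and you need to see why. The tunnel name to-checkpoint is an assumption and the Check Point address is a placeholder; the ping is sourced from port2's address so it falls inside the Phase 2 selectors instead of leaving from port1.

```fortios
# Added example, not from the lab guide. Replace the angle-bracket placeholder.
# Phase 1 state: "established" means the pre-shared key and Phase 1 proposal matched.
diagnose vpn ike gateway list name to-checkpoint
# Phase 2 state: look for the SA with non-zero "npu_flag"/"SA:" counters; an empty
# SA list means the Phase 2 proposal, PFS or selectors differ from the Check Point.
diagnose vpn tunnel list name to-checkpoint
# Source the ping from the customer LAN side so the packet matches the tunnel policy
# and selectors (192.168.50.1 is port2 from the guide).
execute ping-options source 192.168.50.1
execute ping <CHECKPOINT_LAN_IP>
# If the tunnel will not come up, capture the IKE negotiation, then turn debugging off.
diagnose debug application ike -1
diagnose debug enable
# ... click Bring Up in the GUI, read the mismatch reason, then:
diagnose debug disable
diagnose debug reset
```

A mismatch in the Phase 1 proposal shows up in the IKE debug as the peer rejecting the proposal before authentication; a wrong pre-shared key lets the proposal through but fails authentication; a Phase 2 selector or PFS mismatch leaves Phase 1 established with no Phase 2 SA. Reading which stage failed tells you which screen on the Check Point side to compare.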

Team:
Mohammad Jowkari
Harkamal Dhami
Ajay Rana
Trishanjeet Mutti