the worlds gone mad

we've lost the hope we had

Posted on 27 July 2021   11 min read

Virtual Tunnel Interface (VTI) VPN

vti ipsec vpn between asa and asr

Over the years I have built numerous IPsec VPNs on ASAs using crypto maps and an ACL for the interesting traffic. For a simple solution to join small sites with no need for routing, these work great and keep the complexity down to a minimum. For more complex environments or cloud connectivity you are probably going to need to use VTIs. This post goes through the process of building VTI VPNs between an ASR and ASA.


Posted on 13 August 2019   7 min read

Checkpoint Endpoint Security VPNs

remote access VPN on checkpoints


Posted on 13 January 2018   7 min read

Checkpoint Identity Awareness

identity awareness to identify users

The 3 main elements that run identity awareness under the hood are Active Directory Query (ADQ), PDP and PEP. They all intertwine in some way to allow the different blades of the Checkpoint to track and restrict access based on AD user and machine name. I tested these features as part of a POC and personally I would not consider them fit for purpose in a production environment. See the caveats at the end of the post for more details on this.


Posted on 13 January 2018   1 min read

Deleting Checkpoint Logs

cleaning up checkpoint logs

The directories that need to be emptied to delete all the logs on the Checkpoint managers.


Posted on 12 August 2017   3 min read

Checkpoint Portals

functions of all the checkpoint portals

All Checkpoint portals are configured under the Gateway properties.
The IP address of the portal must be the IP of an interface on the Checkpoint (loopback or physical).
You can either use a different IP for each portal or the same IP for all portals. All portals with the same IP address use the same certificate.


Posted on 29 July 2017   2 min read

Checkpoint Database and Policy

checkpoint policy deployment and rollback

The Checkpoint database holds the network objects whereas the policy is how those objects are used.


Posted on 14 July 2017   8 min read

Checkpoint Gateway and Managers

how to setup checkpoint environment

Checkpoint Firewalls are not zone-based firewalls, so they have a different type of policy compared to ASA and Juniper. A typical build consists of Security Gateways managed by a centralised Management Server using the Checkpoint Smart Dashboard software. Firewall policies are created and managed on the management server and pushed to the security gateway.