Ssg vpn monitor
5/18/2023

This article describes how to configure an IPSec tunnel with two different ZIA Public Service Edges in Redundancy mode.

These instructions refer to a Check Point gateway and Management server running R80.30 or higher, using the Gaia OS with these Jumbo Hotfix Accumulators installed:

- R80.30 with Jumbo Hotfix Accumulator starting from Take 237.
- R80.40 with Jumbo Hotfix Accumulator starting from Take 119.
- R81 with Jumbo Hotfix Accumulator starting from Take 34.
- R81.10 with the latest GA Jumbo Hotfix Accumulator.

R80.30 and higher versions support the Dead Peer Detection (DPD) mechanism in the Multiple Entry Point (MEP) feature. A MEP environment has two or more Gateways, which allow protecting and enabling access to the same VPN domain. As a result, in scenarios in which the user establishes a VPN tunnel with a third-party vendor, the user can use the MEP DPD mechanism to monitor the status of a Peer Device or a Link, and to establish a VPN Tunnel with the secondary Peer or backup Link if the primary goes down.

This feature is called "VPN Redundancy" mode or "High Availability" mode by other vendors.

Note: DPD is also used for the Permanent Tunnels feature with third-party vendors.
For more information, refer to the R80.30 Site to Site VPN Administration Guide.

Topology

As depicted in the diagram above, Zscaler recommends configuring two separate VPNs with two different ZIA Public Service Edges to support High Availability. If the primary IPSec VPN tunnel, or an intermediate connection, goes down, all traffic is rerouted through the backup IPSec VPN tunnel to the backup ZIA Public Service Edge.

In order to meet these requirements, the following features must be configured on the Check Point side:

- Tunnel Monitoring - keeps a valid IKE SA and monitors whether the tunnel is up or down using DPD ("Tunnel Monitoring" AKA "Permanent Tunnels").
- High Availability - reroutes traffic from the primary tunnel to the backup tunnel (and vice versa) if the first tunnel goes down, using MEP configuration.
- Route traffic to the Internet through Zscaler - routes all traffic from the Corporate office to the Internet via the VPN with Zscaler, using a Star community.
- NAT Traversal - to address cases where the Check Point Gateway is behind a NAT device. NAT-T is activated by default (both as the initiator and as a responder of IKE negotiations).
- NULL Encryption - according to the latest published configuration doc by Zscaler.

Note: The steps that refer only to High Availability mode (MEP) are marked in red.

1. Define new network objects representing the Zscaler Edge.
1.1. In MEP, create two Interoperable Device objects - one for each Zscaler Edge.
1.2. In the 'General Properties', set the Zscaler node public IP as the Main IP of the Interoperable Device.
1.2.1. In the Topology tab, below the VPN domain section, select User-defined and select an empty group object. Follow the instructions below on how to create such an empty group:

2. In SmartConsole, create an empty Network Group to serve as a VPN domain placeholder:
2.1. Open the properties of your gateway or cluster object, navigate to Network Management > VPN Domain, select User Defined and then click the triple-dot button on the right:
2.1.1. In the dropdown, select the Network or Group that contains all relevant internal networks or objects that will be routing traffic to Zscaler.

3. Modify the Phase 2 rekeying time to 28800 on your new Interoperable Device objects.
3.1. Publish your changes, close SmartConsole, and open the GUIDBEDIT application (located in the SmartConsole directory of your SmartConsole installation).
3.2. Navigate to Network Objects > network_objects > select your Interoperable Device > locate isakmp.phase2_rekeying_time and double-click > change the value to 28800.

4. Configure the Interoperable Device objects to support DPD (Dead Peer Detection) if not already set.
4.1. Navigate to Network Objects > network_objects > select your Interoperable Device > locate tunnel_keepalive_method and double-click > select dpd from the dropdown menu and then OK > File/Save All > close GUIDBEDIT.
4.2. Open an SSH session to your Security Management Server and drop into Expert mode.
4.3. Make a backup of the file [file name not preserved in this copy] if it already exists.
4.4. Edit the file [file name not preserved in this copy] with the following stanza in order to enforce Universal Tunnels:

[configuration stanza not preserved in this copy]

Where the first IP (111.x.x.x above) is the primary Zscaler peer IP and 222.x.x.x is the secondary Zscaler peer IP.

*** NOTE: If you have multiple Zscaler locations you can list all of the peers here regardless of community. The order that the peer IPs are listed does not matter.
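The Tunnel Monitoring and High Availability requirements above interact as follows: per-peer DPD liveness decides whether traffic uses the primary or the backup Zscaler peer, and traffic returns to the primary once DPD shows it has recovered. The model below is an added illustration, not Check Point's or Zscaler's code; the miss threshold and the peer labels are assumptions.

```python
"""Illustrative model of DPD-driven MEP failover between two Zscaler peers.

Added example, not the product's implementation: it shows how Tunnel
Monitoring (DPD liveness per peer) drives High Availability (which tunnel
carries traffic), including fail-back to the primary. The threshold and
peer labels are constructed for this example.
"""
from dataclasses import dataclass, field

# Consecutive unanswered DPD probes before a peer is declared down (assumed value).
DPD_MISS_THRESHOLD = 3


@dataclass
class PeerState:
    ip: str
    missed: int = 0   # consecutive DPD probes without a reply
    up: bool = True   # permanent tunnels are assumed up until DPD says otherwise

    def dpd_result(self, answered: bool) -> None:
        """Update liveness from the outcome of one DPD exchange."""
        if answered:
            self.missed = 0
            self.up = True
        else:
            self.missed += 1
            if self.missed >= DPD_MISS_THRESHOLD:
                self.up = False


@dataclass
class MepSelector:
    primary: PeerState
    backup: PeerState
    active: str = field(init=False)

    def __post_init__(self) -> None:
        self.active = self.primary.ip

    def observe(self, peer_ip: str, answered: bool) -> str:
        """Feed one DPD result and return the peer that traffic should use now."""
        for peer in (self.primary, self.backup):
            if peer.ip == peer_ip:
                peer.dpd_result(answered)
        # Prefer the primary whenever its tunnel is up; otherwise use the backup.
        # If both are down, keep the last choice so traffic resumes on whichever recovers.
        if self.primary.up:
            self.active = self.primary.ip
        elif self.backup.up:
            self.active = self.backup.ip
        return self.active


def run_scenario(events):
    """Replay (peer_ip, answered) DPD results; return the active peer after each one."""
    sel = MepSelector(PeerState("111.x.x.x"), PeerState("222.x.x.x"))
    return [sel.observe(ip, ok) for ip, ok in events]
```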