Appendix

Configuring specific settings for each VPN Community

By default, many global VPN settings you configure in SmartConsole (in Global properties) apply to all managed Security Gateways.

You can override these global settings for a specific VPN Community:

  • Time interval, in seconds, for sending life sign packets.

  • Maximum number of concurrent Internet Key Exchange (IKE) negotiations.

Procedure

  1. Back up the Security Management Server / applicable Domain Management Server.

    Refer to:

  2. Close all SmartConsole windows.

    Note - To make sure there are no active sessions, run the "cpstat mg" command in the Expert mode on the Security Management Server / in the context of each Domain Management Server.

  3. Connect with the Database Tool (GuiDBEdit Tool) to the Security Management Server / applicable Domain Management Server.

  4. In the upper left pane, click Tables > Managed Objects > Communities.

  5. In the upper right pane, select the applicable VPN Community.

  6. Press CTRL+F (or click Search > Find).

  7. Enter the name of the applicable attribute.

    See the summary table below.

  8. Click Find Next.

  9. In the lower pane, right click the attribute name.

  10. Select Edit.

  11. Configure the applicable value.

  12. Click OK.

  13. Save the changes. Click File > Save All.

  14. Close the Database Tool (GuiDBEdit Tool).

  15. Connect with SmartConsole to the Security Management Server or the applicable Domain Management Server.

  16. Install the Access Control policy on all Security Gateways and Cluster objects that participate in this VPN Community.

Attributes

VPN Feature: Dead Peer Detection (DPD)

  Attribute: life_sign_timeout
  Valid Values: Range: 5-3600 sec. Default: 40 sec.
  Description: Controls the DPD timeout in a VPN Community.

  Attribute: life_sign_transmitter_interval
  Valid Values: Range: 5-600 sec. Default: 10 sec.
  Description: Controls the DPD transmission interval in a VPN Community.

  Attribute: override_global_settings_for_life_sign_intervals
  Valid Values: true, false. Default: false.
  Description: Overrides the global settings for life sign intervals.

VPN Feature: IKE Negotiations

  Attribute: max_negotiations
  Valid Values: Range: 1-10000. Default: 10000.
  Description: Controls the number of concurrent IKE negotiations in a VPN Community. This helps VPN Gateways cope with a boot storm over slow WAN links. After a new IKE/IPsec (IKEv1 or IKEv2) negotiation starts with a VPN peer, the VPN Gateway allows or denies it based on the configured threshold.
  Note - IKE informational packets (for example, DPD) are not counted as negotiations.

  Attribute: override_max_concurrent_ike_negotiation
  Valid Values: true, false. Default: false.
  Description: Overrides the maximum number of concurrent IKE negotiations per community.
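A pre-flight check for a planned change set, added here as an example and not Check Point's own code: it validates each value against the ranges in the table above before you open GuiDBEdit. It assumes (not stated on this page) that a value is only effective when its matching override_* flag is true, and that the DPD transmit interval must be shorter than the DPD timeout.

```python
# Added example, not Check Point code. Encodes the attribute table above
# so a planned GuiDBEdit change set can be checked before editing the database.
# Assumptions: a value takes effect only when its override_* flag is true;
# the DPD transmit interval must be shorter than the DPD timeout.

# Documented attributes: name -> (valid values, default)
ATTRIBUTES = {
    "life_sign_timeout": ((5, 3600), 40),
    "life_sign_transmitter_interval": ((5, 600), 10),
    "override_global_settings_for_life_sign_intervals": ((True, False), False),
    "max_negotiations": ((1, 10000), 10000),
    "override_max_concurrent_ike_negotiation": ((True, False), False),
}

# Assumed pairing: which override flag governs which value attribute.
OVERRIDE_FOR = {
    "life_sign_timeout": "override_global_settings_for_life_sign_intervals",
    "life_sign_transmitter_interval": "override_global_settings_for_life_sign_intervals",
    "max_negotiations": "override_max_concurrent_ike_negotiation",
}


def _is_int(value):
    # bool is a subclass of int in Python; keep true/false out of numeric ranges.
    return isinstance(value, int) and not isinstance(value, bool)


def check_change_set(changes):
    """Return a list of problems in a planned {attribute: value} change set."""
    problems = []
    for name, value in changes.items():
        if name not in ATTRIBUTES:
            problems.append(f"{name}: not a documented community attribute")
            continue
        valid, _default = ATTRIBUTES[name]
        if valid == (True, False):
            if not isinstance(value, bool):
                problems.append(f"{name}: must be true or false")
        elif not _is_int(value) or not valid[0] <= value <= valid[1]:
            problems.append(f"{name}: {value!r} outside range {valid[0]}-{valid[1]}")
    # A value set without its override flag is silently ignored (assumption).
    for name, flag in OVERRIDE_FOR.items():
        if name in changes and changes.get(flag) is not True:
            problems.append(f"{name}: set {flag} to true or the value is ignored")
    # Transmitting life signs less often than the timeout makes DPD useless.
    timeout = changes.get("life_sign_timeout", ATTRIBUTES["life_sign_timeout"][1])
    interval = changes.get("life_sign_transmitter_interval", 10)
    if _is_int(timeout) and _is_int(interval) and interval >= timeout:
        problems.append("life_sign_transmitter_interval must be shorter than life_sign_timeout")
    return problems
```

Call check_change_set() with the attribute names and values you intend to enter in steps 7 and 11; an empty list means the plan is consistent with the table.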