Appendix

Configuring specific settings for each VPN Community

By default, many global VPN settings you configure in SmartConsole (in Global properties) apply to all managed Security Gateways.

You can override these global settings for a specific VPN Community:

  • The life sign interval (life_sign_interval), which is the time interval, in seconds, between life sign packets.

  • Maximum number of concurrent Internet Key Exchange (IKE) negotiations that occur at the same time.

Procedure

  1. Connect to the command line on the Management Server.

  2. Log in to the Expert mode.

  3. On a Multi-Domain Server, go to the context of the Multi-Domain Server itself:

    mdsenv

  4. Back up the current configuration file:

  5. Edit the current configuration file.

    • On a Security Management Server:

      vi $FWDIR/conf/vpn_conf.xml

    • On a Multi-Domain Server:

      vi $MDS_FWDIR/conf/vpn_conf.xml

  6. Configure these settings:

    • The VPN community name

    • The parameter name

    • The parameter value (if you do not specify this value explicitly, the default value is used).

  7. Save the changes in the file and exit the editor.

  8. In SmartConsole, install the Access Control policy on the applicable Security Gateways that participate in the VPN communities you configured in this file.

Parameters

Parameter: life_sign_timeout
  Values: Range 5-3600 sec; Default 40 sec
  Description: Controls the Dead Peer Detection (DPD) timeout in a VPN community.

Parameter: life_sign_transmitter_interval
  Values: Range 5-60 sec; Default 10 sec
  Description: Controls the Dead Peer Detection (DPD) transmission interval in a VPN community.

Parameter: max_negotiations
  Values: Range 1-1000; Default 1000
  Description: Controls the maximum number of concurrent IKE negotiations in a VPN community. This helps VPN Gateways cope with a boot-storm over slow WAN links. After a new IKE / IPsec (IKEv1 or IKEv2) negotiation starts with a VPN peer, the VPN Gateway allows or denies it, based on the configured threshold.
  Note - IKE informational packets (for example, DPD) are not counted as a negotiation.

Example 1 - Dead Peer Detection (DPD) parameters

    <?xml version="1.0"?>
    <vpn_conf>
      <community name="VPNcomm1" life_sign_timeout="17" life_sign_transmitter_interval="8"></community>
      <community name="VPNcomm2" life_sign_transmitter_interval="10"></community>
    </vpn_conf>

Example 2 - Maximum IKE negotiations

    <?xml version="1.0"?>
    <vpn_conf>
      <community name="VPNcomm1" max_negotiations="10"></community>
      <community name="VPNcomm2" max_negotiations="20"></community>
    </vpn_conf>
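A typo or out-of-range value in vpn_conf.xml is easy to miss before step 8 installs the policy. The following checker, an added example and not a Check Point tool, validates the file against the ranges and defaults in the parameter table above, using a constructed sample with one deliberately out-of-range value; the function and sample names are the example's own.

```python
import xml.etree.ElementTree as ET

# Allowed range and default per parameter (from the table above; life_sign_* in seconds).
PARAMS = {
    "life_sign_timeout": (5, 3600, 40),
    "life_sign_transmitter_interval": (5, 60, 10),
    "max_negotiations": (1, 1000, 1000),
}

# Constructed sample file content; VPNcomm2 deliberately exceeds the documented range.
SAMPLE_XML = """<?xml version="1.0"?>
<vpn_conf>
  <community name="VPNcomm1" life_sign_timeout="17" life_sign_transmitter_interval="8"></community>
  <community name="VPNcomm2" max_negotiations="5000"></community>
</vpn_conf>
"""

def check_vpn_conf(xml_text):
    """Return (settings, errors) for the text of a vpn_conf.xml file.
    settings: {community: {param: int}} holding only explicitly set parameters;
    errors: one message per attribute that violates the documented format."""
    settings, errors = {}, []
    root = ET.fromstring(xml_text)
    if root.tag != "vpn_conf":
        return settings, ["root element must be <vpn_conf>, got <%s>" % root.tag]
    for comm in root.findall("community"):
        name = comm.get("name")
        if not name:
            errors.append("<community> element without a name attribute")
            continue
        params = {}
        for attr, raw in comm.attrib.items():
            if attr == "name":
                continue
            if attr not in PARAMS:
                errors.append("%s: unknown parameter '%s'" % (name, attr))
                continue
            low, high, _default = PARAMS[attr]
            # Reject non-integers and anything outside the documented range.
            if not raw.isdigit() or not low <= int(raw) <= high:
                errors.append("%s: %s='%s' is not an integer in range %d-%d" % (name, attr, raw, low, high))
                continue
            params[attr] = int(raw)
        settings[name] = params
    return settings, errors

def effective_settings(settings):
    """Fill in the documented default for every parameter a community leaves unset."""
    return {name: {p: s.get(p, PARAMS[p][2]) for p in PARAMS} for name, s in settings.items()}
```

Run it against the real file with `check_vpn_conf(open("/path/to/vpn_conf.xml").read())` and fix every reported error before installing the policy.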