Configuring the Site to Site VPN Blade

In the VPN > Site to Site Blade Control page you can activate the appliance's ability to create VPN tunnels with remote sites. Site to Site VPNClosed An encrypted tunnel between two or more Security Gateways. Synonym: Site-to-Site VPN. Contractions: S2S VPN, S-to-S VPN. can connect two networks separated by the Internet through a secure encrypted VPN tunnel. This allows for seamless secure interaction between the two networks within the same organization even though they are physically distant from each other.

On this page you can activate the blade to allow site to site connectivity. You can view how many sites are already defined and configure basic access policy from the remote sites into the specific network accessible by this gateway.

The remote site can be accessible through another Check Point appliance (recommended) or a 3rd party VPN solution.

  • ZScaler

  • strongSwan (Authentication based on X.509 certificates)

Once defined, access to the remote site is determined by the incoming/internal/VPN traffic Rule BaseClosed All rules configured in a given Security Policy. Synonym: Rulebase. as seen in the Access Policy > FirewallPolicy page. This is due to the fact that the remote site's encryption domain is considered part of the organization even though traffic to it is technically outgoing to the Internet (since it is now VPN traffic). 

To enable or disable the VPN Site to Site blade:

  1. Select On or Off.

  2. Click Apply.

Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services.

A warning icon is shown if the blade is active but no VPN sites are defined. Click VPN Sites to add a VPN site or see how many VPN sites are defined. The full list of the sites is located in VPN > Site to Site VPN Sites.

To configure the default access policy from remote VPN sites:

  1. Select or clear the Allow traffic from remote sites (by default) checkbox. It is not recommended to clear this checkbox, as the remote site is usually part of your organization.

  2. Select or clear the Log remote sites traffic (by default) checkbox.

  3. Click Apply.

Local Encryption Domain

The local encryption domain defines the internal networks accessible by encrypted traffic from remote sites and networks, that traffic from them to remote sites is encrypted. By default, the local encryption domain is determined automatically by the appliance. Networks behind LAN interfaces and trusted wireless networks are part of the local encryption domain. Optionally, you can manually create a local encryption domain instead. See the VPN > Site to Site Advanced page for instructions.