Check Point VPN-1/FireWall-1

Configuring an Extranet

AERAsec Network Services and Security GmbH


Platform:  any platform for Check Point VPN-1 NG below R55
Product: Check Point Next Generation FP2 up to NG AI R54
Please be aware that NG and NG AI are no longer supported by Check Point.
Please upgrade to a supported version like NGX R65 or R70!
Problem: Some problems seem to be associated with the configuration of an Extranet. Following the points mentioned below helps to configure an Extranet without major problems.

The Extranet Feature has been supported up to version NG AI R54 only


First of all, obtain the necessary license. To find out whether your license supports the Extranet feature, type at the prompt of the Management Server
  cplic print
The feature EMI must show up.

Using Check Point NG on both sides of the Extranet is essential.
Configuring an Extranet takes several steps and requires NG AI R54 as the highest version. One step after the other:

- Define your Firewall to be used as an Extranet-Gateway by selecting Manage > Network Objects > Check Point > New > Gateway from the menu.

  • Give the new object a unique name, a color and a comment.
  • Define the Topology by "Get Topology"
  • Edit every NIC, go to the Tab Topology and define the IP-Addresses behind this Interface
  • Configure Anti-Spoofing (at least at the External Interface, necessary for Extranet!)
  • Don't forget to define your VPN Domain. The objects you will export later have to be inside this VPN-Domain.
  • Go to VPN and configure IKE, at least "IKE Defaults", so that an IKE-Certificate is generated for this Firewall. Be sure your Firewall supports "Public Key Signatures" for IKE.
  • At Extranet select "Extranet Enabled Gateway". If this is greyed out, your license doesn't support the Extranet Feature. 
    If this point doesn't show up, you are using NG AI R55.
  • For the rest of the options, just select the things you need.

- If you have a distributed installation, go to the object describing your Management-Server and select the VPN tab. If there is no certificate for IKE, you will have to create one. You can do this by clicking "Add". Then, give it a nickname, select a CA (e.g. internal_CA) and generate it.

- Start a new rulebase in Traditional Mode (!). Extranet won't work with "Simplified Setup" for VPN. You can easily find out which mode is enabled: if it's the simplified mode (not working with Extranet), the column "IF VIA" shows up in the rulebase.

- Don't define any object from your partner's network, not even the Firewall (!).

- Start to define your part of the Extranet by going to Manage > VPN Communities > Extranet > MyExtranet. You will have to edit this point.

- If you want, you can change the name. Give it a color and a comment.

- Go to "Exported Objects" and select the objects (Servers, Networks or IP-Ranges) you want to export, so your partner can import them afterwards.

- Install the rulebase so that your partner can import these objects later. Your partner has to perform the same steps. Once this is done, everything is prepared for the definition of the partner's properties.

- Create a rulebase which accepts the service "FW1_Exnet_PK" (18262/tcp) and "FW1_Exnet_resolve" (18263/tcp) from and to your Management-Module and Firewall.

- Go to General of your Extranet-object. The button "New Partner" will allow you to define your partner for this Extranet. Give it a name and a comment.

- Then, you will have to use "Import Partner Identity" to get the Extranet-fingerprint from your partner. Remember, this is your partner's Management-Module.

- If the connection with service "FW1_Exnet_PK" is ok, you will get the fingerprint from your partner. Please be sure to get the right one. You will find the fingerprint of your own Management-Module in the Policy Editor under Policy > Global Properties > Extranet Management Interface. So please compare them out-of-band.

- After this, your partner is defined completely and you can start to import his objects by going to "Imported Objects". Be sure, the service "FW1_Exnet_resolve" is accepted on both sides.

- Click "Import Partners Objects", you will find them in a new window. Once you approve this, the import is complete.

- Then, the IKE-Properties for the Extranet need to be defined. Be sure, your partner uses the same parameters. After having done this, your Extranet is completely defined.

- What's missing? Yes, the rulebase, of course. Select "Add Extranet Groups..." for Source and Destination, the service you want and "Encrypt". The last point has to be configured correctly at both sides of the VPN.

- After having installed the rulebase, you are able to test the Extranet-VPN. The log should look like the example given.
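
Three points in the procedure above can be checked by script before and during setup: the EMI license feature, reachability of the two Extranet services, and the out-of-band fingerprint comparison. The following Python code is an added example, not part of the original page and not Check Point tooling. The function names, the sample `cplic print` text and the fingerprint words are assumptions constructed for illustration.

```python
import re
import socket

# Service names and ports as given in the procedure above.
EXTRANET_SERVICES = {"FW1_Exnet_PK": 18262, "FW1_Exnet_resolve": 18263}

# Constructed stand-in for saved `cplic print` output; the real layout may differ.
SAMPLE_CPLIC = "192.0.2.10  never  CONSTRUCTED-A EMI CONSTRUCTED-B\n"


def license_has_emi(cplic_output):
    """True if EMI appears as a whole token (assumed way the feature is listed)."""
    return re.search(r"(?<![A-Za-z0-9])EMI(?![A-Za-z0-9])", cplic_output) is not None


def fingerprints_match(imported, out_of_band):
    """Compare two fingerprint strings, ignoring case and spacing differences."""
    a = " ".join(imported.upper().split())
    b = " ".join(out_of_band.upper().split())
    return bool(a) and a == b  # an empty value never counts as a match


def unreachable_services(host, timeout=3.0):
    """Names of the Extranet services whose TCP port on host cannot be reached."""
    failed = []
    for name, port in EXTRANET_SERVICES.items():
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError:  # refused, timed out, or host not resolvable
            failed.append(name)
    return failed


def extranet_checks(cplic_output, imported_fp, out_of_band_fp, partner_mgmt=None):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not license_has_emi(cplic_output):
        problems.append("license: EMI not listed by cplic print")
    if not fingerprints_match(imported_fp, out_of_band_fp):
        problems.append("fingerprint: imported value differs from out-of-band value")
    if partner_mgmt:  # network test only when a partner address is supplied
        for name in unreachable_services(partner_mgmt):
            problems.append("network: %s not reachable on %s" % (name, partner_mgmt))
    return problems


if __name__ == "__main__":
    # Placeholder fingerprint words, constructed for this example.
    print(extranet_checks(SAMPLE_CPLIC, "alpha bravo charlie", "ALPHA BRAVO CHARLIE"))
```

Pass the address of the partner's Management-Module as `partner_mgmt` to include the port test; a failure there points at the rule accepting the two Extranet services on either side.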


No warranty at all, your Feedback is welcome!
© 2003-2014 AERAsec Network Services and Security GmbH, last change 2009-04-16