---
title: "Cisco Firepower"
slug: "cisco-firepower"
updated: 2026-04-07T09:02:13Z
published: 2026-04-07T09:02:13Z
canonical: "support.perimeter81.com/cisco-firepower"
stale: true
---

# Cisco Firepower

## Introduction

This guide shows how to set up a route-based IPsec Site-to-Site VPN tunnel between the Check Point SASE network and a Cisco Firepower device managed through Firepower Device Manager.

### **Breakdown of topics**

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

## Pre-requisites

1. Check Point SASE Administrator Portal account and a configured network.
2. Make sure you have installed the Check Point SASE Agent on your device.
3. Active and licensed Cisco Firepower device with necessary administrative permissions.

## Configuring IPsec Tunnel

To configure the IPsec tunnel on the Check Point SASE side:

1. Log in to the Check Point SASE Administrator Portal.
2. Click **Networks**.
3. Select the network from which you want to create the tunnel to the Cisco Firepower.
4. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740646773942.png) and select **Add Tunnel**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740632200650.png)
5. Select **IPSec Site-2-Site Tunnel** and click **Continue**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740632258947.png)
6. Select **Single Tunnel** and click **Continue**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740632309808.png)
7. In the **General Settings** section, enter these:
  - **Name**: Enter a name for the tunnel.
  - **Shared Secret**: Enter a string or click **Generate**. Prefer **Generate**; this pre-shared key authenticates both peers and must be entered identically on the Firepower later.
  - **Public IP**: Enter the public IP of the Firepower device.
  - **Remote ID**: Enter the remote ID of the Firepower device. This is the same as the Public IP unless the device is behind NAT; in that case use the IP of the "outside" interface on the Firepower. The Remote ID must match the identity the Firepower presents during IKE_AUTH, otherwise authentication fails.
  - **Check Point SASE Gateway Proposal Subnets**: Leave **Any (0.0.0.0/0)** selected.
  - **Remote Gateway Proposal Subnets**: Leave **Any (0.0.0.0/0)** selected. With a route-based (VTI) tunnel, the routes you add below decide which traffic enters the tunnel, not these proposal subnets.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/GeneralSet_KeyExchange(3).PNG)
8. In the **Advanced Settings** section, specify these:
  - **IKE Version**: V2
  - **IKE Lifetime**: 8h
  - **Tunnel Lifetime**: 1h
  - **Dead Peer Detection Delay**: 10s
  - **Dead Peer Detection Timeout**: 30s
  - **Phase 1:**
    - **Encryption (Phase 1)**: aes256
    - **Integrity (Phase 1)**: sha256
    - **Key Exchange Method**: modp2048
  - **Phase 2:**
    - **Encryption (Phase 2)**: aes256
    - **Integrity (Phase 2)**: sha256
    - **Key Exchange Method**: modp2048  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Zyxel_V2_2048(2).PNG)
9. On your network, click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740646773942.png) and select **Routes Table**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740632667525.png)
10. Click **Add Route**.  
The **Add Route** window appears.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740632840557.png)
11. Verify the field values.
12. Click **Add Route**.
13. Click **Apply Configuration**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740632970714.png)

## Configuring the Tunnel in Cisco Firepower

1. Log in to your Cisco Firepower web console (Firepower Device Manager).
2. Select your device.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740633056783.png)
3. Find your **Site-to-Site VPN** configuration and click **View Configuration**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740633093452.png)
4. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740633156294.png) to create a Site-to-Site Connection.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740633131689.png)
5. Specify these:
  1. In the **Connection Profile Name** field, enter a name for your connection.
  2. In the **Type** section, select **Route Based (VTI)**.
  3. Expand **Local VPN Access Interface**, and click **Create new Virtual Tunnel Interface**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740633271208.png)  
The **Create Virtual Tunnel Interface** window appears.
6. Enter a name for your VTI adapter, for example, harmony_sase_vti.
7. Turn on the **Status** toggle button.
8. Enter a Tunnel ID.
9. Set the source to your outside interface.
10. Set the IP and Subnet Mask to **169.254.2.122 / 255.255.255.252**. This is a link-local /30 used only for the tunnel endpoints; the other usable address, 169.254.2.121, becomes the static route gateway later.
11. Click **OK**.
12. From the **Create Virtual Tunnel Interface** list, select the newly created VTI object.
13. In the **Remote IP Address** field, enter your Check Point SASE gateway IP address (found in your Check Point SASE Admin Panel).  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740633782049.png)
14. Click **Next**.
15. Make sure **IKE VERSION 2** is enabled (and IKEv1 is disabled, to match the V2 setting on the Check Point SASE side).
16. In the **IKE Policy** section, for **Globally applied**, click **Edit**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740634584078.png)
17. Create a new policy with settings that match the Phase 1 settings on the Check Point SASE side. Specify these:
  - **Priority**
  - **Name**
  - **State**: Enable
  - **Encryption**: AES256
  - **Diffie-Hellman Group**: 14 (the IANA number for modp2048)
  - **Integrity Hash**: SHA256
  - **Pseudo Random Function (PRF) Hash**: SHA256
  - **Lifetime**: 28800 (seconds, equal to the 8h IKE Lifetime on the Check Point SASE side)  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740634792930.png)
18. Click **OK**.
19. Click **Edit by IPSec Proposal**.
20. Click **Create new IPSec Proposal**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740634876221.png)
21. Specify these:
  - **Name**
  - **Encryption**: AES256
  - **Integrity Hash**: SHA256  
  Note: Select the Encryption and Integrity Hash to match the Phase 2 settings on the Check Point SASE side.
22. Click **OK**.
23. In the **Authentication Type** section, select **Pre-shared Manual Key**.
24. In the **Local Pre-shared Key** and **Remote Peer Pre-shared Key** fields, enter the Pre-shared Key that you created on the Check Point SASE portal.
25. In the **Lifetime Duration** field, enter **3600** (seconds, equal to the 1h Tunnel Lifetime on the Check Point SASE side).
26. In the **Diffie-Hellman Group for Perfect Forward Secrecy** field, enter **14** (matching the Phase 2 Key Exchange Method, modp2048).  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740635408260.png)
27. Click **Next**.
28. Click **Finish**.
29. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740636490671.png) to deploy changes to apply the new tunnel.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740635487499.png)

## Configuring the Static Route in the Cisco Firepower

1. Select your device.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740635586876.png)
2. In the **Routing** section, click **View Configuration**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740635603411.png)
3. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740633156294.png) to add a new static route.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740635654681.png)The **Add Static Route** window appears.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740635696663.png)
4. In the **Name** field, enter a name for your static route.
5. In the **Description** field, enter a description.
6. From the **Interface** list, select the VTI you created in step 6 of [Configuring the Tunnel in the Cisco Firepower](/v1/docs/cisco-firepower#configuring-the-tunnel-in-the-cisco-firepower).
7. In the **Networks** section, click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740635880344.png).
8. Click **Create new Network**.  
The **Add Network Object** window appears.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740635993159.png)
9. Specify these:
  - **Name**. For example, *harmony_sase_network*
  - **Description**
  - **Type**: Network
  - **Network**: 10.255.0.0/16 *(default)*. This is the Check Point SASE network range; if you changed it in the Admin Portal, enter your actual range so the route only covers SASE traffic.
10. Click **OK**.
11. In the **Networks** section, click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740635880344.png).
12. Select the object you just created.
13. In the **Gateway** section, click **Create new Network Object**.  
The **Add Network Object** window appears.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740636204066.png)
14. Specify these:
  - **Name**. For example, *harmony_sase_vti_gateway*
  - **Description**
  - **Type**: Host
  - **Network**: 169.254.2.121 (*the corresponding side of your VTI adapter*, that is, the other usable address in the 169.254.2.120/30 you assigned to the VTI)
15. Click **OK**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740636384509.png)The new route is added.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740636442444.png)
16. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740636490671.png) to deploy changes to apply the new route.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740636467655.png)
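
Most failures with this tunnel come from the two sides not describing the same proposal: the Check Point SASE portal takes lifetimes in hours and the DH group as `modp2048`, while Firepower Device Manager takes lifetimes in seconds and the DH group as IANA number 14, and the static route gateway must be the other usable address of the VTI /30. The following Python is an added example, not part of this guide and not a Check Point or Cisco tool. It encodes the values entered in the tunnel, IKE policy, IPsec proposal, VTI and static route steps above (the dictionary keys are illustrative, not vendor API fields) and reports any mismatch before you deploy.

```python
"""Consistency check for the Check Point SASE <-> Cisco Firepower tunnel settings.

Added example; not part of the original guide and not a Check Point or Cisco
tool.  The dict keys below are illustrative, not vendor API fields.
"""
import ipaddress

# IANA IKEv2 Diffie-Hellman group numbers for the MODP names used by the SASE portal.
MODP_TO_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14,
                 "modp3072": 15, "modp4096": 16}

# Values entered in the SASE portal (constructed from the guide's General and
# Advanced Settings steps).
SASE_SIDE = {
    "ike_version": "V2",
    "ike_lifetime": "8h",
    "tunnel_lifetime": "1h",
    "phase1": {"encryption": "aes256", "integrity": "sha256", "dh": "modp2048"},
    "phase2": {"encryption": "aes256", "integrity": "sha256", "dh": "modp2048"},
}

# Values entered in Firepower Device Manager (constructed from the guide's
# IKE policy, IPsec proposal, VTI and static-route steps).
FIREPOWER_SIDE = {
    "ike_version": 2,
    "ike_policy": {"encryption": "AES256", "integrity": "SHA256",
                   "prf": "SHA256", "dh_group": 14, "lifetime": 28800},
    "ipsec_proposal": {"encryption": "AES256", "integrity": "SHA256"},
    "ipsec_lifetime": 3600,
    "pfs_group": 14,
    "vti_ip": "169.254.2.122",
    "vti_mask": "255.255.255.252",
    "route_gateway": "169.254.2.121",
}


def hours_to_seconds(text):
    """Convert the portal's '8h' style lifetime to the seconds FDM expects."""
    if not text.endswith("h"):
        raise ValueError(f"expected a lifetime in hours, got {text!r}")
    return int(text[:-1]) * 3600


def same_algo(a, b):
    """Compare algorithm names ignoring case and dashes (aes256 vs AES-256)."""
    return a.replace("-", "").lower() == b.replace("-", "").lower()


def check_tunnel(sase, fp):
    """Return a list of mismatches between the two sides; empty means they agree."""
    problems = []
    if sase["ike_version"] != "V2" or fp["ike_version"] != 2:
        problems.append("IKE version: both sides must be IKEv2")

    # Phase 1: SASE Phase 1 block <-> FDM IKE policy.
    p1, pol = sase["phase1"], fp["ike_policy"]
    if not same_algo(p1["encryption"], pol["encryption"]):
        problems.append("Phase 1 encryption differs")
    if not same_algo(p1["integrity"], pol["integrity"]):
        problems.append("Phase 1 integrity differs")
    if not same_algo(pol["prf"], pol["integrity"]):
        # The portal has no PRF field; FDM's PRF is set to the integrity hash.
        problems.append("IKE policy PRF should match the integrity hash")
    if MODP_TO_GROUP.get(p1["dh"]) != pol["dh_group"]:
        problems.append("Phase 1 DH group differs (modp2048 is IANA group 14)")
    # IKEv2 lifetimes are local, not negotiated; matching them avoids one side
    # rekeying much earlier than the other.
    if hours_to_seconds(sase["ike_lifetime"]) != pol["lifetime"]:
        problems.append("IKE lifetime differs")

    # Phase 2: SASE Phase 2 block <-> FDM IPsec proposal, lifetime and PFS group.
    p2, prop = sase["phase2"], fp["ipsec_proposal"]
    if not same_algo(p2["encryption"], prop["encryption"]):
        problems.append("Phase 2 encryption differs")
    if not same_algo(p2["integrity"], prop["integrity"]):
        problems.append("Phase 2 integrity differs")
    if MODP_TO_GROUP.get(p2["dh"]) != fp["pfs_group"]:
        problems.append("Phase 2 PFS DH group differs")
    if hours_to_seconds(sase["tunnel_lifetime"]) != fp["ipsec_lifetime"]:
        problems.append("IPsec (tunnel) lifetime differs")

    # VTI addressing: the static route's gateway must be the other usable
    # address of the same /30 as the Firepower VTI address.
    iface = ipaddress.ip_interface(f"{fp['vti_ip']}/{fp['vti_mask']}")
    gw = ipaddress.ip_address(fp["route_gateway"])
    if iface.network.prefixlen != 30:
        problems.append("VTI mask is not a /30 (255.255.255.252)")
    if gw == iface.ip or gw not in set(iface.network.hosts()):
        problems.append("route gateway is not the peer address of the VTI /30")
    return problems


if __name__ == "__main__":
    for line in check_tunnel(SASE_SIDE, FIREPOWER_SIDE) or ["both sides agree"]:
        print(line)
```

Run it once with the values you actually entered; an empty result means the proposals and the /30 line up. Changing `pfs_group` to 5 or the gateway to 169.254.2.123 (the broadcast address of the /30) reproduces the two mistakes most often seen in practice.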

## Configuring Firepower Policies Allowing Traffic Flow

To configure Cisco Firepower access rules that allow traffic to flow between your internal network and the Check Point SASE network:

1. Go to **Policies** and click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740636699142.png) to add a new access rule.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740636737000.png)
2. Configure either one bidirectional rule or two unidirectional rules. Scope the rule to the Check Point SASE network object rather than to Any, so the tunnel does not widen access beyond SASE traffic.  
For example, creating a single bidirectional rule:
  1. Enter an order number. Make sure this rule is not placed after a block rule that matches this traffic, because rules are evaluated in order.
  2. Enter a title. For example, harmony_sase_allow.
  3. Set your Source zones and Networks.
  4. Add an entry for inside_zone and outside_zone.
  5. Add a network entry for your harmony_sase_network object (the 10.255.0.0/16 network object created in the static route section).
  6. Repeat the same for the Destination.
3. Click **OK**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740636994234.png)  
Once you add the rule, the table should display:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740637037780.png)
4. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740636490671.png) to deploy changes to apply the new access rule.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1740636467655.png)
