---
title: "FortiGate"
slug: "configuring-perimeter-site-to-site-with-fortigate-devices"
updated: 2026-04-21T12:49:47Z
published: 2026-04-21T12:49:47Z
canonical: "support.perimeter81.com/configuring-perimeter-site-to-site-with-fortigate-devices"
stale: true
---


# FortiGate


## Introduction

This guide helps you establish a Site-to-Site VPN tunnel between your Check Point SASE network and your FortiGate Devices environment.

**Breakdown of topics**

1. [Pre-requisites](/docs/configuring-perimeter-site-to-site-with-fortigate-devices#prerequisites)
2. [Configuration Steps](/docs/configuring-perimeter-site-to-site-with-fortigate-devices#configuration-steps)
3. [Verifying the Setup](/docs/configuring-perimeter-site-to-site-with-fortigate-devices#verifying-the-setup)
4. [Troubleshooting](/docs/configuring-perimeter-site-to-site-with-fortigate-devices#troubleshooting)
5. [Support Contacts](/docs/configuring-perimeter-site-to-site-with-fortigate-devices#support-contacts)

## Pre-requisites

To successfully follow this guide, ensure that:

1. You have an active Check Point SASE account and network.
2. The Check Point SASE app is installed on your devices.
3. You have access to an active FortiGate Devices account with administrative permissions.

## Configuration Steps

1. Under **Network** in the **Management Platform** on the left side, select the name of the network in which you'd like to set the tunnel.
2. Locate the desired gateway, and select the three-dotted menu (...).![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/1(14).png)
3. Select **Add Tunnel** and then **IPSec Site-2-Site Tunnel**.
4. In the **General Settings** section, specify these:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/SpecifiedSubnets.PNG)
  - **Name:** Enter a name for the tunnel.
  - **Shared Secret:** Enter a string or select **Generate**.
  - **Public IP:** Enter the public IP address of the FortiGate device.
  - **Remote ID:** Enter the remote ID of the FortiGate device.
  - **Check Point SASE Gateway Proposal Subnets:** By default, this value is 10.XXX.0.0/16. Do not set this value to any.
  - **Remote Gateway Proposal Subnets:** Select **Specified Subnets** and enter the local LAN subnets.
5. In the **Advanced Settings** section, specify these:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/KeyExchangeMethod521(1).PNG)
  - **IKE Version:** V2
  - **Key Exchange Method:** ecp521  
Leave the rest of the fields with the default values (as shown in the image).

## Configuring the tunnel in the FortiGate Management Interface

1. Open the FortiGate **Management Interface**.
2. In the left panel, select **VPN**, then **IPsec Tunnels**, and select **Create New**.![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/4(5).png)
3. In the **VPN Creation Wizard** window, set the **Name** to **Check Point SASE** (or any other name you desire), set the **Template Type** to **Custom**, and select **Next**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/VPNConnectionWizard.png)
4. Fill in the following information:  
**Network Section:**
  - **IP Version:** IPv4
  - **Remote Gateway:** Static IP Address
  - **IP Address:** Insert the public IP of the location server
  - **Interface:** select your WAN interface
  - **Mode Config:** unchecked
  - **NAT Traversal:** Disable

**Important:** For Enhanced Networks (CV4), set NAT Traversal to Enable. The tunnel does not connect when NAT Traversal is disabled.

**Note:** For Standard Networks (CV3), enable NAT Traversal only when the device sits behind NAT.

- **Dead Peer Detection:** On-Demand

**Note about NAT Traversal:** In rare cases the tunnel stops responding while still displaying itself as up and running on both sides; we found that changing NAT Traversal to Enabled can resolve it.

**Authentication section:**

- **Method:** Pre-shared Key
- **Pre-shared Key:** Insert the Shared Key you chose in Step 1
- **IKE Version:** 2
- **Mode:** Main (ID protection)

**Phase 1 Proposal section:**

- **Encryption:** AES256
- **Authentication:** SHA256
- **Diffie-Hellman Group:** 21
- **Key Lifetime (seconds):** 28800
- **Local ID:** leave blank
- **XAUTH Section:** leave disabled

**Phase 2 Selectors (+Advanced) section:**

- **Name:** Check Point SASE
- **Local Address:** Your local network subnet
- **Remote Address:** Check Point SASE network subnet, usually 10.255.0.0/255.255.0.0
- **Enable Replay Detection:** Unchecked
- **Enable Perfect Forward Secrecy (PFS):** Checked
- **Diffie-Hellman Group:** 21
- **Encryption:** AES256
- **Authentication:** SHA256
- **Local Port:** Checked
- **Remote Port:** Checked
- **Protocol:** Checked
- **Key Lifetime:** Seconds
- **Seconds:** 3600

## Configuring firewall and static routing

Add static routes in both directions through the VPN tunnel gateway: from the Check Point SASE subnet (10.XXX.0.0/16) to the local network, and from the local network to the Check Point SASE subnet (10.XXX.0.0/16).![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/6(4).png)

### Creating a static route

1. Go to **Network** -> **Routing** -> **Static Routes** -> **Create new** -> **Route**.![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/7(5).png)
2. Set **Destination** to **10.XXX.0.0/16** and the **Device**: Check Point SASE (or any other name you chose for the tunnel).
3. Click **OK**.

### Creating a firewall policy

To enable traffic from the Check Point SASE subnet (10.255.0.0/16) to the local network, create a firewall policy.

1. Go to **Policy & Objects** > **IPv4 Policy**.
2. Click **Create New**.
3. Configure the policy with the following settings:
  - **Name:** Check Point SASE
  - **Incoming Interface:** Check Point SASE
  - **Outgoing Interface:** Your local network object
  - **Source:** All
  - **Destination:** All
  - **Schedule:** Always
  - **Service:** All
  - **NAT:** Disabled  
Leave any additional settings at their default values.
4. Click **OK**.

## Verifying the Setup

1. In the FortiGate Management Interface, go to **VPN** > **IPSec Tunnels**. If the tunnel is up, the entry appears in the table. ![IPSec tunnel status in FortiGate](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/8(2).png)
2. After you complete the steps, the tunnel is active.
3. To verify the status, go to the Check Point SASE dashboard. Locate the tunnel and check the status.
4. The status shows **Up** when the connection is successful.
5. Next, connect to the network using the Check Point SASE agent and access a local resource.

## Troubleshooting

If issues occur during or after setup, review all configuration values. Check the IP addresses and other entered details. Contact support if the issue persists.
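
One way to review the values side by side, as an added example (not Check Point or Fortinet code): a Python check that compares the non-secret settings from both consoles and lists the mismatches this guide's settings rule out. The dictionary keys, the sample LAN subnet and the DH names other than ecp521 are assumptions of this example; the values are transcribed by hand from each UI.

```python
import ipaddress

# SASE "Key Exchange Method" name -> FortiGate Diffie-Hellman group number
# (IANA IKEv2 group IDs). The guide uses ecp521, i.e. group 21.
DH_GROUP = {"modp2048": 14, "ecp256": 19, "ecp384": 20, "ecp521": 21}


def nets(values):
    """Normalise subnets so 10.255.0.0/255.255.0.0 equals 10.255.0.0/16.
    Raises ValueError on a malformed entry or one with host bits set."""
    return {ipaddress.ip_network(v) for v in values}


def check_tunnel(sase, forti):
    """Compare hand-transcribed settings; return a list of mismatches.
    Dictionary keys are hypothetical names chosen for this example."""
    problems = []
    if sase["ike_version"].lstrip("Vv") != str(forti["ike_version"]):
        problems.append("ike_version differs")
    group = DH_GROUP.get(sase["key_exchange"])
    for key in ("phase1_dh_group", "phase2_dh_group"):
        if forti[key] != group:
            problems.append(f"{key} {forti[key]} does not match {sase['key_exchange']}")
    sase_side, lan_side = nets(sase["gateway_subnets"]), nets(sase["remote_subnets"])
    if any(n.prefixlen == 0 for n in sase_side):
        problems.append("SASE gateway proposal is set to any")
    if sase_side != nets(forti["phase2_remote"]):
        problems.append("phase2_remote does not mirror the SASE gateway subnets")
    if lan_side != nets(forti["phase2_local"]):
        problems.append("phase2_local does not mirror the SASE remote subnets")
    if not sase_side <= nets(forti["static_routes"]):
        problems.append("no static route for the SASE subnet")
    if sase["network_type"] == "CV4" and not forti["nat_traversal"]:
        problems.append("CV4 network needs NAT Traversal enabled")
    return problems


# Constructed sample values (the LAN subnet is made up for illustration).
SASE = {"network_type": "CV4", "ike_version": "V2", "key_exchange": "ecp521",
        "gateway_subnets": ["10.255.0.0/16"], "remote_subnets": ["192.168.10.0/24"]}
FORTI = {"ike_version": 2, "phase1_dh_group": 21, "phase2_dh_group": 20,
         "phase2_local": ["192.168.10.0/24"],
         "phase2_remote": ["10.255.0.0/255.255.0.0"],
         "static_routes": ["10.255.0.0/16"], "nat_traversal": False}

if __name__ == "__main__":
    for line in check_tunnel(SASE, FORTI):
        print("MISMATCH:", line)
```

The pre-shared key is deliberately left out of the comparison so it never has to be pasted into a script or file.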

## Support Contacts

If you need help, contact the Check Point SASE support team. Use the chat on [sase.checkpoint.com](https://www.sase.checkpoint.com/) or email [sase-support@checkpoint.com](mailto:sase-support@checkpoint.com).
