Check Point UTM-1 Edge User Manual page 536

Adding and Editing VPN Sites
In this field... Do this...
Perfect Forward Specify whether to enable Perfect Forward Secrecy (PFS), by selecting
Secrecy one of the following:
•
•
Enabling PFS will generate a new Diffie-Hellman key during IKE Phase 2
and renew the key for each key exchange.
PFS increases security but lowers performance. It is recommended to
enable PFS only in situations where extreme security is required.
Diffie-Hellman Select the Diffie-Hellman group to use:
group
•
•
A group with more bits ensures a stronger key but lowers performance.
Renegotiate every Type the interval in seconds between IPSec SA key negotiations. This is
the IKE Phase-2 SA lifetime.
A shorter interval ensures higher security.
The default value is 3600 seconds (one hour).
522
Enabled. PFS is enabled. The Diffie-Hellman group field is
enabled.
Disabled. PFS is disabled. This is the default.
Automatic. The UTM-1 appliance automatically selects a group.
This is the default.
A specific group
Check Point UTM-1 Edge User Guide