Connecting Spokes

Connect VNET

  1. Navigate to your Virtual WAN > in the left tree, select Virtual network connections.

  2. Click Add connection.

  3. Fill in all the necessary fields and click Create.

Configure Client-to-Site VPN

To configure Client-to-site VPN for CloudGuard Network Security in vWAN Hub, follow these steps:

  1. Configure a new user in SmartConsole (the Check Point GUI application used to manage a Check Point environment: configure Security Policies, configure devices, monitor products and events, install updates, and so on):

    1. In SmartConsole, at the top right, click New > More > User/Identity > User.

    2. Create a new user with Check Point Password.

    3. Add the user to the all_users group.

  2. Configure each of the NVA (Network Virtual Appliance, a resource deployed in Azure's Virtual Hub that includes Security Gateways and other networking infrastructure) Security Gateways:

    1. In SmartConsole > Security Gateway (the dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources) > General Properties, select the IPSec VPN blade to enable it.

    2. Configure VPN Domain in the Security Gateway properties > Network Management > VPN Domain.

      Add the objects that are part of the VPN domain.

    3. Configure Statically NATed IP in the Security Gateway properties > IPSec VPN > Link Selection.

      Enter the NVA public IP address in the Statically NATed IP field.

    4. Allocate an Office Mode IP range in the Security Gateway properties > VPN Clients > Office Mode. Client IP addresses are assigned from this range.

  3. Create a new Network Group that contains the Office Mode IP address ranges.

  4. Configure the Remote Access VPN Community: In SmartConsole > Object Categories on the right > VPN Communities > RemoteAccess, add the Participating Gateways.

  5. Configure Security and NAT Policy:

    1. Configure the Access Control rules.

    2. Configure NAT rules.

      Note - If the LocalGatewayInternal and LocalGatewayExternal host objects do not exist, refer to Creating Dynamic Objects 'LocalGatewayExternal' and 'LocalGatewayInternal' to create them.

  6. Follow the procedure in sk103440 - How to force Remote Access VPN Client to resolve DNS name of VPN Site at every connection.

  7. Configure Traffic Manager.

    1. From the Azure Portal, search for Traffic Manager profiles.

    2. Create a new Traffic Manager Profile.

    3. Set the Routing method to Geographic or Performance, and set the health probe port to TCP 443.

    4. Add each CloudGuard Network Security Gateway as an external endpoint.

      1. In the Name field, add the NVA machine name.

      2. In the Fully-Qualified Domain Name (FQDN) or IP, add the public IP of the related NVA Instance (Security Gateway).

      3. In Location, select the NVA region.

      4. Enable health check.

    5. Wait until the Monitor status changes from Checking Endpoint to Online.

  8. Configure Remote Access VPN Client.

    1. Get the DNS Name from the Traffic Manager Profile overview.

    2. Open the Check Point Endpoint Security client and create a new site, using the DNS name as the address (without the http:// prefix).

    3. In the Site Wizard, select vpn (default) as the preferred login option.

    4. Select Username and Password as the Authentication Method and click Finish to create the site.
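Step 7 relies on Traffic Manager marking each Security Gateway Online only when its probe on TCP 443 succeeds. The following Python script, added here as an example and not part of the CloudGuard documentation or any Check Point tool, reproduces that TCP check from an operator's machine so you can verify the gateways answer on the probe port before clients depend on the profile's DNS name. The endpoint names, regions and loopback listeners are constructed for the example; with real NVA public IPs, leave the per-endpoint port unset so the profile port (443) is used.

```python
import socket
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional

# Endpoint monitor statuses as Traffic Manager reports them.
ONLINE = "Online"
DEGRADED = "Degraded"


@dataclass
class Endpoint:
    name: str                   # NVA machine name, as entered in the profile
    address: str                # public IP (or FQDN) of the NVA instance
    location: str               # Azure region of the NVA
    port: Optional[int] = None  # per-endpoint override; None = profile probe port


def probe_tcp(address: str, port: int, timeout: float = 3.0) -> bool:
    """A TCP probe only needs the three-way handshake to complete."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_endpoints(endpoints: List[Endpoint], probe_port: int = 443,
                    timeout: float = 3.0) -> Dict[str, str]:
    """Probe every endpoint once and map its name to Online or Degraded."""
    return {
        ep.name: ONLINE if probe_tcp(ep.address, ep.port or probe_port, timeout) else DEGRADED
        for ep in endpoints
    }


def profile_ready(statuses: Dict[str, str]) -> bool:
    """True when every endpoint in the profile is Online."""
    return bool(statuses) and all(s == ONLINE for s in statuses.values())


# --- constructed stand-ins so the script runs offline -----------------------

def start_local_listener():
    """Loopback listener that accepts and closes connections, standing in for a
    gateway whose portal answers on the probe port. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def reserve_closed_port() -> int:
    """Find a loopback port nothing listens on (stand-in for a gateway that is
    down or not listening on the probe port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, up_port = start_local_listener()
    # Constructed endpoints: both point at loopback instead of real NVA public IPs.
    endpoints = [
        Endpoint("nva-weu-1", "127.0.0.1", "West Europe", port=up_port),
        Endpoint("nva-eus-1", "127.0.0.1", "East US", port=reserve_closed_port()),
    ]
    statuses = probe_endpoints(endpoints)
    for name, status in statuses.items():
        print(f"{name}: {status}")
    print("profile ready:", profile_ready(statuses))
    srv.close()
```

A gateway that shows Degraded here will also be taken out of the Traffic Manager rotation, so clients resolving the profile's DNS name (step 8) are only sent to gateways whose portal port actually answers.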

For more information on the Remote Access solution, refer to the Remote Access VPN R81.20 Administration Guide.

Connect Branch

Configure Site-to-Site VPN from branch office to Azure VPN Gateway

On Azure side:

  1. Navigate to your hub and select VPN (Site to site) > Create VPN gateway.

  2. Select the required scale units and click Create.

  3. After the VPN Gateway is created, click VPN (Site to site) > Create new VPN site.

  4. Enter the VPN site details:

    1. Select the applicable region.

    2. Give the site a name.

    3. Type checkpoint for the device vendor.

    4. Keep the address space empty.


  5. Enter the links details:

    1. Link name.

    2. Link speed.

    3. Link provider name - checkpoint.

    4. Link IP - The public IP of the connecting Gateway.

    5. Link BGP address - The BGP address you give to the connecting Gateway.

    6. Link ASN (Autonomous System Number, the number used for BGP) - The ASN that the connecting Gateway uses.

  6. Click Review + create to complete the setup.

  7. Connect the VPN site:

    1. Navigate to the VPN (Site to site) window.

    2. Click on the X (if present) to remove the Connected to this hub filter.

    3. Select the VPN site you created in the previous step.

    4. Click Connect VPN sites.

    5. In the menu that opens, enter a password for the VPN on the management site.

    6. Click Connect.

  8. Open SmartConsole and configure the Security Gateway that connects to the VPN based on the steps in Site to Site VPN R81 Administration Guide > Getting Started with Site-to-Site VPN.

On Security Management R81.10 and lower

Follow the instructions in sk176249 - How to configure IPsec VPN tunnel between Check Point Security Gateway and Azure vWAN.

On Security Management R81.20 and higher

  1. Connect to the Security Management with SmartConsole.

  2. Add a new Data Center object (a virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores, collected in a group for secured remote storage, management, and distribution of data):

    1. In the objects pane, click New.

    2. Select: New > Cloud > Data Center > Microsoft Azure.

  3. Fill in the related details.

    Note - A Service Principal or Azure AD credentials are needed.

  4. Right-click the new object and select Import.

    Search for the new VPN Gateway and click the plus sign.

  5. Publish the changes.

  6. Add the two VPN Gateways to the VPN community and click OK.

  7. Install policy.

BGP configuration for on-premises server

After the VPN tunnels are established, we recommend configuring a route map to control which BGP routes are imported and exported.

Configuration example in clish:

set routemap im_azure id 10 on

set routemap ex_azure id 10 on

set bgp external remote-as 65515 import-routemap im_azure preference 10 on

set bgp external remote-as 65515 export-routemap ex_azure preference 10 on

You can customize the route maps to control which routes are advertised to, or accepted from, the Azure side.

For example, to advertise direct routes, run this command in clish:

set routemap ex_azure id 10 match protocol direct

Important - When working with BGP, we recommend that you do not hide the internal network behind the on-premises Gateway (Source NAT), because it can cause traffic issues.

Note - For the corresponding BGP configuration on the NVA side, see the NVA BGP configuration reference.
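To see what a route map such as the one above actually lets through, the following Python model, added here as an example and not part of the CloudGuard documentation or of Gaia itself, evaluates route-map entries against a constructed routing table and renders them as clish commands in the form shown above. It assumes Gaia semantics in which a route that matches no entry is dropped, and the "match network <prefix> all|exact" clause used for the import map is recalled from the Gaia routing reference rather than taken from this page, so verify it against your release. The prefixes and the remote AS 65515 are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class Route:
    prefix: str     # e.g. "10.10.0.0/24"
    protocol: str   # "direct", "static", "bgp", ... as the gateway classifies it


@dataclass
class RouteMapEntry:
    """One 'set routemap <name> id <id> ...' entry. Entries only permit here; a
    route that matches no entry is dropped (implicit deny, assumed)."""
    id: int
    match_protocol: Optional[str] = None   # match protocol <direct|static|bgp|...>
    match_network: Optional[str] = None    # match network <net>/<len> <mode> (assumed syntax)
    network_mode: str = "all"              # "all": prefix or any subnet; "exact": identical

    def matches(self, route: Route) -> bool:
        if self.match_protocol and route.protocol != self.match_protocol:
            return False
        if self.match_network:
            want = ip_network(self.match_network)
            have = ip_network(route.prefix)
            if have.version != want.version:
                return False
            if self.network_mode == "exact":
                return have == want
            return have.subnet_of(want)
        return True


def apply_routemap(entries: List[RouteMapEntry], routes: List[Route]) -> List[str]:
    """Prefixes that survive the route map; unmatched routes are filtered out."""
    ordered = sorted(entries, key=lambda e: e.id)
    return [r.prefix for r in routes if any(e.matches(r) for e in ordered)]


def to_clish(name: str, entries: List[RouteMapEntry], remote_as: int,
             direction: str) -> List[str]:
    """Render the entries as Gaia clish commands in the form used on this page.
    direction is "import" or "export"."""
    if direction not in ("import", "export"):
        raise ValueError("direction must be 'import' or 'export'")
    lines = []
    for e in sorted(entries, key=lambda e: e.id):
        base = f"set routemap {name} id {e.id}"
        lines.append(f"{base} on")
        if e.match_protocol:
            lines.append(f"{base} match protocol {e.match_protocol}")
        if e.match_network:  # assumed Gaia syntax; verify on your release
            lines.append(f"{base} match network {e.match_network} {e.network_mode}")
    lines.append(f"set bgp external remote-as {remote_as} "
                 f"{direction}-routemap {name} preference 10 on")
    return lines


if __name__ == "__main__":
    # Constructed on-premises routing table: two connected networks, a static
    # default route, and a prefix already learned from the Azure hub over BGP.
    onprem = [Route("10.10.0.0/24", "direct"), Route("10.10.1.0/24", "direct"),
              Route("0.0.0.0/0", "static"), Route("10.0.0.0/16", "bgp")]
    # Export map from the page: only directly connected networks are advertised,
    # so neither the default route nor Azure's own prefix is sent back to the hub.
    ex_azure = [RouteMapEntry(id=10, match_protocol="direct")]
    print("advertised:", apply_routemap(ex_azure, onprem))
    # Import map: accept only prefixes inside 10.0.0.0/8 from the hub, which
    # rejects an unexpected default route or foreign prefix learned via BGP.
    received = [Route("10.0.0.0/16", "bgp"), Route("0.0.0.0/0", "bgp"),
                Route("192.168.5.0/24", "bgp")]
    im_azure = [RouteMapEntry(id=10, match_network="10.0.0.0/8")]
    print("accepted:", apply_routemap(im_azure, received))
    for line in to_clish("ex_azure", ex_azure, 65515, "export") + \
                to_clish("im_azure", im_azure, 65515, "import"):
        print(line)
```

Running the model before committing the clish commands shows which prefixes each side will learn; a route map that accidentally matches the BGP-learned or default route would re-advertise it into the hub, which is the kind of mistake this check surfaces.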

Disconnect

Disconnect VNET

  1. Navigate to your Virtual WAN > in the left tree, select Virtual network connections.

  2. Click the three dots next to the VNET you want to remove > click Delete virtual network connection.

  3. Type yes to confirm and click Delete.

Disconnect Branch

Use these steps to disconnect a branch:

  1. Navigate to your vWAN > select Hubs > select the related Hub > select VPN (Site to Site).

  2. Select the branch to disconnect.

  3. Click Disconnect VPN sites.

Deleting the NVA

To remove an NVA, navigate to the resource group in which the managed application was deployed, select the NVA you want to remove, and click Delete.

Deleting the Virtual Hub

Navigate to the Virtual WAN and select the hub from the overview screen.

Note - Before you remove the virtual hub, make sure no routes in the route tables are related to the virtual hub. If there are routes in one of the route tables, remove them.

To remove the virtual hub, navigate to the virtual hub resource and click Delete.

Deleting Virtual WAN

Before you remove the Virtual WAN, make sure that no NVAs or routes remain in it and that all the virtual hubs have been removed.

To remove the Virtual WAN, navigate to the resource and click Delete.