Configuration

Workflow

Step 1: Creating Azure Service Principal

Step 2: Preparing the Check Point Integration Tool (do this step only one time)

Step 3: Initializing the Azure Virtual WAN feature (do this step only one time)

Step 4: Creating a New VPN Connection (do this step only one time)

Step 5: Configuring the Settings in SmartConsole (do this step for each VPN connection)

Step 6: Verifying the VPN Configuration and Tunnels (this step is optional)

Step 7: Deleting the Existing VPN Connection (when applicable - do this step for each VPN connection)

Step 1: Creating Azure Service Principal

Follow the Microsoft Azure documentation.

The Azure Active Directory application must have at least the Contributor role on the Virtual WAN Resource Group or on the Subscription.

Step 2: Preparing the Check Point Integration Tool

Step

Description

1

Contact your Check Point local office, or Check Point Support, to get the Check Point Integration Tool for Microsoft Azure Virtual WAN (add-on package).

2

Transfer the add-on package to the Management Server.

Make sure to use the binary mode.

3

Connect to the command line on the Management Server.

4

Log in to the Expert mode.

5

Go to the location of the add-on package:

[Expert@MGMT:0]# cd /<path_to_add_on>/

6

Extract the add-on to the root partition (do not change this syntax):

[Expert@MGMT:0]# tar zxfC vwan-addon.tgz /

7

Verify:

[Expert@MGMT:0]# azure_vwan -v

8

If you use autoprovision service on this Management Server:

  1. Download and install the latest auto provisioning version again.

    See the Virtual Machine Scale Sets (VMSS) for Microsoft Azure R80.10 and above Administration Guide - Chapter Additional Information.

  2. Verify:

    [Expert@MGMT:0]# autoprov-cfg -v

Step 3: Initializing the Azure Virtual WAN feature

Step

Description

1

Connect to the command line on the Management Server.

2

Log in to the Expert mode.

3

Initialize the Azure Virtual WAN feature:

[Expert@MGMT:0]# azure_vwan init -sb "<Azure-Subscription>" -at "<Active-Directory-Tenant-ID>" -aci "<Client-ID>" -acs "<Client-Secret>"

4

Verify:

[Expert@MGMT:0]# azure_vwan show-config

Parameters:

-sb "<Azure-Subscription>"
  Description: The Azure subscription ID that deploys the CloudGuard Security Gateways.
  Example: "98e34f37-ece4-4cdc-97dc-44a074f84aff"

-at "<Active-Directory-Tenant-ID>"
  Description: The Azure directory tenant ID.
  Example: "7113cebb-911c-4122-aa5c-34db449380f7"

-aci "<Client-ID>"
  Description: The application ID.
  Example: "82fb1445-f40e-46dc-9cd3-c065e14f132b"

-acs "<Client-Secret>"
  Description: The application key.
  Note - This value is not readable in the configuration.

Important - The exact values that you select must be typed exactly when you initialize the Azure Virtual WAN feature. Make sure to write them down and enter them correctly. Otherwise, the components cannot communicate with each other.

Step 4: Creating a New VPN Connection

Step

Description

1

Make sure that no unpublished session in the management database blocks the new configuration:

  1. Connect with SmartConsole to the Management Server.

  2. From the left navigation panel, click Manage & Settings > Sessions > View Sessions.

  3. You must publish or discard all sessions for which the Changes column shows a number greater than zero.

    Right-click such a session and select Publish or Discard.

  4. Close SmartConsole.

2

Connect to the command line on the Management Server.

3

Log in to the Expert mode.

4

Add a new VPN Connection:

[Expert@MGMT:0]# azure_vwan add-connection -rg "<Resource-Group>" -wn "<vWAN-Name>" -ln "<HUB-Location-Name>" -hc "<HUB-CIDR>" -sl "<VPN-Site-Location>" -gwn "<Gateway-Object-Name>" -gwa "<Gateway-ASN>" -gwb "<Gateway-BGP-Address>"

Notes:

  • For more information, run the azure_vwan add-connection -h command.

  • For a new Virtual Hub, the process might take 45 minutes or more.

Parameters:

-rg "<Resource-Group>"
  Description: Name of the Microsoft Azure Resource Group.
  Example: "virtual_wan_RG"

-wn "<vWAN-Name>"
  Description: Name of the Virtual WAN.
  Example: "my-vwan"

-ln "<HUB-Location-Name>"
  Description: Location of the Virtual Hub and of the Virtual WAN (if it has to be created). This is the Azure Region, as provided by Microsoft Azure.
  Example: "eastus"

-hc "<HUB-CIDR>"
  Description: Address space of the Virtual Hub.
  Important - You can omit this parameter only if this Virtual Hub already exists.
  Example: "10.0.33.0/24"

-sl "<VPN-Site-Location>"
  Description: Name of the VPN Site location.
  Important - If you do not specify it explicitly, and the VPN Site does not exist, the tool uses the location of the Virtual Hub.
  Example: "eastus"

-gwn "<Gateway-Object-Name>"
  Description: The name of the on-premises Security Gateway object as defined in SmartConsole.
  Example: "branch_gw1"

-gwa "<Gateway-ASN>"
  Description: Unique Autonomous System Number for VPN purposes on the Check Point Security Gateway.
  Valid values: from 64512 to 65534.
  Important - You can omit this parameter only if this VPN Site already exists.
  Example: "65105"

-gwb "<Gateway-BGP-Address>"
  Description: BGP peering IP address on the Check Point Security Gateway.
  Important - You can omit this parameter only if this VPN Site already exists.
  Example: "169.168.254.205"

Example output of the 'azure_vwan add-connection' command:

[Expert@MyMgmt:0]# azure_vwan add-connection -rg "virtual_wan_RG" -wn "my-vwan" -ln "eastus" -gwn "branch_gw1" -hc "10.0.33.0/24" -gwa "65105" -gwb "169.168.254.205"

Microsoft Azure Virtual WAN Check Point integration tool [Version 1.01 (EA)]

Check Point Software Technologies LTD.

(c) All rights reserved.

 

 

Creating Azure Resource Group virtual_wan_RG

Azure Resource Group created

Creating Azure Virtual WAN

Azure Virtual WAN created

Creating Azure Virtual Hub

Azure Virtual Hub created

Creating Azure VPN Site

Azure VPN Site created

Creating Azure Hub to Site association (vpnConnection)

Azure Hub to Site association created

Updating Check Point Security Management Server objects & Gateway configurations

 

Connection created successfully!

IMPORTANT: for changes to take effect you must install policy on gateway: branch_gw1

IMPORTANT: you must have Access Rule to allow traffic inside the new VPN community: azure--virtual_wan_RG--my-vwan--eastus--branch_gw1

The Check Point Integration Tool creates a new VPN connection in this way:

  1. If an Azure Resource Group does not exist yet, the Integration Tool creates it.

  2. If an Azure Virtual WAN does not exist yet, the Integration Tool creates it.

  3. If an Azure Virtual Hub does not exist yet, the Integration Tool creates it.

  4. If an Azure VPN Site does not exist yet, the Integration Tool creates it.

  5. The Integration Tool associates the VPN Site and Virtual Hub.

  6. If an Azure Virtual Hub is not used by an existing VPN connection, the Integration Tool creates two Interoperable device objects to represent the Azure Virtual Hub (two VPN gateways).

  7. The Integration Tool creates a VPN Community to represent the new VPN connection.

  8. The Integration Tool configures numbered VTI, VPN and BGP on the on-premises Check Point Security Gateway.

  9. The Check Point Security Gateway establishes two different VPN tunnels (Active-Active mode) to the two Microsoft Azure VPN gateways. (This is the design of Microsoft Azure Virtual WAN.)
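Because add-connection creates Azure resources and can run for 45 minutes or more, it is worth checking the values against the constraints the parameter table states before the tool is started. The Python below is an added example and is not part of the Check Point Integration Tool: it validates the ASN range (64512 to 65534), the Virtual Hub CIDR and the BGP peering address, enforces which parameters may be omitted, and assembles the argv list in the documented form. The function names and the hub_exists/site_exists flags are this example's own.

```python
"""Pre-flight checks for the documented azure_vwan add-connection parameters.

Added example, not Check Point code. Catches a bad -gwa, -hc or -gwb value
before the tool starts creating Azure resources.
"""
import ipaddress
import shlex

ASN_MIN, ASN_MAX = 64512, 65534   # range given in the -gwa description


def validate_asn(value):
    """Return the ASN as int; raise ValueError when outside 64512..65534."""
    asn = int(value)
    if not ASN_MIN <= asn <= ASN_MAX:
        raise ValueError(f"-gwa {value}: ASN must be between {ASN_MIN} and {ASN_MAX}")
    return asn


def validate_hub_cidr(value):
    """Return the hub address space; a value with host bits set (10.0.33.1/24) is rejected."""
    return ipaddress.IPv4Network(value, strict=True)


def validate_bgp_address(value):
    """Return the BGP peering address as IPv4Address (raises ValueError if malformed)."""
    return ipaddress.IPv4Address(value)


def build_add_connection(rg, wan, location, gw_name, hub_cidr=None, site_location=None,
                         gw_asn=None, gw_bgp=None, hub_exists=False, site_exists=False):
    """Validate the inputs and return the argv list for azure_vwan add-connection.

    Per the parameter table, -hc may be omitted only if the Virtual Hub already
    exists, and -gwa / -gwb only if the VPN Site already exists. The hub_exists
    and site_exists flags are this example's way of stating that.
    """
    if hub_cidr is None and not hub_exists:
        raise ValueError("-hc is required unless the Virtual Hub already exists")
    if (gw_asn is None or gw_bgp is None) and not site_exists:
        raise ValueError("-gwa and -gwb are required unless the VPN Site already exists")

    argv = ["azure_vwan", "add-connection", "-rg", rg, "-wn", wan, "-ln", location,
            "-gwn", gw_name]
    if hub_cidr is not None:
        argv += ["-hc", str(validate_hub_cidr(hub_cidr))]
    if site_location is not None:
        argv += ["-sl", site_location]
    if gw_asn is not None:
        argv += ["-gwa", str(validate_asn(gw_asn))]
    if gw_bgp is not None:
        argv += ["-gwb", str(validate_bgp_address(gw_bgp))]
    return argv


if __name__ == "__main__":
    # Values taken from the guide's own example invocation.
    cmd = build_add_connection("virtual_wan_RG", "my-vwan", "eastus", "branch_gw1",
                               hub_cidr="10.0.33.0/24", gw_asn="65105",
                               gw_bgp="169.168.254.205")
    print(shlex.join(cmd))   # review the line, then run it in Expert mode
```

The script only prints the assembled command; running it stays a deliberate step in Expert mode on the Management Server, after the sessions check in step 1.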

Step 5: Configuring the Settings in SmartConsole

Step

Description

1

Connect with SmartConsole to the Management Server.

2

Click Security Policies from the navigation panel.

3

Click the + tab.

The Manage Policies tab opens.

4

Open the applicable policy for the on-premises Security Gateway.

5

In the Access Control section, click Policy.

6

Add a new explicit rule to allow the traffic in the new VPN Community (see the example diagram):

  • Source - Applicable objects that represent the encryption domain behind the on-premises Security Gateway

  • Destination - Applicable objects that represent vNETs behind the Microsoft Azure Virtual Hub

  • VPN - The new VPN Community (see the output of the azure_vwan add-connection command)

  • Services & Applications - Applicable service objects

  • Action - Accept

  • Install On - On-premises Security Gateway object

7

Publish the session.

8

Install the Access Control Policy on the on-premises Security Gateway object.

Step 6: Verifying the VPN Configuration and Tunnels

On Check Point Management Server

Check Point Management Server - on CLI:

Step

Description

1

Connect to the command line on the Management Server.

2

Log in to the Expert mode.

3

Show the VPN configuration and VPN connections:

[Expert@MGMT:0]# azure_vwan show-connections

Note - For more information, run the azure_vwan show-connections -h command.

Example output of the 'azure_vwan show-connections' command:

[Expert@MyMgmt:0]# azure_vwan show-connections

Microsoft Azure Virtual WAN Check Point integration tool [Version 1.01 (EA)]

Check Point Software Technologies LTD.

(c) All rights reserved.

 

 

Retrieving VPN connections

 

========================================

 

VPN Connection #1:

 

Connection ID : 780a6a48dfc40008ba759f52ba74b88a

Azure :

Resource Group name : virtual_wan_RG

Virtual WAN name : my-vwan

Virtual Hub name : my-vwan--eastus

Virtual Hub location : eastus

VPN Site name : branch_gw1--my-vwan--mgmt

VPN Site location : eastus

Check Point:

Gateway name : branch_gw1

VPN community name : azure--virtual_wan_RG--my-vwan--eastus--branch_gw1

Interoperable device #1 : azure-virtual_-myvwa-eastus_Dt0

Interoperable device #2 : azure-virtual_-myvwa-eastus_5jg

 

 

========================================

Check Point Management Server - in SmartConsole:

Step

Description

1

Connect with SmartConsole to the Management Server.

2

From the top, click Objects menu > Object Explorer.

3

From the left tree, open Categories > VPN Communities.

  1. Make sure there are two VPN Community objects as the azure_vwan show-connections command showed.

  2. Open the applicable VPN Community objects.

  3. Make sure the Center Gateways section shows the Interoperable Device objects as the azure_vwan show-connections command showed.

  4. Make sure the Satellite Gateways section shows the on-premises Security Gateway object as the azure_vwan show-connections command showed.

4

From the left navigation panel, click Gateways & Servers.

5

In the top pane, select the Security Gateway object.

6

In the bottom pane, click the Summary tab, and at the bottom click Device & License information.

7

From the left tree, click Device Status and in the IPSec VPN section, click the > arrow.

8

From the left tree, click System Counters.

Examine the VPN counters.

Examine the VPN History counters.

9

From the left tree, click Traffic.

Examine the Top Tunnels information.

Naming convention:

The Check Point Integration Tool for Microsoft Azure Virtual WAN uses this naming convention for the objects it creates (see Step 5: Configuring the Settings in SmartConsole):

Virtual Hub name:
  [Virtual WAN name]--[Virtual Hub location]

VPN Site name:
  [Gateway object name]--[Virtual WAN name]--[Management Server Hostname]

VPN community name:
  [Azure "controller" name]--[Resource Group name]--[Virtual WAN name]--[VPN Site location]--[Gateway object name]

Interoperable device name:
  [First letters of Azure "controller" name]-[First letters of Resource Group Name]_-[First letters of Virtual WAN name]-[First letters of VPN Site location]_[3 random characters]

For more information, see the output of the azure_vwan show-config command.
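The naming convention makes the show-connections output checkable: the Virtual Hub, VPN Site and VPN community names can be rebuilt from the Azure and gateway fields and compared with what the tool reports, which is a quick way to spot an object that was renamed or created by hand. The Python below is an added example, not part of the Check Point Integration Tool. It parses one connection block of the example output above and applies the convention table. Assumptions, taken from that example output: the Azure "controller" name is "azure", the Management Server hostname is "mgmt", and the abbreviation of the Virtual WAN name drops hyphens ("my-vwan" becomes "myvwa"); the Interoperable device check only tests that each dash-separated part is a prefix of its source, since the table does not state how many letters are kept.

```python
"""Cross-check azure_vwan show-connections output against the naming convention.

Added example, not Check Point code. Parses "Key : Value" lines of each
"VPN Connection #N:" block and reports names that do not follow the table.
"""
import re

# Constructed from the guide's example output of azure_vwan show-connections.
SAMPLE = """\
VPN Connection #1:

Connection ID : 780a6a48dfc40008ba759f52ba74b88a
Azure :
Resource Group name : virtual_wan_RG
Virtual WAN name : my-vwan
Virtual Hub name : my-vwan--eastus
Virtual Hub location : eastus
VPN Site name : branch_gw1--my-vwan--mgmt
VPN Site location : eastus
Check Point:
Gateway name : branch_gw1
VPN community name : azure--virtual_wan_RG--my-vwan--eastus--branch_gw1
Interoperable device #1 : azure-virtual_-myvwa-eastus_Dt0
Interoperable device #2 : azure-virtual_-myvwa-eastus_5jg
"""

# controller-rg-wan-location_XYZ (three random characters at the end)
DEVICE_RE = re.compile(r"^([^-]+)-([^-]+)-([^-]+)-([^_]+)_([A-Za-z0-9]{3})$")


def parse_connections(text):
    """Return a list of {field: value} dicts, one per VPN connection block."""
    conns, current = [], None
    for line in text.splitlines():
        if line.startswith("VPN Connection #"):
            current = {"devices": []}
            conns.append(current)
            continue
        if current is None or " : " not in line:   # skips "Azure :" / "Check Point:"
            continue
        key, value = (part.strip() for part in line.split(" : ", 1))
        if key.startswith("Interoperable device"):
            current["devices"].append(value)
        else:
            current[key] = value
    return conns


def expected_names(conn, controller="azure", mgmt_host="mgmt"):
    """Names the convention table predicts for this connection (assumed controller/hostname)."""
    return {
        "Virtual Hub name": f"{conn['Virtual WAN name']}--{conn['Virtual Hub location']}",
        "VPN Site name": f"{conn['Gateway name']}--{conn['Virtual WAN name']}--{mgmt_host}",
        "VPN community name": "--".join([controller, conn["Resource Group name"],
                                         conn["Virtual WAN name"], conn["VPN Site location"],
                                         conn["Gateway name"]]),
    }


def device_name_matches(name, conn, controller="azure"):
    """True if an Interoperable device name has the documented structure.

    Each part must be a prefix of its source; the hyphen in the Virtual WAN
    name is dropped first (assumption inferred from the example output).
    """
    m = DEVICE_RE.match(name)
    if not m:
        return False
    parts = m.groups()[:4]
    sources = [controller, conn["Resource Group name"],
               conn["Virtual WAN name"].replace("-", ""), conn["VPN Site location"]]
    return all(src.startswith(part) for part, src in zip(parts, sources))


def check_connection(conn):
    """Return a list of mismatches; an empty list means the names follow the convention."""
    problems = []
    for field, want in expected_names(conn).items():
        if conn.get(field) != want:
            problems.append(f"{field}: got {conn.get(field)!r}, expected {want!r}")
    if len(conn["devices"]) != 2:   # the tool creates two Interoperable devices per hub
        problems.append(f"expected 2 Interoperable devices, found {len(conn['devices'])}")
    for dev in conn["devices"]:
        if not device_name_matches(dev, conn):
            problems.append(f"Interoperable device {dev!r} does not follow the convention")
    return problems


if __name__ == "__main__":
    for conn in parse_connections(SAMPLE):
        print(conn["Connection ID"], check_connection(conn) or "OK")
```

To use it on a live system, paste the output of azure_vwan show-connections in place of SAMPLE (or read it from a file) and pass the real controller name and Management Server hostname to expected_names.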

On Check Point Security Gateway

Step

Description

1

Connect to the command line on the Security Gateway.

2

Log in to the Gaia Clish.

3

Examine the configuration of the new VPN tunnels:

show configuration vpnt

Make sure the output shows the two new VPN tunnels.

Example output:

add vpn tunnel 2004 type numbered local 169.168.254.205 remote 10.0.13.4 peer vwanrgaut-vWanauto-eastus_NS6
add vpn tunnel 2005 type numbered local 169.168.254.205 remote 10.0.13.5 peer vwanrgaut-vWanauto-eastus_mIw

4

Examine the configuration of the new VTI interfaces:

show interface vpnt<Tunnel_Number>

There must be two new numbered VPN tunnels.

Example output:

state on
mac-addr Not configured
type vpnt
link-state not available
mtu 1500
auto-negotiation Not configured
speed N/A
ipv6-autoconfig Not configured
duplex N/A
monitor-mode Not configured
link-speed Not configured
comments
vpn-tunnel-id 2000
vpn-peer prod-myvw-myWan-manual-eastus_AAA
vpn-local-address 169.168.254.208
vpn-remote-address 10.0.8.5
ipv4-address Not Configured
ipv6-address Not Configured
ipv6-local-link-address Not Configured
Statistics:
TX bytes:180 packets:3 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:12590 packets:260 errors:0 dropped:0 overruns:0 frame:0

5

Examine the list of the established VPN tunnels:

show vpn tunnels

Example output:

  Interface: vpnt2004
        Local IP: 169.168.254.205
        Peer Name: vwanrgaut-vWanauto-eastus_NS6
        Remote IP: 10.0.13.4
        Interface type: numbered
  Interface: vpnt2005
        Local IP: 169.168.254.205
        Peer Name: vwanrgaut-vWanauto-eastus_mIw
        Remote IP: 10.0.13.5
        Interface type: numbered

6

Examine the parameters of the established VPN tunnels:

vpn tu list

Make sure the Out SPI field is not empty.

Example output:

+------------------------------------------+-----------------------+---------------------+
| Peer: 104.45.186.118 - vwanrgaut-vWana...| MSA: ffffc2004150d178 | i: 1  ref:  2       |
| Methods: ESP Tunnel PFS AES-128 SHA1 g...|                       |                     |
| My TS:   169.168.254.205                 |                       |                     |
| Peer TS: 10.0.13.0                       |                       |                     |
| MSPI:       3 (i:   1)                   | Out SPI: 7f1cc83c     |                     |
+------------------------------------------+-----------------------+---------------------+
| Peer: 104.45.186.118 - vwanrgaut-vWana...| MSA: ffffc2004150d2c0 | i: 1  ref:  2       |
| Methods: ESP Tunnel PFS AES-128 SHA1 g...|                       |                     |
| My TS:   169.168.254.205                 |                       |                     |
| Peer TS: 10.0.13.4                       |                       |                     |
| MSPI:       4 (i:   1)                   | Out SPI: f2562f18     |                     |
+------------------------------------------+-----------------------+---------------------+

7

Examine the BGP summary:

show bgp summary

Example output:

Routing Process BGP
    State is on
    Local Autonomous System is 65105
    Default Weight is 0
    BGP Route Rank is 170
    ECMP is off
    IGP Synchronization is off

8

Examine the BGP peers:

show bgp peers

Make sure the State column shows Established for Microsoft Azure peers.

Example output:

PeerID           AS           Routes  ActRts  State             InUpds  OutUpds  Uptime
10.0.13.4        65515        2       1       Established       3       3        00:00:29
10.0.13.5        65515        2       0       Established       5       6        00:06:22

9

Examine the BGP paths:

show bgp paths

Example output:

AS Path (AS Plain Notation): IGP.(Id-1)
    Nexthop: 0.0.0.0      LocalAS: 65105      NeighborAS: 0
    Refs: 1      Ases: 0      Segments: 0      Overhead: 96
AS Path (AS Plain Notation): IGP.(Id-2)
    Nexthop: 0.0.0.0      LocalAS: 65105      NeighborAS: 0
    Refs: 13      Ases: 0      Segments: 0      Overhead: 96
AS Path (AS Plain Notation): (65105),65515,IGP.(Id-4)
    Nexthop: 10.0.13.5      LocalAS: 65105      NeighborAS: 65515
    Refs: 4      Ases: 1      Segments: 1      Overhead: 102
AS Path (AS Plain Notation): (65105),65515,IGP.(Id-5)
    Nexthop: 10.0.13.4      LocalAS: 65105      NeighborAS: 65515
    Refs: 4      Ases: 1      Segments: 1      Overhead: 10

10

Examine the routing table:

show route

Make sure the output shows the applicable BGP routes through the new VTI interfaces.

11

Examine the configuration of the routemaps:

show configuration routemaps

Example output:

set routemap hub-in id 10 on
set routemap hub-in id 10 allow
set routemap hub-out id 10 on
set routemap hub-out id 10 allow
set routemap hub-out id 20 on
set routemap hub-out id 20 allow
set routemap hub-out id 20 match protocol static
set routemap hub-out id 30 on
set routemap hub-out id 30 allow
set routemap hub-out id 30 match protocol direct

Example BGP commands that use these routemaps:

set bgp external remote-as 65515 peer 10.0.13.4 import-routemap hub-in preference 10 on
set bgp external remote-as 65515 peer 10.0.13.5 import-routemap hub-in preference 10 on
set bgp external remote-as 65515 peer 10.0.13.4 export-routemap hub-out preference 10 on
set bgp external remote-as 65515 peer 10.0.13.5 export-routemap hub-out preference 10 on

12

Examine the routemaps:

show routemaps

Example output:

Routemap : "hub-in"
    Id : 10 [permit]
            Match Conditions:
                Match All Routes
            Actions:
Routemap : "hub-out"
    Id : 10 [permit]
            Match Conditions:
                Match All Routes
            Actions:
    Id : 20 [permit]
            Match Conditions:
                Protocol : static
            Actions:
    Id : 30 [permit]
            Match Conditions:
                Protocol : direct
            Actions:

13

Verify that BGP paths are propagated:

show bgp peers advertise

Example output:

BGP Neighbor 10.0.13.4 eBGP (AS 65515)
IPv4 Route          MED         LocalPref   Nexthop          Communities
0.0.0.0/0           0           N/A (eBGP)  169.168.254.205
10.0.13.4/32        0           N/A (eBGP)  169.168.254.205
10.0.13.5/32        0           N/A (eBGP)  169.168.254.205
10.0.13/24          0           N/A (eBGP)  169.168.254.205
23.96.105.22/32     0           N/A (eBGP)  169.168.254.205
168.63.129.16/32    0           N/A (eBGP)  169.168.254.205
169.168.254.205/32  0           N/A (eBGP)  169.168.254.205
169.254.169.254/32  0           N/A (eBGP)  169.168.254.205
172.26.1/24         0           N/A (eBGP)  169.168.254.205
172.26/24           0           N/A (eBGP)  169.168.254.205
BGP Neighbor 10.0.13.5 eBGP (AS 65515)
IPv4 Route          MED         LocalPref   Nexthop          Communities
0.0.0.0/0           0           N/A (eBGP)  169.168.254.205
10.0.13.4/32        0           N/A (eBGP)  169.168.254.205
10.0.13.5/32        0           N/A (eBGP)  169.168.254.205
10.0.13/24          0           N/A (eBGP)  169.168.254.205
23.96.105.22/32     0           N/A (eBGP)  169.168.254.205
168.63.129.16/32    0           N/A (eBGP)  169.168.254.205
169.168.254.205/32  0           N/A (eBGP)  169.168.254.205
169.254.169.254/32  0           N/A (eBGP)  169.168.254.205
172.26.1/24         0           N/A (eBGP)  169.168.254.205
172.26/24           0           N/A (eBGP)  169.168.254.205
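The gateway checks in steps 3 to 8 each state a pass condition (two numbered tunnels, a non-empty Out SPI, State Established for the Microsoft Azure peers), so they can be evaluated from captured Clish output instead of by eye. The Python below is an added example, not Check Point code. It parses "show vpn tunnels", "vpn tu list" and "show bgp peers", applies those conditions, and cross-checks that every tunnel's remote address is one of the BGP peers. The sample strings are constructed from the guide's example output, and identifying the Azure peers by AS 65515 (the remote AS in that output) is an assumption of this example.

```python
"""Evaluate the Security Gateway tunnel and BGP checks from captured Clish output.

Added example, not Check Point code. Samples are constructed from the guide's
example output; on a real gateway, feed in the output of the same commands.
"""
import re

SHOW_VPN_TUNNELS = """\
  Interface: vpnt2004
        Local IP: 169.168.254.205
        Peer Name: vwanrgaut-vWanauto-eastus_NS6
        Remote IP: 10.0.13.4
        Interface type: numbered
  Interface: vpnt2005
        Local IP: 169.168.254.205
        Peer Name: vwanrgaut-vWanauto-eastus_mIw
        Remote IP: 10.0.13.5
        Interface type: numbered
"""

VPN_TU_LIST = """\
+------------------------------------------+-----------------------+---------------------+
| Peer: 104.45.186.118 - vwanrgaut-vWana...| MSA: ffffc2004150d178 | i: 1  ref:  2       |
| Methods: ESP Tunnel PFS AES-128 SHA1 g...|                       |                     |
| My TS:   169.168.254.205                 |                       |                     |
| Peer TS: 10.0.13.0                       |                       |                     |
| MSPI:       3 (i:   1)                   | Out SPI: 7f1cc83c     |                     |
+------------------------------------------+-----------------------+---------------------+
| Peer: 104.45.186.118 - vwanrgaut-vWana...| MSA: ffffc2004150d2c0 | i: 1  ref:  2       |
| Methods: ESP Tunnel PFS AES-128 SHA1 g...|                       |                     |
| My TS:   169.168.254.205                 |                       |                     |
| Peer TS: 10.0.13.4                       |                       |                     |
| MSPI:       4 (i:   1)                   | Out SPI: f2562f18     |                     |
+------------------------------------------+-----------------------+---------------------+
"""

SHOW_BGP_PEERS = """\
PeerID           AS           Routes  ActRts  State             InUpds  OutUpds  Uptime
10.0.13.4        65515        2       1       Established       3       3        00:00:29
10.0.13.5        65515        2       0       Established       5       6        00:06:22
"""


def parse_vpn_tunnels(text):
    """One dict per "Interface:" block of show vpn tunnels, keyed by the printed labels."""
    tunnels = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Interface:"):
            tunnels.append({"interface": line.split(":", 1)[1].strip()})
        elif tunnels and ":" in line:
            key, val = (p.strip() for p in line.split(":", 1))
            tunnels[-1][key] = val
    return tunnels


def parse_tu_list(text):
    """One dict per SA box of vpn tu list: peer name, Peer TS and Out SPI ('' when empty)."""
    sas, block = [], []
    for line in text.splitlines() + ["+"]:        # sentinel closes the last box
        if not line.startswith("+"):
            block.append(line)
        elif block:
            blob = "\n".join(block)
            peer = re.search(r"Peer:\s+\S+\s+-\s+([^\s|]+)", blob)
            ts = re.search(r"Peer TS:\s+(\S+)", blob)
            spi = re.search(r"Out SPI:\s*([0-9a-fA-F]*)", blob)   # group is '' if blank
            sas.append({"peer_name": peer.group(1) if peer else "",
                        "peer_ts": ts.group(1) if ts else "",
                        "out_spi": spi.group(1) if spi else ""})
            block = []
    return sas


def parse_bgp_peers(text):
    """[{'peer', 'as', 'state'}] from show bgp peers; the header row is skipped."""
    rows = [line.split() for line in text.splitlines()]
    return [{"peer": c[0], "as": c[1], "state": c[4]}
            for c in rows if len(c) >= 5 and c[0] != "PeerID"]


def check_gateway(tunnels_text, tu_list_text, bgp_text, azure_asn="65515"):
    """Return failure messages; an empty list means every check in the guide passed."""
    failures = []
    tunnels = [t for t in parse_vpn_tunnels(tunnels_text) if t.get("Interface type") == "numbered"]
    if len(tunnels) != 2:
        failures.append(f"expected 2 numbered VPN tunnels, found {len(tunnels)}")
    failures += [f"empty Out SPI for peer {s['peer_name']} (Peer TS {s['peer_ts']})"
                 for s in parse_tu_list(tu_list_text) if not s["out_spi"]]
    peers = [p for p in parse_bgp_peers(bgp_text) if p["as"] == azure_asn]
    if not peers:
        failures.append(f"no BGP peers in AS {azure_asn}")
    failures += [f"BGP peer {p['peer']} state is {p['state']}, not Established"
                 for p in peers if p["state"] != "Established"]
    # Cross-check: each tunnel's remote address should be one of the Azure BGP peers.
    peer_ips = {p["peer"] for p in peers}
    failures += [f"tunnel {t['interface']} remote {t.get('Remote IP')} has no BGP peer"
                 for t in tunnels if t.get("Remote IP") not in peer_ips]
    return failures


if __name__ == "__main__":
    print(check_gateway(SHOW_VPN_TUNNELS, VPN_TU_LIST, SHOW_BGP_PEERS) or "all checks passed")
```

An empty Out SPI or a peer stuck outside Established is reported with the peer it belongs to, which points directly at the tunnel to investigate with the remaining steps (routing table, routemaps, advertised paths).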

In Microsoft Azure Portal

Step

Description

1

Connect to the Microsoft Azure portal.

2

Search for Virtual WANs in the search box at the top of the Azure portal.

Click Virtual WANs to open the page.

3

From the left tree, click Overview and examine the new Hub information.

4

From the left tree, in the Virtual WAN architecture section, click Hubs and examine the new Hub information.

5

From the left tree, in the Virtual WAN architecture section, click VPN sites.

Make sure the status for a connection between the VPN Site and the Virtual Hub is "Connected".

For more information, see the Virtual WAN Documentation.

Step 7: Deleting the Existing VPN Connection

When applicable, you can delete the existing VPN connection with Microsoft Azure Virtual WAN:

Step

Description

1

In SmartConsole, delete the explicit Access Control rule for the applicable VPN Community and publish the session.

2

Connect to the command line on the Management Server.

3

Log in to the Expert mode.

4

Examine the current VPN configuration:

[Expert@MGMT:0]# azure_vwan show-connections

5

Delete the existing VPN configuration:

[Expert@MGMT:0]# azure_vwan delete-connection -id "<Connection-ID>"

Note - For more information, run the azure_vwan delete-connection -h command.

6

Install the Access Control Policy on the on-premises Security Gateway.

Example output of the 'azure_vwan delete-connection' command:

[Expert@MyMgmt:0]# azure_vwan delete-connection -id "cdc4342dfdda0920a8420591aac29d56"

Microsoft Azure Virtual WAN Check Point integration tool [Version 1.01 (EA)]

Check Point Software Technologies LTD.

(c) All rights reserved.

 

 

Retrieving connection details

 

Deleting VPN connection: cdc4342dfdda0920a8420591aac29d56

Deleting Azure Hub to Site association (vpnConnection)

Azure Hub to Site association deleted

Deleting Azure VPN Site

Azure VPN Site deleted

Updating Check Point Security Management Server object & Gateway configurations

 

Connection deleted successfully!

NOTE: Resource Group, Virtual Hub & Virtual WAN were not deleted

IMPORTANT: For changes to take effect you must install policy on:

Gateway: branch_gw1

The Check Point Integration Tool deletes an existing VPN connection in this way:

  1. The Integration Tool disassociates the VPN Site and Virtual Hub.

  2. The Integration Tool deletes the Azure VPN Site.

    This step applies only if there are no VPN connections from other Virtual Hubs to this Azure VPN Site.

  3. The Integration Tool deletes the two Interoperable devices that represent the Azure Virtual Hub (two VPN gateways).

    This step applies only if another branch does not use this Azure Virtual Hub.

  4. The Integration Tool deletes the VPN Community that represents the VPN connection.

  5. The Integration Tool deletes the VPN tunnels and BGP peers on the on-premises Check Point Security Gateway.

  6. The Integration Tool does not delete:

    • The Azure Resource Group.

    • Azure Virtual WAN.

    • Azure Virtual Hub.