(Optional) Configure Site-to-Site VPN

  1. Create a Network Group object to represent the encryption domain of the cluster:

    1. In SmartConsole, click the Objects menu > Object Explorer.

    2. From the top toolbar, click New > Network Group.

    3. In the Enter Object Name field, enter the desired name.

    4. Click the + icon and select the applicable network objects.

    5. Click OK.

    6. Close the Object Explorer.

  2. Edit the cluster object:

    1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

    2. Double-click the cluster object.

      The Gateway Cluster Properties window opens.

  3. Define your Network Group as the encryption domain of the cluster object:

    1. In SmartConsole, from the left navigation panel, click Gateways & Servers.

    2. Double-click the cluster object.

      The Gateway Cluster Properties window opens.

    3. In the cluster object left tree, click Network Management > VPN Domain.

    4. Select Manually defined.

    5. In the right corner of this field, click the [...] button and select the Network Group object you created in Step 1.

  4. Define the VPN community:

    1. In the cluster object left tree, click IPsec VPN.

    2. In the section This Security Gateway participates in the following VPN Communities, select the applicable VPN community.

  5. Define the outgoing VPN interface:

    1. In the cluster object left tree, click IPsec VPN > Link > Selection.

    2. In the IP Selection by Remote Peer section, select Always use this IP address > Statically NATed IP, and then enter the cluster's public IP address.

    3. In the Outgoing Route Selection section:

      1. Click Source IP address settings.

      2. Select Manual.

      3. Choose Selected address from topology table.

      4. Select the private IP address of the external interface of the cluster.

      5. Click OK.

      6. In the Tracking section, select the desired option.

      7. Click OK to close the Gateway Cluster Properties window.

  6. Configure the VPN Community to use Permanent Tunnels:

    1. In SmartConsole, click the Objects menu > Object Explorer.

    2. In the left tree, clear all boxes except for VPN Communities.

    3. Double-click the VPN community in which this cluster object participates.

      The VPN Community window shows.

    4. In the left tree, click Tunnel Management.

    5. Select Set Permanent Tunnels.

    6. Select the applicable option.

    7. Click OK to close the VPN Community properties window.

    8. Close the Object Explorer.

  7. Install the applicable Access Control Policy on the cluster object.