Adding a New Branch Site

Check Point creates the back-end architecture to tunnel the traffic from the branch device to the internet.

To connect a branch office to the large network and successfully manage its security, you must create a site that represents this branch office SD-WAN Software-Defined Wide Area Network - A virtual WAN architecture that allows enterprises to leverage any combination of transport services – including MPLS, LTE and broadband internet services – to securely connect users to applications. device, and then route its traffic to the network through Harmony Connect.

To add a new site:

1. From the Assets menu, click Branches & Data Centers.

2. Click + Add.

   The Add Branch Office Site wizard appears.

3. Click Branch Office and click Next.

4. Enter this information in the General step and then click Next:

   1. Name - A name for the Site.

   2. Comments - (Optional) Description of the site.

   3. Branch Office Gateway Type - Select a SD-WAN device. If your SD-WAN device is not listed, select Generic Router / SD-WAN.

   4. Number of users (Estimation) - The estimated number of users in the branch office. This helps Check Point optimize its cloud An administrator approved Harmony Connect cloud location that processes the internet and corporate traffic. services.

5. Enter this information in the Connection Details step and then click Next:

   1. External IP Addresses - Select Dynamic IP Address or Static IP Address, and then enter one or more Usernames (FQDN) or device's external IP addresses.

      Notes: For the purpose of this guide, we select Static IP Address for the Site. If you have more than one external network interface, use Add another external IP address or Add another Interface Identifier. To secure all the traffic, Check Point recommends to add all your external IP addresses.

   2. Copy the Shared Secret and store in a safe location.

   3. If you want to monitor the tunnel connection status using Dead Peer Detection (DPD Dead Peer Detection (DPD) is a method of detecting a dead Internet Key Exchange (IKE) peer. The method uses IPsec traffic patterns to minimize the number of messages required to confirm the availability of a peer.), select the Enable Tunnel Status checkbox. If you do not select the checkbox, the system queries the subnets for the traffic and updates the status accordingly.

      Note - DPD is not supported for Dynamic IP Address.

6. In the Internal Sub-networks step, enter the subnet addresses of your internal networks in the branch office site.

   Note - Ensure that the subnet addresses are not in the range 100.64.0.1-100.127.255.254.

   Check Point Harmony Connect applies its cyber security features to all traffic coming from these network addresses.

7. Click Next.

8. In the Location step, enter this information:

   • Site Address - Physical location of the branch office.

     This field is an option to show your site on the world map.

   • Location of the cloud service - Location of the service for this connection. Select from the list of options.

     Best Practice - Harmony Connect inspects traffic from your branch office to the internet with a cloud service that resides in one of these locations. To achieve the best performance, you typically select the location of the cloud service that is closest to the location of your site. For some countries, most notably in South America or the Middle East, the best choice for Location of the cloud service might be presence of a strong cross-country internet link.

9. Click Next.

   The Confirm Site Creation page appears.

10. Review the site details. To modify site details, click Back. Otherwise, click Finish and Create Site.

    It takes several minutes to create the site.

    The new site widget appears in the list of the sites, with the status Generating Site. The status changes to Waiting for traffic when the site is ready.

    

    If you have selected the Enable Tunnel Status checkbox, then the widget shows the status of the tunnel.

    Optionally, you can view tunnel metrics on the widget. To enable this feature, contact Check Point Support.

    

    The tunnel metrics shows:

    • Active - Number of active tunnels.

    • Cloud Peers - Number of gateways available in the location for this site.

    • Local Peers - Actual number of SDWANs or interfaces (branch identifiers) in this site.

      This table show the tunnel status and its description when the metrics feature is enabled or disabled.

      Tunnel Status	Description
      	When Tunnel Metrics feature is enabled	When Tunnel Metrics feature is not enabled
      Active	Tunnel status is enabled and at least one tunnel is active.	Site has received traffic, tunnels are online.
      Warning	NA	Some tunnels are inactive or are not started.
      Waiting for traffic	Site is ready, waiting for tunnel traffic.
      Error	Active tunnels are now inactive.

11. To view the list of events in the site, click Show Tunnel Status.

    

12. Continue with Connecting an SD-WAN Branch Office Device with Harmony Connect.

Note - To create many sites automatically you can use the API Keys. Any change in the User Interface can be automated through API. For more information, see the Check Point API Reference.