Configuring a Check Point SMB
After you create the site at Check Point Harmony Connect, on this site you must configure your branch office to route traffic through Harmony Connect.
Check Point creates the back-end architecture for tunneling the traffic from the branch device to the Internet.
To configure your branch device:
- On the site thumbnail, click the Configure branch device button.
  The Instructions window opens.
- From the top field, select your SD-WAN branch office device.
- Follow the instructions on the screen to get the IPsec configuration properties, pre-shared key, tunnel addresses, and the traffic routes.
- Click Close.
Configuring Web Management Service for Check Point SMB
To configure IPsec tunnels from the Check Point SMB, perform these steps:
- Log into your Check Point SMB portal.
- Create and configure two Check Point IPsec Tunnels and route the traffic through the tunnels. See Configuring your Device for SMB.
- Test your configuration. See Testing your configuration.
Note - If you use the cloud SMP (Security Management Portal), you can create an SMBPlan that consists of all the branch devices connected with Check Point Harmony Connect to unify the device traffic logs. Other configurations are only available when you connect directly to each device.
Procedure:
- Get the IP address of the IPsec tunnel
  Check Point IPsec tunnel addresses are FQDN domains. For an SMB you need the IP address of the tunnel.
  Use the tunnel destination addresses and run these commands:
  nslookup <tunnel 1 address>
  nslookup <tunnel 2 address>
  Use these IP addresses in the next step.
- Specify the subnets of your device
  - On the Infinity Portal, click Site > View.
  - On your SMB device, log in to the web user interface.
  - Navigate to Device > Routes.
  - In the Site Details window, select Internal sub-networks.
  - Make sure that each internal sub-network from the list of internal sub-networks is defined in one of these parameters:
    - The LAN subnets.
      To verify, navigate to Device > Local Network.
    - The Wireless subnet.
      To verify, navigate to Device > Wireless.
    - Subnets configured for users connecting to the Check Point SMB through VPN.
      To verify, navigate to VPN > Remote Access > Advanced and scroll to Office Mode.
- Configure Advanced Settings
  - Go to Advanced > Advanced Settings.
  - Edit the VPN Site to Site global settings entry Do not encrypt connections originating from the local gateway, and set it to true.
  - Edit the VPN Site to Site global settings entry Perform Tunnel Tests using an internal IP address, and set it to true.
- Enable VPN
  - Go to VPN > Site to Site > Blade Control.
  - Make sure that Site to Site VPN is set to On.
    Note - Changes will only apply in case your SMB has active VPN Sites. We will define the VPN sites in the next step.
- Create IPsec tunnel
  - Log into your SMB device web user interface.
  - Go to VPN > Site to Site > VPN sites.
  - Click on New...
    A pop-up dialog opens.
  - On the Remote Site tab, set these parameters:
    - Name must be an alias for this tunnel. In this case, Check-Point-tunnel-1.
    - Connection Type must be Load sharing.
    - Add the IP addresses of the Check Point tunnels you resolved in Step 1 to the IPv4 Address list. Both tunnels must be On, and one of these tunnels must be set to primary.
    - Preshared secret must be checked.
    - Password for the PreShared Secret must be set to the pre-shared key configured at the site instructions. See Creating a New Site.
      Re-enter the Password in the Confirm box.
    - In the Remote Site Encryption Domain section, set Encryption Domain to Route all traffic through this site.
  - Click Apply.
    Changes are applied immediately.
  - Go to VPN > Site to Site > VPN Tunnels.
    Wait for the tunnel to come up.
To test the Harmony Connect configuration, you must check its activity on your branch device.
Note - To test the functionality of the connection established with the host behind the SMB device, Check Point Harmony Connect provides IP addresses inside the cloud tunnel network. Use the test IP addresses from the site instructions.
To test the Harmony Connect configuration:
- Connect to the host behind the SMB device.
- To test the first tunnel, run this command:
  ping <test IP address from the site instructions>
- To test the second tunnel, run this command:
  ping <test IP address from the site instructions>
- Save the changes.
This connects your local Check Point Gateway to Harmony Connect through the two dedicated IPsec tunnels that you created.
Now you can monitor the Cybersecurity Events at the Check Point Infinity Portal. See Monitoring Cybersecurity Events.
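The two command-line steps above (resolving the tunnel FQDNs with nslookup in Step 1, and pinging the test addresses from the host behind the SMB) can be scripted so they are repeatable after a change. The script below is an added example, not Check Point's own tooling: it parses BIND-style nslookup output (Linux/macOS), validates that the answer is a usable IPv4 address before you paste it into the VPN site's IPv4 Address list, and then pings each tunnel's test address. The hostnames, test addresses and the file name are placeholders; substitute the values from the Configure branch device instructions on the Infinity Portal.

```shell
#!/bin/sh
# Added example, not Check Point's own tooling: resolve the two Harmony Connect
# tunnel FQDNs to the IPv4 addresses the SMB VPN site needs, then ping the test
# addresses from the site instructions to confirm each tunnel passes traffic.
# Every hostname and address below is a placeholder.

TUNNEL1_FQDN="${TUNNEL1_FQDN:-tunnel-1.example.invalid}"   # placeholder
TUNNEL2_FQDN="${TUNNEL2_FQDN:-tunnel-2.example.invalid}"   # placeholder
TEST_IP1="${TEST_IP1:-192.0.2.1}"   # placeholder test IP for tunnel 1
TEST_IP2="${TEST_IP2:-192.0.2.2}"   # placeholder test IP for tunnel 2

# valid_ipv4 STRING: succeed only for a dotted quad whose four octets are 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR == 1 {
            ok = (NF == 4)
            for (i = 1; ok && i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
        }
        END { exit (ok ? 0 : 1) }'
}

# extract_answer_ip NSLOOKUP_OUTPUT: print the first IPv4 address from the answer
# section of nslookup output, skipping the resolver's own "Server:/Address:" header
# (that Address line carries a "#53" port suffix and is not the tunnel address).
extract_answer_ip() {
    printf '%s\n' "$1" | awk '
        /^Non-authoritative answer:/ || /^Name:/ { in_answer = 1; next }
        in_answer && /^Address:/ {
            sub(/^Address:[ \t]*/, ""); sub(/#.*/, "")
            if ($0 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print; exit }
        }'
}

# resolve_tunnel FQDN: run nslookup and print the validated IPv4 address, or fail.
resolve_tunnel() {
    out=$(nslookup "$1" 2>/dev/null) || return 1
    ip=$(extract_answer_ip "$out")
    valid_ipv4 "$ip" || return 1
    printf '%s\n' "$ip"
}

# check_tunnel LABEL TEST_IP: the test address is reachable only through the
# tunnel, so a reply shows that tunnel is up and carrying traffic.
check_tunnel() {
    if ping -c 3 "$2" >/dev/null 2>&1; then
        printf '%s: up (%s replied)\n' "$1" "$2"
        return 0
    fi
    printf '%s: DOWN (no reply from %s)\n' "$1" "$2"
    return 1
}

main() {
    for fqdn in "$TUNNEL1_FQDN" "$TUNNEL2_FQDN"; do
        if ip=$(resolve_tunnel "$fqdn"); then
            printf 'Use %s for %s in the VPN site IPv4 Address list\n' "$ip" "$fqdn"
        else
            printf 'Could not resolve %s to an IPv4 address\n' "$fqdn" >&2
        fi
    done
    status=0
    check_tunnel "Check-Point-tunnel-1" "$TEST_IP1" || status=1
    check_tunnel "Check-Point-tunnel-2" "$TEST_IP2" || status=1
    return $status
}

# Run the checks only when invoked as: sh tunnel-check.sh run   (placeholder file name)
case "${1:-}" in
    run) main ;;
esac
```

Run it from the host behind the SMB device, after the VPN site shows as up under VPN > Site to Site > VPN Tunnels. A non-zero exit status means at least one test address did not answer, which points at that tunnel (or its route) rather than at Harmony Connect as a whole.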