VeloCloud Version 3.x and Lower

These procedures are for versions of VeloCloud prior to version 4.0.

To establish connection through Check Point, you must attach the new IPsec tunnels to the SD-WAN on your Site.

To configure VeloCloud on your SD-WAN Device:

  1. Integrate with Check Point through the two Check PointIPsec Tunnels that you created and configured on the VeloCloud Orchestrator.

    See Configuring VeloCloud Orchestrator.

  2. Go back to the Check Point Infinity Portal and edit the site. Update the random external IP addresses with the real IP addresses that VeloCloud provided.

    SeeUpdating the IP Address at Check PointInfinity Portal.

  3. Route the traffic from your branch office to Check PointHarmony Connect and test your configuration.

    See Routing the Traffic through the Check PointHarmony Connect IPsec Tunnels.

  4. Test your configuration.

    See Testing the VeloCloud Configuration.

Configuring VeloCloud Orchestrator

To establish connection through Check Point, you must configure two new IPsec tunnels from the SD-WAN on your Site, and then route the traffic from your branch office to Check Point Harmony Connect.

In VeloCloud terminology it means to create a non VeloCloud site.

To create a WAN Edge IPsec tunnel:

  1. From the SD-WAN VeloCloud Orchestrator user interface, go to Configure > Network Services.

    Example:

  2. Scroll down to Non-VeloCloud Sites.

    The Add or Edit CheckPoint_IPSec pop-up window opens.

  3. Click New.

    A New Non-VeloCloud Site pop-up window opens.

    Example:

  4. Edit these parameters:

    • Name must be an alias for this tunnel. In this case, to_check_point.

    • Type must be set to Generic IKEv1 Router (route based).

    • Primary VPN Gateway must be set to current IP address of your first tunnel.

      See Configuring SD-WAN Device.

    • Secondary VPN Gateway must be set to current IP address of your second tunnel.

      See Configuring SD-WAN Device.

  5. Click Next.

  6. Configure additional settings.

    • Enable Tunnel(s) must be checked.

    • Authentication must be set to None.

    • Disable Site Subnets must be checked. It indicates that the Internes access is protected by Check Point.

    Example:

  7. Click Save Changes.

  8. Click Advanced.

    The Advanced window opens.

    Example:

  9. Configure the advanced settings for the Check Point Service.

    • Set the Tunnel Settings for Primary VPN Gateway:

      • PSK must be set to Pre-Shared Key. See Configuring SD-WAN Device.

      • Encryption must be set to AES 256.

      • DH Group should be set to 2.

      • FPS must be set to disabled.


    • Set the Tunnel Settings for Secondary VPN Gateway:

      • PSK must be set to the Pre-Shared Key from the Check Point instructions at the previous steps.

      • Encryption must be set to AES 256.

      • DH Group must be set to 2.

      • FPS must be set to disabled.

    Best Practice - The Redundant VeloCloud Cloud VPN option must be selected.

  10. Click Save Changes.

  11. Extract VeloCloudgateway IP addresses from the configuration template.

    Note - You will use this IP addresses in these steps as an external IP addresses for integration with Harmony Connect.

    1. Click View IKE/IPsec Template and view your created settings in the command-line description.

    2. Go to Tunnel Interface > Outside IP Addresses > SD-WAN Gateway.

    3. Copy the IP addresses of the VeloCloud Gateway and use them in the Check Point Infinity Portal in the next configuration steps.

      Example:

      Note - In real environments, the highlighted IP addresses are two different IP addresses.

  12. Click Close.

  13. Activate the Check Point Site at VeloCloud Orchestrator.

    1. In VeloCloud Orchestrator user interface, go to Configure > Profiles.

    2. On Device tab, click Profiles

    3. Select the profile you want to connect to Check PointHarmony Connect.

    4. Go to Device > Cloud VPN > Branch to non-VeloCloud Site.

    5. Select the Check Point Non-VeloCloud Site that you configured in the previous sections and edit these parameters:

      • Enable must be checked.

      • Cloud VPN must be checked.

      Example:

    6. Click Save Changes.

Updating the IP Address at Check PointInfinity Portal

To update the IP addresses of the VeloCloudGateway in the Check PointInfinity Portal:

  1. Go back to Check PointInfinity Portal.

  2. Go to Sites and select a site you want to connect.

  3. Click Edit Site on your Check Point Site.

    Example:

  4. Go to Connection Details > External IP Addresses.

  5. Set the External IP Addresses to the VeloCloudGateway IP Address (see Configuring VeloCloud Orchestrator - Extract VeloCloudgateway IP addresses from the configuration template.).

    Example:

  6. Click Apply.

    Note - It can take several minutes for Check Point to update the external IP addresses of the site.

  7. Test the Tunnel Status.

    1. Go to Monitor > Network Services > Non-VeloCloud Sites.

    2. Locate your Check Point tunnels and make sure that they are up. They must show the amount of traffic that is sent and received. Both tunnels must be connected and show up as green.

      Note - It can take significant time to apply the changes and represent the current status.

      • Green- Connected

      • Red - Disconnected

      Example:

      Note - In this example, primary tunnel is connected / established, while the secondary tunnel is disconnected.

    3. Optional: In the Events column, click View next to the relevant tunnel status and view the events.

      Example:

Routing the Traffic through the Check PointHarmony Connect IPsec Tunnels

You must define routes for the traffic from your branch office IPsec tunnels to Check Point Harmony Connect.

To define routes for the traffic from your branch office to Check PointHarmony Connect:

  1. On the VeloCloud Orchestrator user interface, go to Configure > Profiles.

  2. Select the Profile configured for the VeloCloud Edges.

  3. Go to Business Policy > New Rule.

    Example:

  4. Configure the Business Policy Rule.

    • Name must be a short description of the rule, such as "Traffic to Check Point".

    • Destination must be set to Internet or scroll down to the Action section.

    • Network Service must be set to Internet Backhaul.

    • Non-VeloCloud Site must be selected.

    • Non-VeloCloud Site must be selected and set for the Check Point Site that you defined in the previous steps.

    • NAT must be disabled.

    Example:

  5. Click OK.

    Example:

  6. Click Save Changes.

Testing the VeloCloud Configuration

To work with the VeloCloud configuration, you must check its activity on your branch office device.

To test the overall configuration at VeloCloud Orchestrator:

  1. Route the traffic from behind your Site to the Internet and test the browsing function.

  2. Go to Monitor > Edges.

  3. Click the Edge that sends the traffic.

  4. Locate your Check Point tunnels and make sure that they are up. They must show the amount of traffic that is sent and received.

Now you can go to the Check Point Infinity Portal and monitor Cybersecurity Events. See Monitoring Cybersecurity Events.