Configuring the SD-WAN Device

When you create the site at Check Point Harmony Connect, on this site you must configure your branch office to route traffic through Harmony Connect.

Check Point creates the back-end architecture for tunneling the traffic from the branch device to the Internet.

Example:

To configure your branch device:

  1. On the site thumbnail, click the Configure branch device button:

    The Instructions window opens.

  2. From the top field, select your SD-WAN branch office device.

  3. Follow the instructions on the screen to get the IPsec configuration properties, pre-shared key, tunnel addresses, and the traffic routes.

    Example:

    Best Practice - To enhance the service reliability Check Point recommends you to create and use two tunnels.

  4. Click Close.

Configuring Versa on the Edge Device

You can route the incoming and outgoing traffic through IPsec tunnels from a Versa device to the Check Point Harmony Connect security service.

Through the IPsec you can enable Check Point security from your Versa management dashboard.

Steps to configure Versa SD-WAN:

  1. Creating the First IPsec Check Point Tunnel

  2. Creating the Second IPsec Check Point Tunnel

  3. Creating a New Tunnel Monitoring Interface

  4. Testing your Configuration

Prerequisites

  • DNS Server

    Check Point uses FQDN addresses for its cloud tunnels. To access the Check Point domains you must configure your Versa device to use DNS server.

To create FQDN Tunnels for integration with Versa:

  1. Go to Other > System > Configuration > Configuration.

  2. Add DNS servers to resolve these FQDN names.

    Example:

Creating IPsec Check Point Tunnels

To establish connection through Check Point, you must attach the new CP-Tunnel tunnels to the SD-WAN on your Site.

Creating the First IPsec Check Point Tunnel

Note - A WAN IPsec Interface Name must have a suffix of _1.

To create the first IPsec tunnel:

  1. Go to Configuration page > Object tab > Address and click [+].

    Example:

  2. In the Edit Address window enter these parameters:

    Name - CP-Tunnel1

    Description (Optional)

    Type - FQDN

    FQDN - Enter the FQDN parameter configured on the Harmony Connect Site. SeeCreating a New Site .

    Example:

  3. Go to Other > System > Configuration > Configuration and click Name Server.

    Example:

  4. In the Edit Name Server window add the DNS servers to resolve these FQDN names.

    Example:

  5. Create a new IPsec tunnel interface.

    1. Go to Networking > Interfaces >Tunnel

      Example:

    2. In the Edit Tunnel Interface window set the IPV4 to an internal sub-network that is not used by your site (for example: 172.16.1.1/24).

      Example:

Creating the Second IPsec Check Point Tunnel

Note - A WAN Edge IPsec Interface name must have a suffix of _2.

Repeat Steps 3-5 to create the second IPsec tunnel.

Name - Set to CP-Tunnel2.

Testing the IPsec Check Point Tunnels Configuration

To test the IPsec Check Point tunnels configuration perform these steps:

  1. Add routes to both IPsec tunnels.

  2. Set Site-to-Site IPsec VPN.

  3. Bind the IPsec VPN to your Versa branch device.

  4. Deploy changes.

  5. Test your IPsec configuration

  1. Go to Networking >Virtual routes and open LAN template.

    Example:

  2. In Virtual router details field add the created Check Point tunnel interfaces.

  3. In the Static routing field add the Universal destination address and the Nexthop address.

    Example:

  4. Click OK.

  1. Go to Services > IPSEC > VPN Profiles.

    On the General tab add two profiles that correspond to the two created IPsec tunnels.

    Example:

  2. Go to Services > IPSEC > VPN Profiles.

    On the IKE tab:

    • Make sure that Local Auth section has the IP Address.

    • Make sure that Peer Auth section has FQDN for Peer Auth.

    Example:

  3. Go to Services > IPSEC > VPN Profiles.

    On the IKE tab set the value in the IKE Rekey Time field to 24 hours.

    Example:

    Note - Versa allows maximum 8 hours for IKE rekey. Check Point provides default 24 hours.

  4. Click OK.

  1. Go to Workflows > Devices and click on the applicable Versa FlexVNF SD-WAN device.

  2. Open Bind data tab.

  3. Click on the Serial number of your applicable device.

    The Device window opens.

  4. In the IPsec section enter the IP of your applicable device interface.

  5. Click OK.

    Example:

  1. Click Save.

  2. Commit the template to the Versa Orchestrator.

    The changes are deployed immediately.

On the Versa Orchestrator main window:

  • To monitor IKE: Open the IKE Security Association tab.

    Example:

  • To monitor IPsec: Open the IPsec Security Association tab.

    Example:

  • To monitor the live traffic: Open the Summary tab.

    Example:

Creating a New Tunnel Monitoring Interface

Check Point provides two IPsec tunnels for redundancy and non-stop operation. When one of the Check Point tunnels is down for maintenance, Versa switches to the next Check Point tunnel. The usual switch takes several minutes. The pre-configured Tunnel Monitoring Interfaces for each tunnel ensure Versa a very quick switch (within 5 seconds). It ensures s reliable experience for the end user and an uptime of 99.999%.

Versa Tunnel Monitor Interfaces use test IP addresses that Check Point provides. See the site instructions on the Infinity Portal.

Versa Tunnel Monitor Interfaces connect to the Versa IPsec tunnel interfaces over BGP.

Example:

To configure Versa Monitoring interfaces:

  1. Create new Tunnel Monitoring interfaces.

  2. Connect the new Versa Monitoring Interfaces to the Versa Tunnel Interfaces.

    1. Go to Networking > Interfaces > Tunnel.

    2. In the Edit Tunnel Interface window create two IPsec tunnels.

      Each of these tunnels must have its own unique private IP subnet (for example, 10.0.1.0/24 and 10.0.2.0/24).

      Example:

    3. Click OK.

    4. Click Add to create two tunnels.

      In the Add Tunnel Interface window specify these parameters for the pairs:

      • For Interface tvi-0/201 - Set Paired Interface tvi-0/202

      • For Interface tvi-301 - Set Paired Interface tvi-302

      The tunnel pair is created automatically.

      Example for Interface tvi-0/201:

      		 Example for Interface 301

    5. Click OK.

    6. Edit the automatically created tunnels tvi-0/202 and tvi-302:

      1. In the Interfaces table, click Edit for each paired tunnel.

      2. In the Edit Tunnel Interface window set these parameters for the pairs:

        • For Interface tvi-0/202 - Set Paired Interface tvi-0/201

        • For Interface tvi-302 - Set Paired Interface tvi-301

      Example for Interface tvi-0/202:

      		 Example for Interface tvi-0/302:

    • The Interfaces table with all the paired tunnels configured (example):

    Versa Tunnel Monitor Interfaces connect to the Versa IPsec tunnel interfaces over BGP. For more information see Creating a New Tunnel Monitoring Interface.

    To connect Versa Monitoring Interfaces to Versa Tunnel Interfaces:

    1. Create BGP Instance on Versa Monitoring Interfaces.

    2. Create BGP Instance on Versa Tunnel Interfaces.

    3. Set up route between these two BGP instances through mutual Peer Groups.

    To create a BGP instance on Versa Monitoring Interfaces:

    1. Go to Networking > Virtual Routers.

    2. Create three LAN routes:

      • tvi-0/302.0 - Additional LAN interface compatible with Paired Interfaces tvi-301/302

      • tvi-0/202.0 - Additional LAN interface compatible with Paired Interface tvi-201/202

      • tvi-0/603.0 - LAN Route

    3. Click on the LAN Route in the table to see the virtual route details.

      In the Edit window click on Virtual Router Details > Interface Networks.

    4. Click OK.

      Example:

    5. In the Edit window click on BGP.

      In the Instance ID click on the first row.

      Example:

    6. Click OK.

    7. In the Edit BGP Instance window click on Peer / Group policy tab, select From_ST_Internet_Policy.

    To create a BGP instance on Versa Tunnel Interfaces

    1. Click [book] icon to clone the created policy.

      Example:

      1. In the Add BGP Instance window enter a name for this new policy:

        Name- Set to From_ST_CheckPoint1

      2. Click on the Color ST Routes and enter this name in the Name filed:

        Name- Set to From_ST_CheckPoint1

        Example:

      3. Click OK.

      4. On Action tab set Local Preference to a higher priority number. In this example it is set to 130.

        Note - The number priority ranges in direct relationship to its value.

      5. Click OK.

        Example:

    2. Repeat Step 8 to create the second clone for this policy.

      • Name- Set to From_ST_CheckPoint2

      • Local Preference - Set to 125 (a lower priority number).

    3. Click OK.

      Created BGP connections in the BGP Instance table (example):

    To set up a route from Versa Monitoring Interfaces to Versa Tunnel Interfaces:

    1. Go to Edit BGP Instance > Peer Group tab.

    2. Click [+] to add and configure three groups based on groups created before:

      • ST-Group-1 - based on From_ST_Internet_Policy

      • CP-1 - based on From_ST_CheckPoint1

      • CP-2 - based on From_ST_CheckPoint2

      1. Go to Peer Group > Edit BPG Instance and click [+].

      2. In the Add Peer Group window enter these parameters:

        Name - Set CP-1 / CP-2 / ST-Group-1

        Type - Set EBGP

        Example:

      3. In Neighbors tab - Add Neighbor IP and Peer AS.

        Example:

      4. In Advanced tab - Add Import and select these options:

        • ST-Group-1 - import from From_ST_Internet_Policy

        • CP-1 - import from From_ST_CheckPoint1

        • CP-2 - import from From_ST_CheckPoint2

          Example:

      Created Peer Groups (example):

    3. Configure routes between the Versa.

      1. Go to Edit CheckPoint-1 > Virtual Router Details.

      2. Set Instance Name to CheckPoint-1.

      3. Click OK.

        Repeat Steps a-c for the second route. Set Set Instance Name to CheckPoint-2.

      4. Go to Other >Organization > Limits and open template.

      5. Add to Traffic identification all the interfaces and resources created before.

        Example:

      6. Click OK.

      7. Click Resources:

        Example:

      8. Click OK.

        Go to Networking > IP-SLA > Monitor and create 2 monitors: Monitor-1 and Monitor-2. Click OK.

      9. Go back to Virtual routes. Open first route, create Redistribution policy (To LAN) and add Monitor to it.

        Redistribution Policy Name - Set to TO-LAN

        Example:

      10. Click [+].

      11. In Edit Term window enter Term Name (Static), Protocol

        (Static) and Monitor(1 or 2).

        Example:

      12. Go to Redistribution Policy > Redistribute to BGP field and enter the TO-LAN name.

        Example:

      13. Go to Static Route and click [+] to add a new route.

        Example:

      14. In the Add Static Route window in the Destination field enter: 0.0.0.0/0.

        Example:

    4. Go to BGP and click [+] to add a new BGP Instance.

      Example:

    5. Enter the Instance parameters:

      • Instance ID

      • Local ID

      • Local AS

      Example:

    6. Go to Peer Group tab and click [+] to add a new Peer group.

    7. In the Peer Group window:

      1. Enter these parameters:

        • Name - Set to TO-LAN

        • Type - Set to EBGP

      2. Add Neighbors.

      Example:

    8. Click OK.

    9. Repeat Step 3 to edit the CheckPoint-2 group and add Monitor-2.

    10. Go to Services > IPSEC > VPN Profiles.

    11. Add the Checkpoint-1 and Checkpoint-2 profiles that correspond to the IPsec tunnels.

      Example:

    12. Go to Workflows > Devices and open your device.

    13. Open the Bind data tab.

    14. Open your Device.

      To the IPsec section of your device add the IP of your created interface that is applicable for the IPsec tunnel.

      Example:

    15. Click OK.

    16. Redeploy the changes and commit the template.

      Repeat the procedure in Setting Site-to-Site IPsec VPN.

    You completed the configuration of the tunnels, added them to the Harmony Connect, and routed the traffic through them.

    Testing your Configuration

    To make sure that the traffic from your Versa SD-WAN device passes to the Internet through the Check Point Harmony Connect system, you must check its activity on your branch device.

    After that go to the Check Point Infinity Portal and watch the Cybersecurity Events.

    To test the Versa configuration on your device:

    1. Connect to the Internet from a computer behind your edge device and browse sites.

    2. From Versa Console go to Monitor > Edges.

    3. Click on the Edge that sends the traffic.

    4. Locate your Check Point tunnels and make sure that they are up.

      The tunnels must show the amount of traffic that is sent and received.

      • IKE traffic monitoring:

        Example:

      • IPsec traffic monitoring:

        Example:

      • Live traffic monitoring:

        Example:

      • IP-SLA monitors:

    To test the Versa configuration from the Infinity Portal:

    1. Log into the Check Point Infinity Portal.

      See Creating an Account in the Check Point Infinity Portal.

    2. Go to Harmony Connect > Sites and locate your Site.

    3. Click Menu > Show Instructions and locate the applicable Test IP address.

    4. Use ping for the Test IP address to test this configuration.

      Example:

    You can watch the Cybersecurity Events at the Check Point Infinity Portal. See Monitoring Cybersecurity Events.