Configuring SD-WAN Policy

Configuring SD-WAN Policy

1. Log in to Check Point Infinity Portal.

2. Click the top left Menu > in the section Quantum, click SD-WAN.

3. From the left navigation panel, click Network.

4. In the middle section, click SD-WAN Policy.

   The SD-WAN Policy opens.

   #	Name	Source	Destination	Services & Applications	Behavior	Translated Source (NAT)	Enforcement
   1	...	...	...	...	...	...	...
   2	...	...	...	...	...	...	...
   ...	...	...	...	...	...	...	...

5. From the top toolbar, create a new rule.

6. Optional: In the Name column of the rule, click and enter the applicable text.

7. In the Source column of the rule, click the (+) icon > select the applicable asset objects > click OK.

   See Objects Supported in SD-WAN Policy.

8. In the Destination column of the rule, click the (+) icon > select the applicable asset objects > click OK.

   See Objects Supported in SD-WAN Policy.

   Best Practice - Use Updatable Objects in the "Destination" column of the SD-WAN Policy. This allows matching of application connections on the first packet and most accurate traffic steering.

9. In the Services & Applications column of the rule, click the (+) icon > click Services, Applications > select the applicable objects > click OK.

   See Objects Supported in SD-WAN Policy.

10. In the Behavior column of the rule, click the (+) icon > select the applicable Steering Behavior object > click OK.

    See Configuring Steering Behavior.

    Note - You can select only one Steering Behavior object in a rule. If you select a different object, then it replaces the current object.

11. In the Translated Source (NAT) column of the rule, click the (+) icon > select the applicable NAT Mapping object > click OK.

    See SD-WAN NAT for ISP.

12. In the Enforcement column of the rule, click the (+) icon > select the applicable profile objects > click OK.

    Note - Select the profile you created in Infinity Portal: Step 1 - Configuration in Infinity Portal (On-Premise Management Server) Step 1 - Configuration in Infinity Portal (Smart-1 Cloud)

13. From the top toolbar, click Publish to save the changes.

14. From the top toolbar, click Enforce to apply the changes.

    The orange frame on this button means there are changes that are not enforced.

    

    In the popup window that opens, click Publish & Enforce Policy.

Dynamic Objects in SD-WAN Policy

On 19 August 2024, new predefined Dynamic Objects were added in Infinity Portal in the Quantum SD-WAN service.

These new predefined Dynamic Objects provide more precise traffic matching.

Notes: Support for these new Dynamic Objects is available in these Security Gateway versions: R82 and higher R81.20 Jumbo Hotfix Accumulator Take 79 and higher Quantum Spark R81.10.15 and higher If you configure the SD-WAN Policy with new Dynamic Objects, but your Security Gateway runs a lower version than required, then your Security Gateway converts the new Dynamic Objects to the corresponding Zone objects.

Description of the new Dynamic Objects:

Dynamic Object "My VPN Domain"

The Dynamic Object "My VPN Domain" presents the local VPN Encryption Domain on the Security Gateway that establishes Site to Site VPN tunnels.

Notes: The Dynamic Object "My VPN Domain" also represents the external interface on the Security Gateway that establish Site to Site VPN tunnels. Use the Dynamic Object "My VPN Domain" in SD-WAN rules that use Steering object or type "Overlay - VPN". The Dynamic Object "My VPN Domain" will match traffic between VPN peers (for example, probing in "Overlay - VPN"). No need to create a manual rule for such traffic. The Dynamic Object "My VPN Domain" replaces the Zone object "Private Networks". If you configure the SD-WAN Policy with the Dynamic Object "My VPN Domain", but your Security Gateway runs a lower version than required, then your Security Gateway converts the Dynamic Object "My VPN Domain" to the Zone object "Private Networks".

Dynamic Object "Peer VPN Domain"

On the Security Gateway establishes Site to Site VPN tunnels with its VPN peers, the Dynamic Object "Peer VPN Domain" represents one large VPN Encryption Domain of all SD-WAN VPN peers.

Notes: The Dynamic Object "Peer VPN Domain" also represents the external interface on the VPN peer Security Gateways that establish Site to Site VPN tunnels. Use the Dynamic Object "Peer VPN Domain" in SD-WAN rules that use Steering object or type "Overlay - VPN". The Dynamic Object "Peer VPN Domain" will match traffic between VPN peers (for example, probing in "Overlay - VPN"). No need to create a manual rule for such traffic. The Dynamic Object "Peer VPN Domain" replaces the Zone object "Private Networks". If you configure the SD-WAN Policy with the Dynamic Object "Peer VPN Domain", but your Security Gateway runs a lower version than required, then your Security Gateway converts the Dynamic Object "Peer VPN Domain" to the Zone object "Private Networks".

Dynamic Object "SD-WAN Internet"

The Dynamic Object "SD-WAN Internet" represents the Internet - ranges of public IP addresses.

Notes: The Dynamic Object "SD-WAN Internet" does not contain these IP addresses: Ranges of reserved IP addresses (private, public, multicast) IP addresses of networks that are connected directly to the Security Gateway Cluster Virtual IP addresses Ranges of IP addresses that are represented by the Dynamic Objects "My VPN Domain" and "Peer VPN Domain" Ranges of public IP addresses, for which there are specific static routes or dynamic routes (on roadmap) Use the Dynamic Object "SD-WAN Internet" in SD-WAN rules that use Steering objects or type "Local Breakout" or "Backhaul" to match outbound traffic. The Dynamic Object "SD-WAN Internet" replaces the Zone object "Public Networks". If you configure the SD-WAN Policy with the Dynamic Object "SD-WAN Internet", but your Security Gateway runs a lower version than required, then your Security Gateway converts the Dynamic Object "SD-WAN Internet" to the Zone object "Public Networks". For connections that undergo Destination NAT (such as with Inbound NAT / traffic for Published services), the Dynamic Object "SD-WAN Internet" matches the traffic against the destination IP address after NAT: If the destination IP address after NAT matches the Dynamic Object "SD-WAN Internet" - the connection is matched to that SD-WAN rule If the destination IP address after NAT does not match the Dynamic Object "SD-WAN Internet" (the IP address is private, or belongs to a directly connected network) - the connection is not matched to that SD-WAN rule

Important Notes

• The Zone object "Private Networks" represents all private networks as described in RFC 1918:

  • 10.0.0.0/8

  • 172.16.0.0/15

  • 192.168.0.0/16

• The Zone object "Public Networks" represents all networks other than the private networks that the Zone object "Private Networks" represents.

• If you configure your Quantum SD-WAN service for the first time after 19 August 2024, then the SD-WAN Wizard creates the required predefined SD-WAN Policy rules with the new Dynamic Objects.

• If you already SD-WAN Policy rules with the Zone objects "Private Networks" and "Public Networks":

  • You can continue using these Zone objects.

  • You can configure the SD-WAN Policy again to use the new Dynamic Objects (see the procedures below).

• If ranges of public IP addresses exist inside your networks that are not directly connected to the Security Gateway (but are routed), and these ranges are not represented by the Dynamic Objects "My VPN Domain" and "Peer VPN Domain", then at the top of the SD-WAN Policy create a bypass rule with the Steering of type "Overlay - VPN", so traffic for these ranges does match rules with the Steering of type "Local Breakout".

• To match "Overlay - VPN" traffic with Overlay rules, configure this rule:

  Source	Destination	Services & Applications	Behavior
  My VPN Domain Peer VPN Domain	Peer VPN Domain My VPN Domain	Any	Default overlay

  If in a Star VPN Community there are Center Gateways / Hub Gateways that route traffic between Spokes, then make sure to configure a rule for traffic from "Peer VPN Domain" to "Peer VPN Domain".

Follow the applicable procedure below to get the new predefined Dynamic Objects in the SD-WAN Policy:

Add the new predefined Dynamic Objects without changing the existing SD-WAN Policy rules

If you configured your Quantum SD-WAN service for the first time before 19 August 2024, then follow these steps to see the new predefined Dynamic Objects:

1. From the left navigation panel, click Network.

2. In the middle panel, click Getting Started.

3. In the Configure SD-WAN section, click Open Wizard.

4. In this popup window, click OK:

   SD-WAN rules already exist. If you will choose to create new rules via the wizard, upon completion we recommend reviewing the SD-WAN policy to make sure the new rules aren't overlapping.

5. Wait for 15 seconds.

6. In the top right corner of the SD-WAN Setup window, click X to close it.

You can now select the new Dynamic Objects in the SD-WAN Policy.

Add the new predefined Dynamic Objects in addition to the existing SD-WAN Policy rules

If you configured your Quantum SD-WAN service for the first time before 19 August 2024, then follow these steps to add the new predefined Dynamic Objects:

1. Note the number of the last SD-WAN rule.

2. From the left navigation panel, click Network.

3. In the middle panel, click Getting Started.

4. In the Configure SD-WAN section, click Open Wizard.

5. In this popup window, click OK:

   SD-WAN rules already exist. If you will choose to create new rules via the wizard, upon completion we recommend reviewing the SD-WAN policy to make sure the new rules aren't overlapping.

6. Follow through this SD-WAN Wizard.

   See Step 4 - SD-WAN Wizard.

   The SD-WAN Wizard adds the new rules below the existing rules.

7. From the left navigation panel, click Network.

8. In the middle section, click SD-WAN Policy.

9. Change the new rules as required for your environment.

   Disable the previous rules - in the # column, click the 3-dots button > click Disable.

10. From the top toolbar, click Publish to save the changes.

11. From the top toolbar, click Enforce to apply the changes.

    In the popup window that opens, click Publish & Enforce Policy.

Objects Supported in SD-WAN Policy

This section provides a list of objects you can use in various columns of SD-WAN policy rules.

Supported shared objects in the "Source" and "Destination" columns of SD-WAN policy

• Host

• Network

• Address Range

• Security Zone

• Dynamic Object

  Note - See Dynamic Objects in SD-WAN Policy.

• Domain

• Security Gateway Object

• Cluster Object

• Cluster Member Object

• Network Groups

• Access Role

Supported shared updatable objects in the "Source" and "Destination" columns of SD-WAN policy

SD-WAN supports Updatable Objects documented in sk131852.

Supported shared objects in the "Services & Applications" column of SD-WAN policy

• TCP service

• UDP service

• Other service

• SCTP service

• Service Group

• Check Point Applications

• Application/Site Group

• Custom Application/Site

• DSCP Service Class