SD-WAN Configuration for DAIP Security Gateways

This section describes SD-WAN "Overlay - VPN" configuration for Security Gateways with a Dynamically Assigned IP Address (DAIP).

For frequently asked questions about DAIP, see sk167473.

SD-WAN Requirements for DAIP Security Gateways

SD-WAN Security Gateway

Supported Versions

Security Gateways that run Gaia OS

R81.20 Jumbo Hotfix Accumulator, Take 43 and higher.

Quantum Spark Appliances

R81.10.10 and higher.

SD-WAN Support for DAIP Security Gateways

  • SD-WAN supports DAIP Security Gateways in a Star VPN Community or a Mesh VPN Community:

    • Supports a VPN tunnel when one VPN peer is a Security Gateway with a Dynamically Assigned IP Address (DAIP) and another VPN peer is a Security Gateway with a Static IP address.

    • Supports a VPN tunnel when all VPN peers are Security Gateways with a Dynamically Assigned IP Address (DAIP).

      SD-WAN supports this configuration only if the corresponding SD-WAN interfaces on all VPN peers receive their IP addresses dynamically and connect to the Internet directly (not through a NAT device).

  • SD-WAN supports Security Gateways with different IP configuration on their SD-WAN interfaces - an SD-WAN interface with a Dynamically Assigned IP Address (DAIP), and other SD-WAN interfaces with a Static IP address.

    • Quantum Spark appliances can have one or more DAIP SD-WAN interfaces.

  • SD-WAN supports automatic renewal of VPN tunnels on DAIP SD-WAN interfaces:

    • A VPN tunnel recovers automatically after an IP address changes on a DAIP interface that participates in this VPN tunnel:

      [Security Gateway] (DAIP SD-WAN interface) --- [VPN Tunnel]

    • A VPN tunnel recovers automatically after an IP address changes on an IP NAT device in front of an SD-WAN interface that participates in this VPN tunnel:

      [Security Gateway] (SD-WAN interface) (Dynamic IP NAT Device) --- [VPN Tunnel]

SD-WAN Known Limitations for DAIP Security Gateways

  • Security Gateway object in SmartConsole must be configured as "Dynamic address" (on the General Properties page).

    Note - It is not supported to change this setting in an existing Security Gateway object.

    You must delete it and create a new object.

  • IKE negotiation:

    • If each DAIP Security Gateway in a VPN Community uses a DAIP SD-WAN interface without a dynamic IP NAT device in front of it, then each VPN peer can initiate the IKE negotiation.

      [Security Gateway 1] (DAIP SD-WAN interface 1) <===> [VPN Tunnel] <===> (DAIP SD-WAN interface 2) [Security Gateway 2]

    • If a Security Gateway in a VPN Community has a dynamic IP NAT device in front it, then this DAIP Security Gateway can only be the IKE-initiator for this VPN tunnel (cannot be the IKE-responder).

      [Security Gateway 1] (SD-WAN interface 1) (Dynamic IP NAT Device) ===> [VPN Tunnel] ===> (SD-WAN interface 2) [Security Gateway 2]

  • Configuration where a dynamic IP NAT device is connected in front of each SD-WAN Security Gateway is not supported (CGNAT-to-CGNAT):

    [Security Gateway 1] (SD-WAN interface 1) (Dynamic IP NAT Device 1) <===>

    <===> [VPN Tunnel] <===>

    <===> (Dynamic IP NAT Device 2) (SD-WAN interface 2) [Security Gateway 2]

  • After an IP address changes on an IP NAT device in front of an SD-WAN interface that participates in a VPN tunnel, it takes approximately 5 minutes for the VPN tunnel to negotiate again:

    [Security Gateway] (SD-WAN interface) (Dynamic IP NAT Device) <===> [VPN Tunnel] <===>

  • DNS resolving is not supported for DAIP Security Gateways.

  • For a Branch Security Gateway that is configured as a DAIP Security Gateway and performs "Backhaul" through the Center Security Gateway (see Routing Preference "Backhaul Only"):

    You must make sure that the Branch Security Gateway has a direct Internet access. When the IP address changes on the Branch Security Gateway, and its VPN tunnels go down, the Center Security Gateway and other VPN peers must be able to get the new IP address of the Branch Security Gateway.

    You must configure the SD-WAN Policy to match connections that the Branch Security Gateway creates (local connections) to a Steering Behavior configured as "Local Breakout Only" (see Routing Preference "Local Breakout Only") or "Prioritize Local Breakout" (see Routing Preference "Prioritize Local Breakout").

SD-WAN Configuration for DAIP Security Gateways

Important - Schedule a maintenance window.

Part 1 - On a Security Gateway, configure the DAIP settings

Follow the applicable procedure.

Note - This applies only to a new Security Gateway, on which you can run the Gaia First Time Configuration Wizard.

  1. During the Gaia First Time Configuration Wizard, in the Dynamically Assigned IP window, you must select Yes.

    Refer to the Gaia Administration Guide for your version > Chapter "Configuring Gaia for the First Time" > Section "Running the First Time Configuration Wizard in Gaia Portal".

  2. Install the required R81.20 Jumbo Hotfix Accumulator.

  3. Follow Step 3 - Configuration on Security Gateways > section "Part 2 - Configuration of SD-WAN interfaces on the Security Gateway" > subsection "Procedure for a Security Gateway that runs Gaia OS".

    In Gaia Portal, on the SD-WAN tab of the interface settings, select:

    1. Use as SD-WAN interface.

    2. Directly accessible.

Note - This applies to a Security Gateway that was not configured as DAIP in the Gaia First Time Configuration Wizard.

Best Practice - Collect the Gaia Backup. Refer to the Gaia Administration Guide for your version > Chapter "Maintenance" > Section "System Backup".

  1. Connect to the command line on the Security Gateway.

  2. Log in to the Expert mode.

  3. Configure this Security Gateway as DAIP:

    cpprod_util FwSetDAG 1

  4. In Gaia Portal, configure each applicable interface as an SD-WAN interface:

    Note - For the applicable Gaia Clish commands, see Step 3 - Configuration on Security Gateways > section "Part 2 - Configuration of SD-WAN interfaces on the Security Gateway" > subsection "Procedure for a Security Gateway that runs Gaia OS".

    1. In the Network Management section, click the Network Interfaces page.

    2. Select and edit each SD-WAN interface.

    3. On the SD-WAN tab of the interface settings, select:

      1. Use as SD-WAN interface.

      2. Directly accessible.

    4. Click OK.

  5. If you already configured a Security Gateway object in SmartConsole for this Security Gateway, then reset SIC on the Security Gateway.

    Best Practice - Perform this step over a direct connection to the Security Gateway - through the console port, or LOM Card (if it is installed).

    Note - For the complete procedure, see sk65764. In this step, you reset SIC only on the Security Gateway. In Part 2 below, you reset SIC in SmartConsole in the Security Gateway object.

    1. Run:

      cpconfig

    2. Enter the number of the option "Secure Internal Communication".

    3. Confirm that you wish to re-initialize the communication.

    4. Enter the new activation key.

      You must enter this key later in SmartConsole in the Security Gateway object (in Part 2 below).

    5. Exit from the Check Point Configuration Tool.

    6. The Security Gateway stops and starts all Check Point processes.

      Warning - If you are connected over SSH, your session may disconnect.

Note - For the complete procedure, see Step 3 - Configuration on Security Gateways > section "Part 2 - Configuration of SD-WAN interfaces on the Security Gateway" > subsection "Procedure for Quantum Spark Appliance that runs Gaia Embedded OS" > subsection "Configuration of a Quantum Spark Appliance in the WebUI".

  1. Connect to the WebUI.

  2. From the left tree, click Device.

  3. In the middle pane, expand the section Network and click Internet.

  4. Select and edit the Internet connection.

  5. At the top, click the Configuration tab:

    1. Expand the section Internet Configuration.

    2. In the Type field, select the applicable option :

      • If this interface gets its IP address dynamically, then select DHCP.

      • If this interface has a static IP address, then select Static IP.

  6. Click Save.

  7. If you already configured a Security Gateway object in SmartConsole for this Quantum Spark appliance, then reset SIC on the appliance.

    Note - For the complete procedure, see sk65764. In this step, you reset SIC only on the appliance. In Part 2 below, you reset SIC in SmartConsole in the Security Gateway object.

    1. Connect to the WebUI.

    2. From the left tree, click Home.

    3. In the middle pane, expand the section Overview and click Security Management.

    4. In the Security Management Server section, click Advanced.

    5. Click Reinitialize Trusted Communication.

    6. A warning message appears.

    7. Click Yes.

    8. The appliance unloads the central policy and applies only the local policy.

Part 2 - In SmartConsole, configure the Security Gateway Object

Follow the applicable procedure.

Note - If you already configured a Security Gateway object in SmartConsole, then you must reset SIC in this object, delete it, and then create a new object.

  1. Back up the current management database on the Management Server:

    1. Export the management database. See sk108902.

    2. Collect the CPinfo file. See sk92739.

  2. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server that manages this Security Gateway.

  3. From the left navigation panel, click Gateways & Servers.

  4. Double-click the existing Security Gateway object.

  5. Reset the Secure Internal Communication (SIC) between the Management Server and this Security Gateway:

    Note - For the complete procedure, see sk65764. In this step, you reset SIC in the Security Gateway object.

    1. Near the Secure Internal Communication field, click Communication.

    2. In the Certificate state field, click Reset and click Yes to confirm.

      Click OK.

    3. Click OK.

  6. Click OK.

  7. Right-click the Security Gateway > click Delete.

  1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server that should manage this Security Gateway.

  2. From the left navigation panel, click Gateways & Servers.

  3. From the top toolbar, click the New () > Gateway.

  4. In the Check Point Security Gateway Creation window, click Classic Mode.

  5. In the Name field, enter the applicable name for this Security Gateway object.

  6. Select Dynamic Address.

    Note - You must select this checkbox in these cases:

    • The SD-WAN interface receives its IP address dynamically (from a DHCP server, from a PPPoE provider).

    • The SD-WAN interface has a static IP address, but this IP address can change from time to time.

    • The SD-WAN interface has a static IP address that does not change, but connects to a NAT device that in turn receives its IP address dynamically.

  7. Establish the Secure Internal Communication (SIC) between the Management Server and this Security Gateway:

    1. Near the Secure Internal Communication field, click Communication.

    2. In the Platform field, select Open server / Appliance.

    3. Enter the same Activation Key you entered:

      • During the Gaia First Time Configuration Wizard on a new Security Gateway.

      • When you reset SIC on an existing Security Gateway.

    4. Click Initialize.

    5. Click OK.

  8. In the Platform section, select the correct options.

  9. Enable the applicable Software Blades (refer to the list of SD-WAN limitations).

  10. On the Network Management page, configure interfaces:

    1. Click Get Interfaces > Get Interfaces With Topology > click Close.

    2. Select and edit each interface.

    3. In each DAIP interface, in the General section, select Dynamic IP.

    4. Click OK.

  11. Click OK.

  1. Connect with SmartConsole to the applicable Security Management Server or Domain Management Server that should manage this Security Gateway.

  2. From the left navigation panel, click Gateways & Servers.

  3. From the top toolbar, click the New () > Gateway.

  4. In the Check Point Security Gateway Creation window, click Classic Mode.

  5. In the Name field, enter the applicable name for this Security Gateway object.

  6. Select Dynamic Address.

  7. In the Platform section, select the correct options.

  8. Establish the Secure Internal Communication (SIC) between the Management Server and this Security Gateway:

    1. Near the Secure Internal Communication field, click Communication.

    2. In the Platform field, select Small Office Appliance.

    3. In the Authentication section:

      1. Select Initiate trusted communication securely by using a one-time password.

      2. Enter a one-time password (SIC activation key).

    4. In the Trusted Communication Initiation section:

      1. Select Initiate trusted communication automatically when the Gateway connects to the Security Management server for the first time.

      2. In the field Identify appliance according to, select the applicable option and enter the required value.

    5. Click OK.

  9. Enable the applicable Software Blades (refer to the list of SD-WAN limitations).

  10. On the Topology page, configure each DAIP interface:

    1. In the Security Blades section, select Manually defined on the Security Management server, based on the below Topology Table.

    2. In the Topology Table section, select the interface and click Edit.

    3. In the Security and VPN Blades Topology section, select External (leads out to the Internet).

    4. In the IP settings section, select Dynamic IP.

    5. Click OK.

    6. In the Security Blades section, if needed, select Automatically calculated by the gateway, based on the gateway's Routing Table.

  11. Click OK.

Part 3 - In SmartConsole, configure the Access Control Policy

If it is necessary to use "Overlay - VPN" probing, then configure the required Access Control rule:

For Security Gateways with a Dynamically Assigned IP Address (DAIP):

  1. Configure this Access Control rule:

    Name

    Source

    Destination

    VPN

    Services & Applications

    Action

    Track

    Install On

    For DAIP -

    Overlay - VPN

    Probing -

    Incoming

    Any

    LocalMachine_All_Interfaces

    Name

    of the

    VPN Community

    echo-request

    Accept

    Log

    or

    None

    Only

    DAIP

    Security Gateways

    Note - The object "LocalMachine_All_Interfaces" is enforced only on DAIP Security Gateways.

  2. Install the Access Control policy only on the DAIP Security Gateways.

For Security Gateways that are VPN peers with DAIP Security Gateways:

  1. Configure this Access Control rule:

    Name

    Source

    Destination

    VPN

    Services & Applications

    Action

    Track

    Install On

    For Center GW -

    Overlay - VPN

    Probing -

    Incoming

    Any

    Security Gateways

    that are

    VPN peers

    with

    DAIP

    Security Gateways

    Name

    of the

    VPN Community

    echo-request

    Accept

    Log

    or

    None

    Security Gateways

    that are

    VPN peers

    with

    DAIP

    Security Gateways

  2. Install the Access Control policy only on the Center Security Gateway.

Part 4 - In Infinity Portal, configure the SD-WAN Policy

If it is necessary to use "Overlay - VPN" probing, then configure these SD-WAN rules:

  1. Log in to Check Point Infinity Portal.

  2. Click the top left Menu > in the section Quantum, click SD-WAN.

  3. From the top toolbar, create the applicable new rules.

    For Security Gateways with a Dynamically Assigned IP Address (DAIP):

    Name

    Source

    Destination

    Services & Applications

    Behavior

    Enforcement

    'Overlay - VPN'

    Probing -

    Incoming

    Any

    LocalMachine_All_Interfaces

    icmp-proto

    Default overlay

    Select the

    applicable

    profile objects

    Note - The object "LocalMachine_All_Interfaces" is enforced only on DAIP Security Gateways.

    For Security Gateways that are VPN peers with DAIP Security Gateways:

    Name

    Source

    Destination

    Services & Applications

    Behavior

    Enforcement

    'Overlay - VPN'

    Probing -

    Incoming

    Any

    Security Gateways

    that are

    VPN peers

    with

    DAIP

    Security Gateways

    icmp-proto

    Default overlay

    Select the

    applicable

    profile objects

    Name

    Source

    Destination

    Services & Applications

    Behavior

    Enforcement

    'Overlay - VPN'

    Probing -

    Incoming

    Any

    My VPN Domain & Peer VPN Domain

    icmp-proto

    Select the applicable

    Steering object

    of type

    "Overlay - VPN"

    Select the

    applicable

    profile objects

    'Overlay - VPN'

    Probing -

    Outgoing

    Any

    SD-WAN Internet

    icmp-proto

    Select the applicable

    Steering object

    configured as

    "Prioritize Local Breakout"

    Select the

    applicable

    profile objects

  4. From the top toolbar, click Publish to save the changes.

  5. From the top toolbar, click Enforce to apply the changes.

    In the popup window that opens, click Publish & Enforce Policy.

SD-WAN Troubleshooting for DAIP Security Gateways

You can use these CLI commands on the local Security Gateway to monitor if it learns the new IP address of a DAIP VPN peer:

CLI Syntax

Troubleshooting Information

Command Notes

cpview

  1. At the top, click Software-blades > VPN > Tunnel-Monitoring.

  2. In the bottom section Dynamic table shows this information for a DAIP Security Gateway:

    • The column Main peer IP shows "0.0.0.x".

    • The column Peer IP shows the last known peer IP address.

      This column must show a new IP address when the DAIP peer changes its IP address.

See sk101878

vpn tu tlist

  1. If the command output does not show Outbound SA or IPsec SA, then the VPN tunnel is "down".

  2. The field "To:" shows the last known peer IP address.

    This field must show a new IP address when the DAIP peer changes its IP address.

  1. Refer to the Command Line Interface (CLI) Reference Guide for your version > Chapter "VPN Commands" > Section "vpn" > Subsection "vpn tu".

  2. See sk181147.

vpn tu conn <Source IP> <Source Port> <Destination IP> <Destination Port> <Protocol>

The traffic must pass over the updated VPN tunnel with the new IP address of a DAIP Security Gateway.

  1. Refer to the Command Line Interface (CLI) Reference Guide for your version > Chapter "VPN Commands" > Section "vpn" > Subsection "vpn tu".

    You can use the minus character "-" as a wildcard "any".

  2. See sk181147.