Early Availability Features

This section describes SD-WAN features in the Early Availability stage.

Important - To get these features, you must install the R82 Early Availability packages on the SD-WAN Security Gateway.

See the "Downloads" section in sk180605.

SD-WAN with a Maestro Security Group

For information about Maestro, see the:

Follow Step 3 - Configuration on Security Gateways with these changes:

  • Part 2 - Configuration of SD-WAN interfaces on the Security Gateway >

    Procedure for a Security Gateway that runs Gaia OS

    You must configure the required interface settings in one of these ways:

    • In Gaia Portal on the Security Group.

    • In Gaia gClish on the Security Group.

  • Part 3 - Installation of the SD-WAN Nano-Agent on the Security Gateway >

    Procedure for a Security Gateway that runs Gaia OS

    You must install the SD-WAN Nano-Agent on all Security Group Members:

    1. Get the Authentication Token you copied earlier from your Quantum Profile in Infinity Portal.

    2. Connect to the command line on the Security Group.

    3. Log in.

    4. If your default shell is Gaia gClish, go to the Expert mode:

      expert

    5. Install the SD-WAN Nano-Agent on all Security Group Members:

      nano-egg --install --token <Authentication Token you copied earlier from your Quantum Profile> --run-all-members

    6. Examine the status of the required Nano-Services:

      g_allc cpnano -s

      The section "Service settings" in the output must show "Status: Running" for these services:

      • Check Point Orchestration Nano Service

      • Check Point Messaging Proxy Nano Service

      • Check Point SDWan Nano Service

      • Check Point Cpview Metric Provider Nano Service

      • Check Point SD-WAN Logger Nano Service

    7. In Infinity Portal > Quantum SD-WAN, navigate to the Network view > Agents page.

      This page must show each Security Group Member.

      Example:

      Host

      Name

      IP Address

      Quantum version

      Hardware

      SD-WAN applicable

      SD-WAN active

      Policy version

      Profiles

      MySG-s01-01

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

      MySG-s01-02

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

      MySG-s01-03

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

      MySG-s02-01

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

      MySG-s02-02

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

      MySG-s02-03

      Maestro

      192.168.6.76

      R82

      Maestro

      Multiple versions

      Quantum Profile, SD-WAN Profile

Notes:

  • Do not install the SD-WAN Nano-Agent on Maestro Orchestrators.

  • If you add a new Security Group Member later, then you must manually install the SD-WAN Nano-Agent on that new Security Group Member:

    1. Get the ID of the new Security Group Member in this Security Group.

    2. Connect to the command line on the new Security Group Member using the "member" command on the Orchestrator or on the Security Group.

    3. Log in to the Expert mode.

    4. Install the SD-WAN Nano-Agent on the new Security Group Member:

      nano-egg --install --token <Authentication Token you copied earlier from your Quantum Profile>

    5. Examine the status of the required Nano-Services:

      cpnano -s

  • Infinity Portal > Quantum SD-WAN shows:

    • The Network view > Agents page shows only the object of each Security Group Member.

    • All other sections and fields show only the Security Group object.

  • The Security Group selects the Security Group Member that runs the SD-WAN probing to run the Maestro task called "SDWAN". This Security Group Member is considered the "SDWAN Task Owner (STO)".

    Run this command on the Security Group to see which Security Group Member runs which Maestro task:

    asg stat -i tasks

  • In a normal state, all Security Group Members must run the same SD-WAN Policy (with the same "Policy ID" values).

    If the Policy ID on a Security Group Member (Local Policy) differs from the Policy ID on the STO Security Group Member (Global Policy), then the non-STO Security Group Member begins to perform its own SD-WAN probing.

    The non-STO Security Group Member stops performing its own SD-WAN probing only when its Policy ID (Local Policy) is the same as the Policy ID on the STO Security Group Member.

    Run this command to see the SD-WAN policy:

    • To see the outputs that differ between Security Group Members (the policy installation time may differ by several seconds):

      g_allc cpsdwan stat

    • To see the complete outputs from each Security Group Member:

      g_all cpsdwan stat

  • To see the probing status in CPView:

    1. Run on the Security Group:

      cpview

    2. From the top, click Advanced > SDWAN > Probing.

      The row Gateway Probing State shows one of these:

      • SD-WAN Task owner

        This Security Group Member is the STO - responsible for the Global probing for the entire Security Group.

      • Active probing member

        This Security Group Member is not the STO, but it is currently performing the probing.

        Probably because its SD-WAN Policy ID is different than that of the STO.

      • Active non probing member

        This Security Group Member is not the STO, but an active Security Group Member that is not performing the probing.

        This is a normal state, when all Security Group Members have the same SD-WAN Policy ID.

      • Standby on active site

        This Security Group Member is currently in the Standby mode and does not handle traffic in general.

      • Standby site member

        This Security Group Member is currently a member of a Standby Site.

SD-WAN with a Traditional VSX Virtual System

For information about the Traditional VSX mode, see the VSX Administration Guide for your version.

Limitations:

  • SD-WAN Profile supports only Layer 3 Virtual Systems (Virtual Routers, Virtual Switches, and Virtual Systems in the Bridge Mode are not supported)

  • Each Virtual System supports only one Default Gateway.

  • SD-WAN Policy does not support VSX Cluster objects.

Follow Step 3 - Configuration on Security Gateways with these changes:

  • Part 2 - Configuration of SD-WAN interfaces on the Security Gateway >

    Procedure for a Security Gateway that runs Gaia OS

    1. Configure the required interface settings in SmartConsole in the object of applicable Virtual System and click OK to push the VSX configuration.

    2. Install the applicable Access Control policy on the Virtual System object.

    3. Configure the applicable interfaces in the applicable Virtual System:

      1. Connect to the command line on the VSX Gateway / each VSX Cluster Member.

      2. Log in to Gaia Clish.

      3. Get the ID of each configured Virtual System:

        show virtual-systems

      4. Go to the context of the applicable Virtual System:

        set virtual-system <ID>

      5. Configure the SD-WAN settings on the applicable interfaces.

  • Part 3 - Installation of the SD-WAN Nano-Agent on the Security Gateway >

    Procedure for a Security Gateway that runs Gaia OS

    You must install the SD-WAN Nano-Agent on each applicable Virtual System:

    1. Get the Authentication Token you copied earlier from your Quantum Profile in Infinity Portal.

    2. Connect to the command line on the VSX Gateway / VSX Cluster Member.

    3. Log in.

    4. If your default shell is Gaia Clish, go to the Expert mode:

      expert

    5. Get the ID of each configured Virtual System:

      vsx stat -l

    6. Install the SD-WAN Nano-Agent on each applicable Virtual System:

      nano-egg --install --token <Authentication Token you copied earlier from your Quantum Profile> --vs_id <ID>

    7. Examine the status of the required Nano-Services in each applicable Virtual System:

      cpnano -vs <ID> -s

      The section "Service settings" in the output must show "Status: Running" for these services:

      • Check Point Orchestration Nano Service

      • Check Point Messaging Proxy Nano Service

      • Check Point SDWan Nano Service

      • Check Point Cpview Metric Provider Nano Service

      • Check Point SD-WAN Logger Nano Service

    8. In Infinity Portal > Quantum SD-WAN, navigate to the Network view > Agents page.

      This page must show each connected Virtual System.

Notes:

  • Do not install the SD-WAN Nano-Agent in the context of the VSX Gateway / VSX Cluster Member (VS0).

  • Infinity Portal > Quantum SD-WAN shows:

    • The Network view > Agents page shows only Virtual System objects (does not show the object of the VSX Gateway / VSX Cluster / VSX Cluster Members).

    • The Network view > SD-WAN Policy page > the "WAN Link Mapping" section shows only the VSX Gateway object or the VSX Cluster object (not each VSX Cluster Member).

SD-WAN with SmartLSM (SmartProvisioning)

For information about SmartLSM (SmartProvisioning), see the SmartProvisioning Administration Guide for your version.

Important - For Branch Gateways, SD-WAN supports this feature only for Quantum Spark Gateways.

  1. Configure SD-WAN interfaces on each Security Gateway that uses the SmartLSM Security Profile.

    Follow Step 3 - Configuration on Security Gateways >

    "Part 2 - Configuration of SD-WAN interfaces on the Security Gateway" >

    "Procedure for Quantum Spark Appliance that runs Gaia Embedded OS".

  2. Install the SD-WAN Nano-Agent on each Security Gateway that uses the SmartLSM Security Profile.

    Follow Step 3 - Configuration on Security Gateways >

    "Part 3 - Installation of the SD-WAN Nano-Agent on the Security Gateway" >

    "Procedure for Quantum Spark Appliance that runs Gaia Embedded OS".

  3. Update the $FWDIR/conf/robo-ike.NDB file on each Security Gateway that uses the SmartLSM Security Profile:

    Note - This step applies only to Security Gateways that are configured as Satellite Gateways in a Star VPN Community.

    1. Connect to the command line on each Security Gateway that is configured as a Satellite Gateway.

    2. If the default shell is Gaia Clish, then go to the Expert mode:

      expert

    3. Rename the current $FWDIR/conf/robo-ike.NDB file:

      mv -v $FWDIR/conf/robo-ike.NDB $FWDIR/conf/robo-ike-ORIGINAL.NDB

    4. In SmartProvisioning GUI, update each Security Gateway that is configured as a Center Gateway in the same Star VPN Community as the Satellite Gateway:

      1. In the top left panel, click Devices.

      2. In the top right panel Devices, select a Security Gateway that is configured as a Center Gateway.

      3. From the top toolbar, click Menu > Actions > Update Selected Corportate Office Gateway.

      Note - For this step, you can also use these Management API commands:

    5. Make sure a new $FWDIR/conf/robo-ike.NDB file is created on each Security Gateway that is configured as a Satellite Gateway:

      ls -l $FWDIR/conf/robo-ike.NDB

    6. Optional: Delete the original $FWDIR/conf/robo-ike-ORIGINAL.NDB file:

      rm -i $FWDIR/conf/robo-ike-ORIGINAL.NDB

Notes:

  • You must install the SD-WAN Nano-Agent on each Security Gateway that uses the SmartLSM Security Profile.

  • In Infinity Portal > Network view > Profiles page, in an SD-WAN Profile you must select only the SmartLSM Security Profile (not the corresponding Security Gateway object).

  • Infinity Portal > Network view > Agents page shows each corresponding Security Gateway object that uses the SmartLSM Security Profile.

  • If all Security Gateways that use the SmartLSM Security Profile have the same interface names, then you can configure WAN Link Mapping using the interface name.

    Otherwise (different interface names), use an ISP Tag to make sure WAN Link Mapping is the same and consistent on Security Gateways.

Quality Check Methodology - Configuring Multiple Targets for Probing

For complete information, see Configuring Steering Behavior.

When you create or edit a Steering Behavior object, click the Quality Check Methodology heading to expand this section and configure the applicable settings.

If you selected the probe type Custom, then in the field Hosts, you can now enter a maximum of 5 destinations.

This feature is called Multiple Target Probing (MTP).

Prioritize Local Breakout

For more information, see Routing Preference "Prioritize Local Breakout".

When you configure the Steering Behavior to use the type "Internet" with the Routing Preference "Prioritize Local Breakout":

  1. The Security Gateway uses direct WAN Links to connect to the Internet.

  2. If all direct WAN Links to the Internet are down (because a link is down, or the probing next hop is down), the Security Gateway uses the direct WAN Link with encrypted traffic to the Headquarters to connect to the Internet (the "Backhaul" behavior).

It is now possible to configure the Security Gateway to fail over to the "Backhaul" behavior when all direct WAN Links exceed the Criteria thresholds configured in the applicable Steering Behavior (see Configuring Steering Behavior):

  1. From the left navigation panel, click Network.

  2. In the middle section, click Profiles.

  3. Click the applicable profile.

  4. Click the Advanced tab.

  5. Click the left cell key and enter this parameter:

    sdw_bhl_prefer_brk

  6. Click the right cell value, enter digit "1", and press the Enter key:

    1

    The row with the configured parameter must appear below the default empty row "key - value".

  7. At the top, click Publish.

  8. At the top, click Enforce.

Important:

  • This parameter applies to all Security Gateways that use this SD-WAN Profile.

    If this behavior change is required only for some Security Gateways:

    1. Create a new SD-WAN Profile.

    2. Add only the applicable Security Gateways to this new profile.

    3. Configure the parameter "sdw_bhl_prefer_brk" in this new profile.

    4. Edit the SD-WAN Profile that contains Security Gateways, whose failover behavior must not change.

    5. Remove the applicable Security Gateways, for which you created a new SD-WAN Profile.

    6. At the top, click Publish.

    7. At the top, click Enforce.

  • If the $FWDIR/conf/sdwan/sdwan_steering_params.json file on a Security Gateway contains this parameter "sdw_bhl_prefer_brk", then the value of this parameter in this file takes precedence over the value of this parameter that you configured in an SD-WAN Profile.

    If you edit this file, then you must restart the SD-WAN Steering process on the Security Gateway:

    sdwan_steering_stop ; sdwan_steering_start