Configuring SD-WAN Policy

Important - If you did not use the SD-WAN Wizard during the initial deployment, then you must configure the required settings manually.

Configuring SD-WAN Policy

  1. Log in to Check Point Infinity Portal.

  2. Click the top left Menu > in the section Quantum, click SD-WAN.

  3. From the left navigation panel, click Network.

  4. In the middle section, click SD-WAN Policy.

    The SD-WAN Policy opens.

    #

    Name

    Source

    Destination

    Services & Applications

    Behavior

    Translated Source (NAT)

    Enforcement

    1

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    2

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    ...

    Notes:

    • If the icon appears in the column "#", it means this rule is disabled.

      To enable this rule, click the rule number > click > click Enable.

    • If the icon appears in the column "#", it means you made changes in that row, but did not click Publish and Enforce yet.

    • If the red oval frame with the icon appears around an object, it means this object is no longer available - an administrator deleted this object on the Management Server, which updated Infinity Portal.

      By design, Infinity Portal does not delete such objects from your configuration.

      You must manually change all places that contain this deleted object.

  5. From the top toolbar, create a new rule.

  6. Optional: In the Name column of the rule, click and enter the applicable text.

  7. In the Source column of the rule, click the (+) icon > select the applicable asset objects > click OK.

    See Objects Supported in SD-WAN Policy.

  8. In the Destination column of the rule, click the (+) icon > select the applicable asset objects > click OK.

    See Objects Supported in SD-WAN Policy.

    Best Practice - Use Updatable Objects in the "Destination" column of the SD-WAN Policy. This allows matching of application connections on the first packet and most accurate traffic steering.

  9. In the Services & Applications column of the rule, click the (+) icon > click Services, Applications > select the applicable objects > click OK.

    See Objects Supported in SD-WAN Policy.

  10. In the Behavior column of the rule, click the (+) icon > select the applicable Steering Behavior object > click OK.

    See Configuring Steering Behavior.

    Note - You can select only one Steering Behavior object in a rule. If you select a different object, then it replaces the current object.

  11. In the Translated Source (NAT) column of the rule, click the (+) icon > select the applicable NAT Mapping object > click OK.

    See SD-WAN NAT for ISP.

  12. In the Enforcement column of the rule, click the (+) icon > select the applicable profile objects > click OK.

    Note - Select the profile you created in Infinity Portal:

  13. From the top toolbar, click Publish to save the changes.

  14. From the top toolbar, click Enforce to apply the changes.

    The orange frame on this button means there are changes that are not enforced.

    In the popup window that opens, click Publish & Enforce Policy.

Note - To disable a rule, in the # column, click the 3-dots button > click Disable.

Example:

Removing / Disabling SD-WAN Policy on the Security Gateway

To stop a Security Gateway from enforcing SD-WAN policy (that is, to uninstall, disable, or turn off SD-WAN policy on that Security Gateway):

  1. Remove the Security Gateway from all SD-WAN Profiles:

    After enforcement, the Security Gateway will no longer receive or enforce SD-WAN policy.

    1. In Infinity Portal, remove the Security Gateway object from any SD-WAN Profile that is selected in any SD-WAN policy rule.

    2. From the top toolbar, click Publish to save the changes.

    3. From the top toolbar, click Enforce to apply the changes.

      The orange frame on this button means there are changes that are not enforced.

      In the popup window that opens, click Publish & Enforce Policy.

  2. If the Security Gateway is unreachable (for example, is not connected to the Internet at this time):

    If you cannot update the SD-WAN assignment from the Infinity Portal, you can remove the Nano-Agent locally on the Security Gateway with this command:

    cpnano -u

    This command will remove all SD-WAN Nano-Services, unregister the Security Gateway from the Infinity Portal, and uninstall the SD-WAN policy from the Security Gateway.

Note - Before uninstalling the Nano-Agent, make sure there are no other components that use it (for example, IoT) to avoid an impact on other features.

Dynamic Objects in SD-WAN Policy

On 19 August 2024, new predefined Dynamic Objects were added in Infinity Portal in the Quantum SD-WAN service.

These new predefined Dynamic Objects provide more precise traffic matching.

Notes:

  • Support for these new Dynamic Objects is available in these Security Gateway versions:

  • If you configure the SD-WAN Policy with new Dynamic Objects, but your Security Gateway runs a lower version than required, then your Security Gateway converts the new Dynamic Objects to the corresponding Zone objects.

Description of the new Dynamic Objects:

The Dynamic Object "My VPN Domain" presents the local VPN Encryption Domain on the Security Gateway that establishes Site to Site VPN tunnels.

Notes:

  • The Dynamic Object "My VPN Domain" also represents the external interface on the Security Gateway that establish Site to Site VPN tunnels.

  • Use the Dynamic Object "My VPN Domain" in SD-WAN rules that use Steering object or type "Overlay".

  • The Dynamic Object "My VPN Domain" will match traffic between VPN peers (for example, probing in "Overlay").

    No need to create a manual rule for such traffic.

  • The Dynamic Object "My VPN Domain" replaces the Zone object "My VPN Domain & Peer VPN Domain".

  • If you configure the SD-WAN Policy with the Dynamic Object "My VPN Domain", but your Security Gateway runs a lower version than required, then your Security Gateway converts the Dynamic Object "My VPN Domain" to the Zone object "My VPN Domain & Peer VPN Domain".

On the Security Gateway establishes Site to Site VPN tunnels with its VPN peers, the Dynamic Object "Peer VPN Domain" represents one large VPN Encryption Domain of all SD-WAN VPN peers.

Notes:

  • The Dynamic Object "Peer VPN Domain" also represents the external interface on the VPN peer Security Gateways that establish Site to Site VPN tunnels.

  • Use the Dynamic Object "Peer VPN Domain" in SD-WAN rules that use Steering object or type "Overlay".

  • The Dynamic Object "Peer VPN Domain" will match traffic between VPN peers (for example, probing in "Overlay").

    No need to create a manual rule for such traffic.

  • The Dynamic Object "Peer VPN Domain" replaces the Zone object "My VPN Domain & Peer VPN Domain".

  • If you configure the SD-WAN Policy with the Dynamic Object "Peer VPN Domain", but your Security Gateway runs a lower version than required, then your Security Gateway converts the Dynamic Object "Peer VPN Domain" to the Zone object "My VPN Domain & Peer VPN Domain".

The Dynamic Object "SD-WAN Internet" represents the Internet - ranges of public IP addresses.

Notes:

  • The Dynamic Object "SD-WAN Internet" does not contain these IP addresses:

    • Ranges of reserved IP addresses (private, public, multicast)

    • IP addresses of networks that are connected directly to the Security Gateway

    • Cluster Virtual IP addresses

    • Ranges of IP addresses that are represented by the Dynamic Objects "My VPN Domain" and "Peer VPN Domain"

    • Ranges of public IP addresses, for which there are specific static routes or dynamic routes (on roadmap)

  • Use the Dynamic Object "SD-WAN Internet" in SD-WAN rules that use Steering objects or type "Local Breakout" or "Backhaul" to match outbound traffic.

  • The Dynamic Object "SD-WAN Internet" replaces the Zone object "SD-WAN Internet".

  • If you configure the SD-WAN Policy with the Dynamic Object "SD-WAN Internet", but your Security Gateway runs a lower version than required, then your Security Gateway converts the Dynamic Object "SD-WAN Internet" to the Zone object "SD-WAN Internet".

  • For connections that undergo Destination NAT (such as with Inbound NAT / traffic for Published services), the Dynamic Object "SD-WAN Internet" matches the traffic against the destination IP address after NAT:

    • If the destination IP address after NAT matches the Dynamic Object "SD-WAN Internet" - the connection is matched to that SD-WAN rule

    • If the destination IP address after NAT does not match the Dynamic Object "SD-WAN Internet" (the IP address is private, or belongs to a directly connected network) - the connection is not matched to that SD-WAN rule

  • The Zone object "My VPN Domain & Peer VPN Domain" represents all private networks as described in RFC 1918:

    • 10.0.0.0/8

    • 172.16.0.0/15

    • 192.168.0.0/16

  • The Zone object "SD-WAN Internet" represents all networks other than the private networks that the Zone object "My VPN Domain & Peer VPN Domain" represents.

  • If you configure your Quantum SD-WAN service for the first time after 19 August 2024, then the SD-WAN Wizard creates the required predefined SD-WAN Policy rules with the new Dynamic Objects.

  • If you already SD-WAN Policy rules with the Zone objects "My VPN Domain & Peer VPN Domain" and "SD-WAN Internet":

    • You can continue using these Zone objects.

    • You can configure the SD-WAN Policy again to use the new Dynamic Objects (see the procedures below).

  • If ranges of public IP addresses exist inside your networks that are not directly connected to the Security Gateway (but are routed), and these ranges are not represented by the Dynamic Objects "My VPN Domain" and "Peer VPN Domain", then at the top of the SD-WAN Policy create a bypass rule with the Steering of type "Overlay", so traffic for these ranges does match rules with the Steering of type "Local Breakout".

  • To match "Overlay" traffic, configure this rule:

    Source

    Destination

    Services & Applications

    Behavior

    My VPN Domain

    Peer VPN Domain

    Peer VPN Domain

    My VPN Domain

    Any

    Default overlay

    Notes:

    • If in a Star VPN Community there are Center Gateways / Hub Gateways that route traffic between Spokes, then make sure to configure a rule for traffic from "Peer VPN Domain" to "Peer VPN Domain".

    • If in the "Services & Applications" column you use "Any" rather than specific applications‎, then the SD-WAN log cannot show the application that generated this traffic.

Follow the applicable procedure below to get the new predefined Dynamic Objects in the SD-WAN Policy:

If you configured your Quantum SD-WAN service for the first time before 19 August 2024, then follow these steps to see the new predefined Dynamic Objects:

  1. From the left navigation panel, click Network.

  2. In the middle panel, click Getting Started.

  3. In the Configure SD-WAN section, click Open Wizard.

  4. In this popup window, click OK:

    SD-WAN rules already exist. If you will choose to create new rules via the wizard, upon completion we recommend reviewing the SD-WAN policy to make sure the new rules aren't overlapping.

  5. Wait for 15 seconds.

  6. In the top right corner of the SD-WAN Setup window, click X to close it.

You can now select the new Dynamic Objects in the SD-WAN Policy.

If you configured your Quantum SD-WAN service for the first time before 19 August 2024, then follow these steps to add the new predefined Dynamic Objects:

  1. Note the number of the last SD-WAN rule.

  2. From the left navigation panel, click Network.

  3. In the middle panel, click Getting Started.

  4. In the Configure SD-WAN section, click Open Wizard.

  5. In this popup window, click OK:

    SD-WAN rules already exist. If you will choose to create new rules via the wizard, upon completion we recommend reviewing the SD-WAN policy to make sure the new rules aren't overlapping.

  6. Follow through this SD-WAN Wizard.

    See Step 4 - SD-WAN Wizard.

    The SD-WAN Wizard adds the new rules below the existing rules.

  7. From the left navigation panel, click Network.

  8. In the middle section, click SD-WAN Policy.

  9. Change the new rules as required for your environment.

    Disable the previous rules - in the # column, click the 3-dots button > click Disable.

  10. From the top toolbar, click Publish to save the changes.

  11. From the top toolbar, click Enforce to apply the changes.

    In the popup window that opens, click Publish & Enforce Policy.

Objects Supported in SD-WAN Policy

This section provides a list of objects you can use in various columns of SD-WAN policy rules.

  • Host

  • Network

  • Address Range

  • Security Zone

  • Dynamic Object

    Note - See Dynamic Objects in SD-WAN Policy.

  • Domain

  • Security Gateway Object

  • Cluster Object

  • Cluster Member Object

  • Network Groups

  • Access Role

SD-WAN supports Updatable Objects documented in sk131852.

  • TCP service

  • UDP service

  • Other service

  • SCTP service

  • Service Group

  • Check Point Applications

  • Application/Site Group

  • Custom Application/Site

  • DSCP Service Class