SD-WAN Terms

Objects you configured on the on-premises Management Server or in Smart-1 Cloud.

These are objects of such types as Security Gateway, Cluster, Host, Network, Service, Group, Address Range, Security Zone, Dynamic Object, and so on.

Note - You can use these objects in the Source and the Destination columns of SD-WAN rules.

To get there:

  1. From the left navigation panel, click Network.

  2. In the middle section, click Assets.

Objects you configure in Infinity Portal. These objects are collections of assets.

The available Zones are:

  • Public Networks

  • Private Networks

  • Any

Notes:

  • You can use these objects in the Source and the Destination columns of SD-WAN rules.

  • Object that represents the Internet:

    • If you do not use the SD-WAN Wizard, then to represent the entire Internet, you must manually create a Zone object called Public Networks (the object name is case-sensitive).

    • The SD-WAN Wizard creates this object automatically, if you configure the Local Breakout.

  • Object that represents all private networks:

    • If you do not use the SD-WAN Wizard, then to represent all private networks, you must manually create a Zone object called Private Networks (the object name is case-sensitive).

    • The SD-WAN Wizard creates this object automatically.

  • In each Zone object (on the General tab), you must configure a logical query to match your assets:

    1. Click the left bar with three vertical dots to delete the query, or to create logical group of several queries ("AND", "OR").

    2. In the first field, select the applicable asset field.

    3. Click the middle bar with two vertical dots to select the match operation ("Equals", "Not Equals", "In List", "Not In List", "Key Exists").

    4. In the last field, enter the value to match.

  • The SD-WAN Wizard creates the zone object "Private Networks" that matches these IP addresses:

    • from 10.0.0.0 to 10.255.255.255 (Class A)

    • from 172.16.0.0 to 172.31.255.255 (Class B)

    • from 192.168.0.0 to 192.168.255.255 (Class C)

  • The SD-WAN Wizard creates the zone object "Public Networks" that matches these IP addresses:

    • from 0.0.0.0 to 9.255.255.255

    • from 11.0.0.0 to 126.255.255.255

    • from 127.0.1.0 to 172.15.255.255

    • from 172.32.0.0 to 192.167.255.255

    • from 192.169.0.0 to 255.255.255.255

To get there:

  1. From the left navigation panel, click Network.

  2. In the middle section, click Zones.

Predefined objects that exist in Infinity Portal.

These objects represent different applications that generate traffic (for example, Zoom, Gmail, Facebook).

Check Point updates the list of these applications in Infinity Portal.

Security Gateways get the updated identifications of these applications.

A combination of predefined objects and user-defined objects (configured in SmartConsole).

These objects represent traffic over different protocols and ports.

Objects you configure in Infinity Portal.

These objects represent the Security Gateway's links to Internet Service Providers (ISPs).

To get there:

  1. From the left navigation panel, click Network.

  2. In the middle section, click SD-WAN Policy.

  3. From the top toolbar, click WAN Link Mapping.

  4. From the top toolbar, click Manage WAN Links.

Configuration in Infinity Portal that controls the mapping of a WAN Link to a Security Gateway's interface based on the interface name, or a user-defined interface tag.

See WAN Link Mapping.

Note - An interface tag is an alternative name you can assign to an interface.

Example:

There are two SD-WAN Security Gateway peers that connect to the same two Internet Service Providers (ISPs).

  • SD-WAN Security Gateway #1:

    • The interface eth1 connects to ISP #1

    • The interface eth2 connects to ISP #2

  • SD-WAN Security Gateway #2:

    • The interface eth3 connects to ISP #1

    • The interface eth4 connects to ISP #2

To make it easier to configure and understand WAN Link Mapping, you can configure these interface tags:

  • SD-WAN Security Gateway #1:

    • The interface eth1 connects to ISP #1 - tag "ISP1"

    • The interface eth2 connects to ISP #2 - tag "ISP2"

  • SD-WAN Security Gateway #2:

    • The interface eth3 connects to ISP #1 - tag "ISP1"

    • The interface eth4 connects to ISP #2 - tag "ISP2"

To get there:

  1. From the left navigation panel, click Network.

  2. In the middle section, click SD-WAN Policy.

  3. From the top toolbar, click WAN Link Mapping.

Configuration in Infinity Portal that controls how a Security Gateway must steer traffic based on:

  • Applicable Internet Service Providers (ISPs)

  • Latency, Jitter, Packet Loss of ISP Links

  • WAN Link Utilization

See Configuring Steering Behavior.

To get there:

  1. From the left navigation panel, click Network.

  2. In the middle section, click SD-WAN Policy.

  3. From the top toolbar, click Manage Objects.

Set of steering rules that control how the Security Gateway steers the traffic for different applications and services to the Internet or Headquarters.

If a Security Gateway cannot find a match in this ordered policy, then:

  • For connections that should not be encrypted, then Security Gateway uses the Gaia Operating System routing to forward the traffic.

  • For connections that have be encrypted, then Security Gateway cannot use all available WAN Links to forward the traffic.

See Configuring SD-WAN Policy.

Important - SD-WAN Policy applies only if the Anti-Spoofing, the HTTPS Inspection Policy, the Access Control Policy, and Threat Prevention Policy allow the traffic.

To get there:

  1. From the left navigation panel, click Network.

  2. In the middle section, click SD-WAN Policy.

These are the available profile types:

  • Quantum Profile

    This profile type uses a token to connect the Nano-Agent on the Security Gateway to Infinity Portal.

    Notes:

    • You can connect a Security Gateway only to one "Quantum Profile".

    • Make sure to configure the applicable maximum number of agents in the profile's "Advanced" settings.

    • The SD-WAN service creates this profile when you connect your Management Server to Infinity Portal.

      In addition, the SD-WAN Wizard makes sure this profile exists in the SD-WAN service.

    Best Practice - Connect all SD-WAN Security Gateways to the SD-WAN service in Infinity Portal with the same token (to make the policy configuration easier).

  • SD-WAN Profile

    This is a logical profile type.

    This profile type contains a collection of manually selected Security Gateways. You can use this profile in the Enforcement column of each SD-WAN Policy rule.

    Note - You can connect a Security Gateway to more than one "SD-WAN Profile".

To get there:

  1. From the left navigation panel, click Network.

  2. In the middle section, click Profiles.

A profile of the type Quantum Profile uses an authentication token to identity an SD-WAN Security Gateway that connects to the SD-WAN service in Infinity Portal.

This token is a pre-shared secret.

You can always revoke the current token in a profile and generate a new token:

  1. From the left navigation panel, click Network.

  2. In the middle section, click Profiles.

  3. Click the profile of the type Quantum Profile.

  4. Click the tab General.

  5. In the middle pane, refer to the section Authentication.

  6. On the right side of the field Token, click .

  7. Click Yes to confirm.

You can always delete Agents from the Tenant:

  1. From the left navigation panel, click Network.

  2. In the middle section, click Agents.

  3. Select the applicable Agent.

  4. From the top toolbar, click Delete.

A small software package (component) that runs on the Security Gateway.

This Nano-Agent is responsible for:

  • Installing and enforcing the SD-WAN Policy

  • Sending the logs for policy enforcement (success or failure) to Infinity Portal

  • Sending the SD-WAN Link Swap events to Infinity Portal

  • Sending the metrics for SD-WAN Links to Infinity Portal

To get there:

  1. From the left navigation panel, click Network.

  2. In the middle section, click Agents.