Check Point Firewall
You can establish a single Site-to-Site VPN tunnel between your Harmony SASE network and a Check Point firewall.

Prerequisites

- Harmony SASE Administrator Portal account.
- Harmony SASE Agent installed on your device.
- Administrator account for the firewall/router/cloud management portal.
Configuration Steps

Creating an Interoperable Device Object in the Check Point SmartConsole

1. Log in to the Check Point SmartConsole.
2. Click Security Policies.
3. On the top right, click New and select More > Network Object > More > Interoperable Device.
   The Interoperable Device window appears.
4. In the Name field, enter a name for the Harmony SASE gateway.
5. In the IPv4 Address field, enter the Harmony SASE gateway public IP address.
   To find the Harmony SASE gateway public IP address:
   a. Access the Harmony SASE Administrator Portal and click Networks.
   b. Select the network.
   c. Go to the Gateways section to find the public IP address used for the single IPsec tunnel.
6. Click OK.
Adding the Harmony SASE Gateway IP Address and Remote Subnet to the Interoperable Device Object

1. Log in to the Harmony SASE Administrator Portal.
2. Click Networks.
3. Verify the assigned network. The default value is 10.255.0.0/16.
   To verify:
   a. Select a network, scroll to the end of the row and click the icon.
   b. Select Edit Network.
   c. In the Edit Network section, check the Subnet field to verify the assigned network. The default value is 10.255.0.0/16.
4. Open the network object that you created.
   Note - If the gateway is configured with an interface topology that includes a network range or a group overlapping with the encryption domain of the remote VPN peer, incoming decrypted traffic may be seen as coming from the wrong interface. This can trigger anti-spoofing measures, causing traffic to be dropped. To create an anti-spoofing exception, see sk151774.
5. Click Topology > New.
6. In the General tab, enter:
   Field        Enter
   Name         Name for the topology.
   IP Address   10.255.0.0
   Net Mask     255.255.0.0
7. In the Topology tab, select Internal (leads to the local network) and select Network defined by the interface IP and Net Mask.
8. In the General tab, enter:
   Field        Enter
   Name         Name for the topology.
   IP Address   Public IP address of the Harmony SASE gateway.
   Net Mask     255.255.255.255
9. In the Topology tab, select External (leads to the local Internet).
10. Click OK.
11. Click OK.
12. Publish and install the policy.
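The Note in step 4 describes an easy-to-miss failure mode: a local interface topology that overlaps the peer's encryption domain makes decrypted traffic look spoofed. The following script is an added example, not code from the Check Point page or from either product; it checks a gateway's interface topology against the remote encryption domain before the policy is installed. The interface names and the 203.0.113.0/24, 10.255.1.0/24 and 192.168.10.0/24 ranges are constructed sample data; only the 10.255.0.0/16 Harmony SASE default comes from the page.

```python
# Added example (not part of the Check Point page): flag any local gateway
# interface whose topology range overlaps the remote VPN peer's encryption
# domain, the situation the Note above says can trigger anti-spoofing drops.
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample topology of the Check Point gateway. "eth1" is a
# deliberate mistake: a range inside the Harmony SASE network has been
# declared as a local internal network.
LOCAL_TOPOLOGY: Dict[str, List[str]] = {
    "eth0": ["203.0.113.0/24"],     # external, leads to the Internet
    "eth1": ["10.255.1.0/24"],      # internal, overlaps the remote domain
    "eth2": ["192.168.10.0/24"],    # internal LAN behind the gateway
}

# The same topology with the mistaken interface removed, for comparison.
CLEAN_TOPOLOGY: Dict[str, List[str]] = {
    "eth0": ["203.0.113.0/24"],
    "eth2": ["192.168.10.0/24"],
}

# Encryption domain of the remote VPN peer (Harmony SASE default network).
REMOTE_ENCRYPTION_DOMAIN: List[str] = ["10.255.0.0/16"]


def find_overlaps(topology: Dict[str, List[str]],
                  remote_domain: List[str]) -> List[Tuple[str, str, str]]:
    """Return (interface, local_network, remote_network) for every local
    topology range that overlaps a remote encryption-domain range.

    ipaddress.ip_network.overlaps() reports full containment and partial
    overlap alike, so a /24 inside the remote /16 is caught just as an
    identical /16 would be.
    """
    remote_nets = [ipaddress.ip_network(r, strict=False) for r in remote_domain]
    hits: List[Tuple[str, str, str]] = []
    for iface, ranges in topology.items():
        for local in ranges:
            local_net = ipaddress.ip_network(local, strict=False)
            for remote_net in remote_nets:
                if local_net.overlaps(remote_net):
                    hits.append((iface, str(local_net), str(remote_net)))
    return hits


if __name__ == "__main__":
    for iface, local, remote in find_overlaps(LOCAL_TOPOLOGY, REMOTE_ENCRYPTION_DOMAIN):
        print(f"{iface}: local range {local} overlaps remote encryption domain {remote}; "
              "decrypted traffic may be dropped by anti-spoofing (see sk151774)")
```

Run it against the ranges actually defined on the gateway's interfaces (not the Interoperable Device object, whose internal topology is meant to be the Harmony SASE network); any hit needs either a topology correction or the anti-spoofing exception the Note refers to.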
Creating a VPN Star Community

1. Log in to the Check Point SmartConsole.
2. Click Security Policies.
3. Go to Access Tools > VPN Communities.
4. Click New and select Star Community.
   The New Star Community window appears.
5. In the Enter Object Name field, enter an object name for the VPN Star Community, for example, Harmony SASE VPN.
6. Under Center Gateways, click the add icon and add the Check Point gateway.
7. Under Satellite Gateways, click the add icon and add the previously created Interoperable Device object for the Harmony SASE gateway. See step 3 of Creating an Interoperable Device Object in the Check Point SmartConsole.
8. Click Shared Secret.
9. To edit the shared key, click the edit icon.
10. In the Enter secret field, enter an appropriate key. Make a note of it, as it is used when configuring the tunnel in the Harmony SASE Administrator Portal.
    Note - Check Point recommends that the shared secret key is at least 20 characters in length.
11. Click OK.
12. Click Encryption and enter:
    Field                                 Enter
    Encryption Method                     IKEv2 only
    Custom encryption suite
      IKE Security Association (Phase 1)
        Encryption Algorithm              AES-256
        Data Integrity                    SHA256
        Diffie Hellman group              Group 14 (2048 bit)
      IKE Security Association (Phase 2)
        Encryption Algorithm              AES-256
        Data Integrity                    SHA256
    More
      IKE Security Association (Phase 2)
        Select Use Perfect Forward Secrecy
        Diffie Hellman group              Group 14 (2048 bit)
13. Click Tunnel Management and under VPN Tunnel Sharing, select One VPN tunnel per Gateway pair.
    Important - Make sure that you enter the remote subnets specified here in the Harmony SASE Administrator Portal. A mismatch can disconnect the tunnel.
14. Click Advanced.
15. In the IKE (Phase 1) section, set the Renegotiate IKE security associations every (minutes) field to 480.
16. In the IPsec (Phase 2) section, set the Renegotiate IPsec security associations every (seconds) field to 3600.
17. Click OK.
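The Important note in step 13 and the parameter tables above boil down to one requirement: every value entered on the Check Point side must be matched on the Harmony SASE side. The script below is an added example, not code from the Check Point page or from either product; it compares the two sides' intended settings and lists the mismatches before the tunnel is brought up. The Phase and TunnelSide structures are this example's own model, not either product's API or field names. The page supplies the parameters (IKEv2, AES-256, SHA256, DH group 14, 480 minutes and 3600 seconds, 10.255.0.0/16, a shared secret of at least 20 characters); the LAN subnets, the secret value and the two deliberate mistakes on the Harmony SASE side are constructed sample data.

```python
# Added example (not part of the Check Point page): audit the tunnel
# settings of both peers for the mismatches that can disconnect the tunnel.
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Phase:
    encryption: str
    integrity: str
    dh_group: int    # Phase 1 DH group, or the PFS group for Phase 2
    lifetime: int    # minutes for Phase 1, seconds for Phase 2 (as in the UI)


@dataclass(frozen=True)
class TunnelSide:
    name: str
    ike_version: str
    phase1: Phase
    phase2: Phase
    shared_secret: str
    local_subnets: List[str]    # what this side encrypts for the peer
    remote_subnets: List[str]   # what this side expects to reach via the peer


def _nets(subnets: List[str]) -> set:
    """Normalise subnet strings so 10.255.1.0/16 and 10.255.0.0/16 compare equal."""
    return {ipaddress.ip_network(s, strict=False) for s in subnets}


def audit(a: TunnelSide, b: TunnelSide, min_secret_len: int = 20) -> List[str]:
    """Return human-readable mismatches between two peers; empty means consistent."""
    problems: List[str] = []
    if a.ike_version != b.ike_version:
        problems.append(f"IKE version: {a.name}={a.ike_version}, {b.name}={b.ike_version}")
    for label in ("phase1", "phase2"):
        pa, pb = getattr(a, label), getattr(b, label)
        for attr in ("encryption", "integrity", "dh_group", "lifetime"):
            va, vb = getattr(pa, attr), getattr(pb, attr)
            if va != vb:
                problems.append(f"{label} {attr}: {a.name}={va}, {b.name}={vb}")
    if a.shared_secret != b.shared_secret:
        problems.append("shared secret differs between the two sides")
    for side in (a, b):
        if len(side.shared_secret) < min_secret_len:
            problems.append(f"{side.name}: shared secret shorter than {min_secret_len} characters")
    # Each side's local subnets must be exactly the peer's remote subnets.
    for local, remote in ((a, b), (b, a)):
        if _nets(local.local_subnets) != _nets(remote.remote_subnets):
            problems.append(f"{local.name} local subnets {sorted(local.local_subnets)} != "
                            f"{remote.name} remote subnets {sorted(remote.remote_subnets)}")
    return problems


# Check Point side, as configured in the steps above. The LAN subnet and the
# secret value are constructed.
CHECKPOINT = TunnelSide(
    name="CheckPoint",
    ike_version="IKEv2",
    phase1=Phase("AES-256", "SHA256", 14, 480),
    phase2=Phase("AES-256", "SHA256", 14, 3600),
    shared_secret="constructed-demo-secret-2024",
    local_subnets=["192.168.10.0/24"],
    remote_subnets=["10.255.0.0/16"],
)

# Harmony SASE side with two constructed mistakes: a Phase 2 lifetime of
# 28800 s and an extra route (192.168.20.0/24) the Check Point side does
# not encrypt.
SASE_MISMATCHED = TunnelSide(
    name="HarmonySASE",
    ike_version="IKEv2",
    phase1=Phase("AES-256", "SHA256", 14, 480),
    phase2=Phase("AES-256", "SHA256", 14, 28800),
    shared_secret="constructed-demo-secret-2024",
    local_subnets=["10.255.0.0/16"],
    remote_subnets=["192.168.10.0/24", "192.168.20.0/24"],
)

# The same side with both mistakes corrected.
SASE_ALIGNED = TunnelSide(
    name="HarmonySASE",
    ike_version="IKEv2",
    phase1=Phase("AES-256", "SHA256", 14, 480),
    phase2=Phase("AES-256", "SHA256", 14, 3600),
    shared_secret="constructed-demo-secret-2024",
    local_subnets=["10.255.0.0/16"],
    remote_subnets=["192.168.10.0/24"],
)


if __name__ == "__main__":
    for problem in audit(CHECKPOINT, SASE_MISMATCHED):
        print("MISMATCH:", problem)
    print("aligned:", audit(CHECKPOINT, SASE_ALIGNED) == [])
```

The subnet comparison is deliberately strict (set equality rather than containment): an extra or missing route on one side is exactly the mismatch the Important note warns about, and it is easier to spot in a list than to diagnose from a tunnel that flaps.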
Additional settings in the Check Point SmartConsole

1. To set up a Check Point firewall policy, add a rule for VPN traffic for the specific VPN Domain in the Check Point SmartConsole.
   In this example, the policy allows traffic from the Harmony SASE network 10.255.0.0/16 to specific destinations and services. Note that the network may differ if you changed the default settings when creating the Harmony SASE network. For testing purposes, initially allow any/any, then make the firewall policy more restrictive.
2. Publish and install the policy.

To configure the tunnel in the Harmony SASE Administrator Portal, see Configuring the Tunnel in the Harmony SASE Administrator Portal.
To configure the Routes Table in the Harmony SASE Administrator Portal, see Routes Table.