This section describes how to set up and manage Remote Access and Site to Site VPN.
In the VPN > Remote Access Blade Control page you can establish secure encrypted connections between home desktops and laptops and the organization through the Internet.
For remote access, you must define users in the system with credentials and set permissions for specified users. The appliance must be accessible from the Internet.
Note - Remote Access applies to traffic from IPv4 addresses only.
These are supported remote access connection methods:
We highly recommend that you first configure DDNS or a static IP Internet connection on the appliance. If you do not use a static IP, your appliance's IP address can vary based on your Internet Service Provider. DDNS lets home users connect to the organization by name instead of by an IP address that can change. See Device > DDNS for more details.
To configure DDNS, click the DDNS link or the Internet link for static IP.
To enable or disable VPN Remote Access:
Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services.
To configure the default access policy through remote access:
VPN Remote Access methods:
By default, Check Point VPN clients is enabled.
To configure VPN remote access methods:
The Usage window opens.
To manage SSL VPN bookmarks:
The VPN > Advanced page opens.
A new window opens.
Note - If you select Global bookmark, all users see this bookmark.
If you select RDP as the bookmark type, you must enter the user name and password in the RDP Advanced Settings. These credentials are sent to the end user.
Note - If you select Show characters, the password characters are visible.
You can also specify the screen size of the remote desktop. The default mode is full screen.
To manage bookmarks:
To assign a VPN certificate:
The Certificate authentication window opens. The list of uploaded certificates shows in the drop down menu.
Note - You cannot select the default Web portal certificate.
To send users remote access usage instructions:
To change the Remote Access port settings:
If the default remote access port (port 443) and a server use the same port, a conflict message shows. You must change the default remote access port if the Check Point VPN client, Mobile client, or SSL VPN remote access methods are enabled as they use port 443 by default.
The Remote Access Port Settings window opens.
In the VPN > Remote Access Users page you can configure remote access permissions for users and groups.
Users and user groups can be configured in other pages as well (Users & Objects > Users). This page is dedicated to those with remote access permissions. From this page you can add:
You can also set SSL VPN bookmarks by user, user group, and Active Directory group.
If no authentication servers are defined, click the Active Directory / RADIUS server link to define them.
Note that when User Awareness is turned off, there is no user identification based on Browser-Based Authentication and Active Directory Queries.
To add a new local user with remote access permissions:
Enter the expiration date and time.
The user is added to the table on the page.
To add a new local users group with remote access permissions:
You can see a summary of the group members above the user list. You can remove members by clicking the X next to the relevant user name.
The group is added to the table on the page.
To add remote access permissions to an existing Active Directory group:
The Active Directory group is added to the table on the page.
To add remote access permissions to all users defined in an Active Directory:
Note that most Active Directories contain a large list of users and you might not want to grant them all remote access permissions to your organization. Usually you keep the Selected Active Directory user groups option.
The Active Directory is added to the table on the page.
To add remote access permissions for users defined in the RADIUS group:
The RADIUS server or specific users from the RADIUS server are added to the table on the page.
To configure SSL VPN bookmarks:
A new window opens.
Note - If you select Global bookmark, this bookmark is always shown.
To edit a user or group:
To delete a user or group:
The user or group is deleted.
In the Authentication Servers page you can define and view different authentication servers where users can define both an external user database and the authentication method for users in that database.
You can define these types of authentication servers:
To add a RADIUS server:
Note - If you want to remove the information you entered in IP address and shared secret, click Clear.
The primary and secondary servers (if defined) are added to the RADIUS section on the page.
RADIUS servers can be used for:
To edit a RADIUS server:
The changes are updated in the RADIUS server.
To delete a RADIUS server:
Click the Remove link next to the RADIUS server you want to delete.
The RADIUS server is deleted.
To configure remote access permissions for users defined in the RADIUS server:
To add an Active Directory domain:
The Add new Domain window opens.
When an Active Directory is defined, you can select it from the table and choose Edit or Delete when necessary.
When you edit, note that the Domain information is read-only and cannot be changed.
When you add a new Active Directory domain, you cannot create another object using an existing domain.
To configure remote access permissions for all users defined in Active Directory:
By default, users defined in the Active Directory are not given remote access permissions. Instead, in the VPN > Remote Access Users page all users defined locally or in Active Directories can be selected to be granted remote access permissions per user.
Note that most Active Directories contain a large list of users and you might not want to grant them all remote access permissions to your organization. Usually you keep the Selected Active Directory user groups option and configure remote access permissions through VPN > Remote Access Users page.
To change synchronization mode with the defined Active Directories:
To edit an Active Directory:
To delete an Active Directory:
The Active Directory is deleted.
Note - This page is available from the VPN and Users & Objects tabs.
In the VPN > Remote Access Advanced page you can configure more advanced settings to determine VPN remote access users' behavior.
You can also add bookmarks (HTML links or RDP links) for specified URLs or computers when you connect through SSL VPN (see below). The next time you log in, your bookmarks are shown.
What is Office Mode?
Remote access VPN clients connect through a VPN tunnel from their homes to the appliance and from there they can gain access into the organization's resources.
The appliance assigns each remote access user an IP address from a specified network so that the traffic inside the organization is not aware that it originated from outside the organization.
This technology is called Office Mode and the network used for supplying the IP addresses is configurable.
To configure the Office Mode network:
To assign a VPN certificate:
The list of uploaded certificates shows.
Note - You cannot select the default Web portal certificate.
To route all traffic from VPN remote access clients through the gateway:
Normally, only traffic from the VPN clients into the organization's encryption domain is encrypted and sent through the VPN tunnel to the gateway. Selecting the above checkbox causes all traffic from the VPN clients to be encrypted and sent to the gateway. Traffic to locations outside the organization is enforced in this case by the outgoing access Policy. For more information, see Access Policy Firewall Blade Control and Policy pages.
Note - This setting does not apply to traffic from SSL Network Extender clients.
To manually configure a local encryption domain for remote access users only:
The local encryption domains are the internal networks accessible by encrypted traffic from remote access VPN users. By default, the local encryption domain is determined automatically by the appliance. Networks behind LAN interfaces and trusted wireless networks are part of the local encryption domain.
Optionally, you can manually create a local encryption domain to be used by remote access users only instead. It is possible to configure a different manual local encryption domain for VPN remote access and VPN site to site. See VPN > Site to Site Blade Control page.
The Remote Access Local Encryption Domain window opens and shows the services you selected.
DNS Servers for Remote Access users
You can define up to three DNS servers for Remote Access clients. By default, the Office mode first DNS for clients is set to this gateway.
To use a different DNS Primary server:
DNS domain name
You can set a DNS domain name that the Remote Access clients' devices automatically use to attempt to resolve non-FQDN domains. By default, the suffix is automatically configured to take the DNS domain name configured in the DNS page.
To configure a manual DNS domain name:
To configure the DNS domain name to be the same as the defined DNS domain name:
The DNS domain name shows the text "Same as DNS domain name".
To configure SSL VPN bookmarks:
A new window opens.
Note - If you select Global bookmark, this bookmark is always shown.
To set SSL VPN bookmarks:
A new window opens.
Note - If you select Global bookmark, this bookmark is shown to all users.
If you select RDP as the bookmark type, you must enter the user name and password in the RDP Advanced Settings. These credentials are sent to the end user.
Note - If Show characters is selected, the password characters are shown.
You can also specify the screen size of the remote desktop. The default mode is full screen.
To manage bookmarks:
In the VPN > Site to Site Blade Control page you can activate the appliance's ability to create VPN tunnels with remote sites. Site to Site VPN can connect two networks separated by the Internet through a secure encrypted VPN tunnel. This allows for seamless secure interaction between the two networks within the same organization even though they are physically distant from each other.
On this page you can activate the blade to allow site to site connectivity. You can view how many sites are already defined and configure basic access policy from the remote sites into the specific network accessible by this gateway.
The remote site can be accessible through another Check Point appliance (recommended) or a 3rd party VPN solution.
Once defined, access to the remote site is determined by the incoming/internal/VPN traffic Rule Base as seen in the Access Policy > Firewall Policy page. This is due to the fact that the remote site's encryption domain is considered part of the organization even though traffic to it is technically outgoing to the Internet (since it is now VPN traffic).
To enable/disable the VPN Site to Site blade:
Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services.
A warning icon is shown if the blade is active but no VPN sites are defined. Click VPN Sites to add a VPN site or see how many VPN sites are defined. The full list of the sites is located in VPN > Site to Site VPN Sites.
To configure the default access policy from remote VPN sites:
Local Encryption Domain
The local encryption domain defines the internal networks accessible by encrypted traffic from remote sites and networks, and that traffic from them to remote sites is encrypted. By default, the local encryption domain is determined automatically by the appliance. Networks behind LAN interfaces and trusted wireless networks are part of the local encryption domain. Optionally, you can manually create a local encryption domain instead. See the VPN > Site to Site Advanced page for instructions.
In the VPN > Site to Site VPN Sites page you can configure remote VPN sites. For more on how to configure site to site VPN, go to VPN > Site to Site Blade Control.
When you add a new VPN site, these are the tabs where you configure these details:
To add a new VPN site:
The New VPN Site window opens in the Remote Site tab.
Note - Behind static NAT applies to IPv4 addresses only.
In the Encryption tab you can change the default settings. There are built-in groups of encryption settings; the selected group only needs to match between this configuration and the remote site.
In the Advanced tab:
Select the IKE version:
If you select IKEv1:
The modes for IKE negotiation are main mode and aggressive mode. For IKE negotiation, main mode uses six packets and aggressive mode uses three packets. We recommend you use main mode which is more secure. By default, Enable aggressive mode is not selected and main mode is used. Enable aggressive mode only if necessary and the other side of the VPN tunnel does not support main mode. (Third party gateways primarily do not work in main mode.)
Aggressive mode is used to create a tunnel when one of the gateways is behind NAT. In this case, a pre-shared secret does not provide enough data for authentication in main mode. Authentication must be done using a certificate and a gateway (peer) ID, or a secondary identifier couple that is available in aggressive mode. The secondary identifier method is also available in IKEv2.
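Why a pre-shared secret alone is not enough in main mode when the peer is behind NAT, as an added example (not Check Point code): in IKEv1 main mode the peer's ID arrives encrypted under keys derived from the secret, so the responder can only choose the secret by source IP address, while aggressive mode sends the ID first. The key derivation is simplified from RFC 2409, and the cipher, peer ID, addresses, nonces and secrets are constructed assumptions.

```python
# Added example: simplified model of IKEv1 pre-shared-secret authentication.
# Not Check Point code. Peer IDs, addresses, nonces and secrets are constructed.
import hashlib
import hmac

PSK = b"constructed-shared-secret"
NI, NR = bytes(range(16)), bytes(range(16, 32))            # exchanged nonces
DH_SECRET = hashlib.sha256(b"constructed g^xy").digest()   # stands in for the DH result
PSK_BY_IP = {"203.0.113.10": PSK}     # responder config: secret per peer address
PSK_BY_ID = {b"branch-7": PSK}        # responder config: secret per peer ID


def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream_xor(key, data):
    """Toy cipher standing in for the negotiated IKE encryption algorithm."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += prf(key, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def derive(psk):
    skeyid = prf(psk, NI + NR)                   # RFC 2409: prf(pre-shared-key, Ni_b | Nr_b)
    skeyid_e = prf(skeyid, DH_SECRET + b"\x02")  # simplified: the RFC chains SKEYID_d/_a/_e
    return skeyid, skeyid_e


def hash_i(skeyid, ident):
    return prf(skeyid, DH_SECRET + ident)        # simplified HASH_I


def initiator_auth(mode, psk, ident):
    """Build the initiator's authentication data for the chosen mode."""
    skeyid, skeyid_e = derive(psk)
    proof = hash_i(skeyid, ident)
    if mode == "main":
        # Main mode: the ID and HASH_I travel encrypted.
        return {"id": None, "blob": keystream_xor(skeyid_e, ident + proof)}
    # Aggressive mode: the ID is sent unencrypted, before authentication.
    return {"id": ident, "blob": proof}


def responder_auth(mode, src_ip, msg):
    """Return (authenticated, peer ID or failure reason)."""
    if mode == "main":
        # The ID is still encrypted, so the source address is the only lookup key.
        psk = PSK_BY_IP.get(src_ip)
        if psk is None:
            return (False, "no pre-shared secret for address " + src_ip)
        skeyid, skeyid_e = derive(psk)
        plain = keystream_xor(skeyid_e, msg["blob"])
        ident, proof = plain[:-32], plain[-32:]
    else:
        # The ID is readable, so the secret can be found whatever the NAT address is.
        ident, proof = msg["id"], msg["blob"]
        psk = PSK_BY_ID.get(ident)
        if psk is None:
            return (False, "unknown peer ID")
        skeyid, _ = derive(psk)
    if hmac.compare_digest(proof, hash_i(skeyid, ident)):
        return (True, ident.decode())
    return (False, "HASH_I mismatch")


if __name__ == "__main__":
    nat_addr = "198.51.100.23"   # address the NAT device happens to present
    for mode in ("main", "aggressive"):
        msg = initiator_auth(mode, PSK, b"branch-7")
        print(mode, responder_auth(mode, nat_addr, msg))
```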
If you select Enable aggressive mode for IKEv1:
For more information on installing the certificate, see Certificates - Installed Certificates.
Notes:
If you select IKEv2:
With the IKEv2 protocol, when you create a tunnel and one of the gateways is behind NAT without a certificate (it uses a pre-shared secret), you can use a secondary identifier couple to allow authentication. In this case, the pre-shared secret is not enough.
Select to Create IKEv2 VPN tunnel using these identifiers:
If you select Prefer IKEv2, support IKEv1, configure the fields as explained for the first two options.
When you select certificate matching in the Remote Site tab, you first need to add the CA that signed the remote site's certificate in the VPN > Certificates Trusted CAs page. In the Advanced tab, you can select to match the certificate to Any Trusted CA or an Internal CA. You can also configure more matching criteria on the certificate.
This section is shown only when you select High Availability or Load Sharing for the connection type in the Remote Site tab. When the remote site has multiple IP addresses for VPN traffic, the correct address for VPN is discovered through one of these probing methods:
When you finish the new VPN site configuration, click Apply.
An initial tunnel test begins with the remote site. If you have not yet configured it, click Skip. The VPN site is added to the table.
Locally managed gateways can be part of these site to site communities:
For examples of when to use a mesh or star community, see VPN Community Use Cases.
To configure a gateway as the center:
The Edit VPN Site window opens.
This gateway is now designated as the center. Hide NAT is done automatically in the center gateway.
To configure a gateway as a satellite:
The Edit VPN Site window opens.
This gateway is now designated as a satellite.
You can configure more than one satellite gateway to route all traffic through the center gateway.
If you try to configure two gateways to be the center, an error message shows.
If you do not configure one gateway as a center, the site to site VPN acts like a mesh community and each gateway continues to handle its own traffic.
To run a tunnel test with a remote site:
Check Point uses a proprietary protocol to test if VPN tunnels are active. It supports any site-to-site VPN configuration. Tunnel testing requires two Security Gateways and uses UDP port 18234. Check Point tunnel testing protocol does not support 3rd party Security Gateways.
To edit a VPN site:
To delete a VPN site:
The VPN site is deleted.
To disable or enable the VPN site:
The VPN site is disabled or enabled.
Q: A system administrator is responsible for 6 gateways and wants to share network resources between the satellite branches. Which type of VPN community is preferable?
A: A star VPN community is preferable as every gateway does not have to create a VPN tunnel with all of the others. Instead, the 5 satellite peer gateways will each create one site to site star VPN community to the center gateway. Only the star gateway (center) must create a site to site from itself to each of the remote peers.
Q: A center gateway handles all the traffic in the VPN community. When the gateway reboots, all the other gateways' internet traffic is affected, and they lose access to the remote peer encryption domain until the center gateway comes back up. How can the administrator avoid this downtime?
A: In this case, a mesh community is better as each gateway can handle its own internet traffic and is not affected by any other gateway.
Note - This page is relevant only if Cloud Services is turned on.
In the VPN > Site to Site Community page you can see details of the community members configured for this appliance by Cloud Services. The information here is read-only and you cannot update details. The settings configured by Cloud Services for the VPN > Site to Site software blade are used by the community members.
The Community page shows:
To test the VPN connection for a site:
If the test succeeds, a success message is shown. Click OK to close it.
If the test does not succeed, click Details for more information. If applicable, click Retry.
To see the details of a site configured by Cloud Services:
Select a site and click View Details.
The View Site Details window opens and shows:
For descriptions of the fields in the site details tabs, see Configuring VPN Sites.
In the VPN Tunnels page you can see current VPN tunnels opened between this gateway and remote sites. Some sites are configured so tunnels are established only when necessary and some are configured with permanent tunnels. When the appliance is managed by Cloud Services, this table also shows the tunnels for the gateways in the community.
This page is commonly used to see the permanent tunnels. The table shows each tunnel's details when there is an active VPN tunnel.
Field | Description |
---|---|
From | Host name or IP address of the tunnel’s source gateway. |
Site Name | Name of the VPN site. |
Peer Address | Host name or IP address of the tunnel’s destination gateway. |
Community Name | If the gateways are part of a community configured by Cloud Services, the community name with which the tunnel is associated. |
Status | VPN tunnel status indication. |
To filter the list:
In the Type to filter box, enter the filter criteria.
The list is filtered.
To refresh the list:
Click Refresh to manually refresh this page with updated tunnel information.
Note - This page is available from the VPN and Logs & Monitoring tabs.
In the VPN > Site to Site Advanced page you can configure global advanced options that define how the appliance connects to remote sites.
The configuration options on this page answer these configuration questions:
Configuring a Local Encryption Domain
In domain based VPN, traffic is encrypted when it originates in one encryption domain and is transmitted to a different domain.
The local encryption domain defines:
By default, the local encryption domain is determined automatically by the appliance. Networks behind LAN interfaces and trusted wireless networks are part of the local encryption domain. Optionally, you can manually create a local encryption domain if necessary.
To manually configure a local encryption domain:
The Site to Site Local Encryption Domain window opens and shows the services you selected.
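The encryption-domain rules described on this page (domain-based site to site VPN, and the remote access option to route all traffic through the gateway) can be checked offline before a manual domain is entered. This is an added example, not appliance code: the function names are hypothetical, every network, address and site name is constructed, and the overlap audit goes beyond the page as a sanity check for manually defined domains.

```python
# Added example: a model of the encryption-domain decisions, not appliance code.
# All networks, addresses and site names below are constructed sample values.
import ipaddress
from itertools import combinations

LOCAL_DOMAIN = ["192.168.1.0/24", "192.168.2.0/24"]   # networks behind LAN interfaces
REMOTE_SITES = {                                       # remote sites' encryption domains
    "branch-a": ["10.10.0.0/16"],
    "branch-b": ["10.10.20.0/24", "172.16.5.0/24"],
}
OFFICE_MODE = ["172.16.10.0/24"]                       # Office Mode address pool


def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def _in_domain(cidrs, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _nets(cidrs))


def site_to_site_peers(src, dst, local_domain, remote_sites):
    """Domain-based VPN: traffic is encrypted only when it originates in the
    local encryption domain and is sent to a remote site's encryption domain.
    Returns the sorted names of matching sites; [] means not encrypted, and
    more than one name means the configured domains are ambiguous."""
    if not _in_domain(local_domain, src):
        return []
    return sorted(name for name, domain in remote_sites.items()
                  if _in_domain(domain, dst))


def remote_access_path(dst, ra_domain, route_all_traffic=False):
    """Remote access client: by default only traffic into the encryption
    domain uses the tunnel; with route-all enabled, everything does."""
    if route_all_traffic or _in_domain(ra_domain, dst):
        return "tunnel"
    return "direct"


def domain_overlaps(domains):
    """Audit {name: [cidr, ...]} for networks claimed by two domains.
    An overlap means one address could belong to either domain."""
    findings = []
    for (a, nets_a), (b, nets_b) in combinations(sorted(domains.items()), 2):
        for net_a in _nets(nets_a):
            for net_b in _nets(nets_b):
                if net_a.overlaps(net_b):
                    findings.append((a, str(net_a), b, str(net_b)))
    return findings


if __name__ == "__main__":
    print(site_to_site_peers("192.168.1.10", "10.10.1.5", LOCAL_DOMAIN, REMOTE_SITES))
    print(site_to_site_peers("192.168.1.10", "10.10.20.5", LOCAL_DOMAIN, REMOTE_SITES))
    print(remote_access_path("203.0.113.9", LOCAL_DOMAIN))
    print(remote_access_path("203.0.113.9", LOCAL_DOMAIN, route_all_traffic=True))
    everything = {"local": LOCAL_DOMAIN, "office-mode": OFFICE_MODE, **REMOTE_SITES}
    for finding in domain_overlaps(everything):
        print("overlap:", finding)
```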
Configuring the Appliance's Interfaces
Link Selection is a method used to:
In addition, with the Link Selection mechanisms, the administrator can select which source IP addresses are used for VPN traffic.
The default configuration to select an outgoing interface and source IP address is for the device to determine them automatically. Alternatively, you can change the default settings and select other means to determine:
To configure the appliance’s outgoing interfaces and source IP address for VPN:
Tunnel Health Monitoring
Dead Peer Detection (DPD) is an additional keepalive mechanism supported by the Check Point Security Gateway to test if VPN tunnels are active. DPD uses IPsec traffic to minimize the number of messages required to confirm the availability of a peer and requires an IPsec established tunnel. The DPD mechanism is based on IKE encryption keys only.
The feature also allows you to monitor permanent tunnels based on DPD for both IKEv1 and IKEv2.
In active mode, a peer that is configured as DPD receives DPD Hello requests at regular intervals if there is no incoming IPSec traffic for 10 seconds.
To test if a VPN tunnel is active:
Select a Tunnel health monitoring method
In DPD responder mode, the Check Point gateway sends the IKEv1 Vendor ID to peers from which the DPD Vendor ID was received and answers incoming DPD packets.
To enable DPD responder mode:
Click the checkbox.
In the VPN > Certificates Trusted CAs page you can add CAs used by remote sites' certificates to enable a VPN or WebUI certificate. A certificate shown by the remote site must be signed by a CA that is trusted by the appliance. Trusted CAs include both intermediate and root CAs.
This page also shows the built in Internal CA that by default creates the certificates for this appliance. It can also be used to sign remote sites' certificates. You can also export the internal CA to add it to a remote site's trusted CA list.
When Cloud Services is turned on and the appliance is configured by a Cloud Services Provider, the CA of the Cloud Services Provider is downloaded automatically to the appliance. The Cloud Services Provider CA is used by community members configured by Cloud Services. Note that if you turn Cloud Services off, the Cloud Services Provider CA is removed.
Recommended configurations
When you use certificate based site to site VPN with only one remote site, we recommend you export each site's Internal CA and add it to the other site's Trusted CA list.
When you use certificate based site to site VPN with multiple remote sites, in a mesh configuration, we recommend that all sites use one CA to sign their internally used certificates on appliances that support creating signing requests. You must also add the same CA to all sites' Trusted CAs list. That CA can be an external CA service like Verisign (for a fee), or you can simply use this appliance's Internal CA. See below how to use it to sign external requests.
To add a trusted CA:
To edit a trusted CA's configuration:
To delete a trusted CA:
To export the Internal CA (or other previously imported CAs):
To sign a remote site's certificate request by the Internal CA:
The file must be in a path accessible to the appliance. After you click OK in the file browsing window, the file is uploaded. If it is correctly formatted, it is signed by the Internal CA and the Download button is available.
On the Installed Certificates page, you can create and manage appliance certificates or upload a P12 certificate. Uploaded certificates and the default certificates are displayed in a table. To see certificate details, click the certificate name.
You can upload a certificate signed by an intermediate CA or root CA. All intermediate and root CAs found in the P12 file are automatically uploaded to the trusted CAs list.
Note - This page is available from the Device and VPN tabs.
On the VPN Remote Access Blade Control page, after you enable the SSL VPN feature, you can select and assign a certificate from the list of the installed certificates (with the exception of the Default Web Portal certificate). You can also do this on the Remote Access Advanced tab.
On the Device > Device Details page, you can select and assign a Web portal certificate from the list of installed certificates (with the exception of the Default certificate).
Installed certificates are used in site-to-site VPN, SSL VPN, and the Web portal.
When Cloud Services is turned on and the appliance is configured by Cloud Services, the Cloud Services Provider certificate is downloaded automatically to the appliance. The Cloud Services Provider certificate is used by community members configured by Cloud Services. Note - If you turn Cloud Services off, the Cloud Services Provider certificate is removed.
These are the steps to create a signed certificate:
To create a new certificate to be signed by a CA:
The new signing request is added to the table and the status shows "Waiting for signed certificate".
Note - You cannot edit the request after it is created.
If the new signing request is signed by the Internal CA and the Organization Name is not defined in the DN, the Internal CA automatically generates the Organization Name.
To export the signing request:
Click Export.
To upload the signed certificate when you receive the signed certificate from the CA:
The status of the installed certificate record changes from "Waiting for signed certificate" to "Verified".
To upload a P12 file:
In the Certificates Internal Certificate page you can view details of an internal VPN certificate. You can also view and reinitialize the certificate used by the internal CA that signed the certificate and can be used to sign external certificates.
Note - This page is available from the Device and VPN tabs.
When you create an internal VPN certificate, or use any certificate that is signed by the internal CA, the CA's certificate must be reinitialized when the Internet connection's IP addresses change.
To avoid constant reinitialization, we recommend you use the DDNS feature. See Device > DDNS. When DDNS is configured, you only need to reinitialize the certificate once. Changes in the DDNS feature configuration by default automatically reinitialize certificates.
To reinitialize certificates:
The Reinitialize Certificates window opens.
Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation.
Note - The internal VPN certificate expiration date cannot be later than the CA expiration date.
To replace an internal CA certificate:
The Upload a P12 Certificate window opens.
Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation.
To export an internal CA certificate:
Click Export Internal CA Certificate to download the internal CA certificate.
To sign a remote site's certificate request by the internal CA:
The file must be in a path accessible to the appliance. After you click OK in the file browsing window, the file is uploaded. If it is correctly formatted, it is signed by the Internal CA and the Download button is available.