
Managing VPN

In This Section:

Remote Access Blade Control

Remote Access Users

Remote Access Authentication Servers

Remote Access Advanced

Site to Site Blade Control

Site to Site VPN Sites

Site to Site Community

Site to Site VPN Tunnels

Site to Site Advanced

Certificates - Trusted CAs

Certificates - Installed Certificates

Certificates - Internal Certificates

This section describes how to set up and manage Remote Access and Site to Site VPN.

Remote Access Blade Control

In the VPN > Remote Access Blade Control page you can establish secure encrypted connections between home desktops and laptops and the organization through the Internet.

For remote access, you must define users in the system with credentials and set permissions for specified users. The appliance must be accessible from the Internet.

Note - Remote Access applies to traffic from IPv4 addresses only.

These are supported remote access connection methods:

We highly recommend that you first configure DDNS or a static IP Internet connection on the appliance. If you do not use a static IP, your appliance's IP address can change, depending on your Internet Service Provider. DDNS lets home users connect to the organization by name rather than by an IP address that can change. See Device > DDNS for more details.

To configure DDNS, click the DDNS link or the Internet link for static IP.

To enable or disable VPN Remote Access:

  1. Select On or Off.
  2. Click Apply.

Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services.

To configure the default access policy through remote access:

  1. Select or clear the Allow traffic from Remote Access users (by default) checkbox. When cleared, access from Remote Access users to resources in the organization must be defined for each resource using the Access Policy > Servers page or by manually defining access rules in the Access Policy > Firewall Policy page.
  2. Select or clear the Log traffic from Remote Access users (by default) checkbox.
  3. Click Apply.

VPN Remote Access methods:

By default, the Check Point VPN clients method is enabled.

To configure VPN remote access methods:

  1. Select the checkbox next to the desired method and click How to connect...

    The Usage window opens.

  2. Follow the instructions. You can also receive these instructions by email.
  3. Close the window and click Apply.

To manage SSL VPN bookmarks:

  1. Select the SSL VPN checkbox.
  2. Click Apply.
  3. Click Manage SSL VPN bookmarks.

    The VPN > Advanced page opens.

  4. In SSL VPN bookmarks, click New to create new bookmarks.

    A new window opens.

  5. Enter these details:
    • URL

    Note - If you select Global bookmark, all users see this bookmark.

    • Type - Link or RDP (remote desktop protocol)
    • Label - The bookmark name
    • Tooltip - Description
  6. Click Apply.

If you select RDP as the bookmark type, you must enter the user name and password in the RDP Advanced Settings. These credentials are sent to the end user.

Note - If you select Show characters, the password characters are visible.

You can also specify the screen size of the remote desktop. The default mode is full screen.

To manage bookmarks:

  1. Click on a bookmark.
  2. Click Edit or Delete.
  3. Click Apply.

To assign a VPN certificate:

  1. Select the SSL VPN checkbox.
  2. Click Certificate authentication.

    The Certificate authentication window opens. The list of uploaded certificates shows in the drop-down menu.

  3. Select the certificate name.

    Note - You cannot select the default Web portal certificate.

  4. Click Apply.

To send users remote access usage instructions:

  1. Click the How to connect link next to the relevant remote access method.
  2. Click the E-mail these instructions link to open a pre-filled email that contains the instructions.
  3. Click Close.

To change the Remote Access port settings:

If the default remote access port (port 443) is also used by a server, a conflict message shows. In that case you must change the default remote access port, because the Check Point VPN client, Mobile client, and SSL VPN remote access methods use port 443 by default.

  1. Click the Change port link.

    The Remote Access Port Settings window opens.

  2. In Remote Access port, enter a new port number.
  3. Make sure Reserve port 443 for port forwarding is selected.
  4. Click Apply.

Remote Access Users

In the VPN > Remote Access Users page you can configure remote access permissions for users and groups.

Users and user groups can be configured in other pages as well (Users & Objects > Users). This page is dedicated to those with remote access permissions. You can add through it:

You can also set SSL VPN bookmarks by user, user group, and Active Directory group.

If no authentication servers are defined, click the Active Directory / RADIUS server link to define them.

Note that when User Awareness is turned off, there is no user identification based on Browser-Based Authentication and Active Directory Queries.

To add a new local user with remote access permissions:

  1. Click Add > New Local User.
  2. In the Remote Access tab, enter the necessary details.
  3. For temporary or guest users, click Temporary user.

    Enter the expiration date and time.

  4. Do not clear the Remote Access permissions checkbox.
  5. In the SSL VPN Bookmarks tab, configure the SSL VPN bookmarks (see below).
  6. Click Apply.

    The user is added to the table on the page.

To add a new local users group with remote access permissions:

  1. Click Add > New Users Group.
  2. In the Remote Access tab, enter the group name.
  3. Do not clear the Remote Access permissions checkbox.
  4. Select initial users to add to the group by clicking the relevant checkboxes from the user list or click New to create new users.

    You can see a summary of the group members above the user list. You can remove members by clicking the X next to the relevant user name.

  5. In the SSL VPN Bookmarks tab, configure the SSL VPN bookmarks (see below).
  6. Click Apply.

    The group is added to the table on the page.

To add remote access permissions to an existing Active Directory group:

  1. Click Add > Active Directory Group.
  2. If no Active Directory was defined, you are prompted to configure one. For more information on configuring Active Directory see VPN > Authentication Servers.
  3. When an Active Directory has been defined, you see a list of available user groups defined in the server.
  4. Select one of the user groups.
  5. Click Apply.

    The Active Directory group is added to the table on the page.

To add remote access permissions to all users defined in an Active Directory:

  1. Click Edit Permissions or Add > Active Directory Permissions.
  2. Select All users in Active Directory. With this option, it is not necessary to use the VPN > Remote Access Users page to select specific users.

    Note that most Active Directories contain a large list of users and you might not want to grant them all remote access permissions to your organization. Usually you keep the Selected Active Directory user groups option.

  3. Click Apply.

    The Active Directory is added to the table on the page.

To add remote access permissions for users defined in the RADIUS group:

  1. Click Add > RADIUS Group.
  2. If no RADIUS group was defined, you are prompted to configure one.
  3. Select or clear the Enable RADIUS authentication for remote access users checkbox.
  4. When selected, choose which users are given remote access permissions:
    • To allow all users defined in the RADIUS server to authenticate - Select All users defined on RADIUS server
    • Specific user groups defined in the RADIUS server - Select For specific RADIUS groups only and enter in the text field the names of the user groups separated by commas
    • To allow administrators with read-only permissions to authenticate - Select Read-only Administrators
  5. Click Apply.

    The RADIUS server or specific users from the RADIUS server are added to the table on the page.

To configure SSL VPN bookmarks:

  1. Click Add > New Local User/Users Group/Active Directory Group > SSL VPN Bookmarks tab.

    A new window opens.

  2. Enter new bookmarks or select existing bookmarks.

    Note - If you select Global bookmark, this bookmark is always shown.

  3. Click Apply.

To edit a user or group:

  1. Select the user or group from the list.
  2. Click Edit.
  3. Make the relevant changes and click Apply.

To delete a user or group:

  1. Select the user or group from the list.
  2. Click Delete.
  3. Click OK in the confirmation message.

    The user or group is deleted.

Remote Access Authentication Servers

In the Authentication Servers page you can define and view different authentication servers. For each server you define both an external user database and the authentication method for the users in that database.

You can define these types of authentication servers:

To add a RADIUS server:

  1. Click Configure.
  2. In the Primary tab, enter this information:
    • IP address - The IP address of the RADIUS server.
    • Port - The port number through which the RADIUS server communicates with clients. The default is 1812.
    • Shared secret - The secret (pre-shared information used for message "encryption") between the RADIUS server and the Check Point Appliance. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
      • Show - Displays the shared secret.
    • Timeout (seconds) - A timeout value in seconds for communication with the RADIUS server. The timeout default is 3 seconds.
  3. Repeat step 2 for a Secondary RADIUS server if applicable.

    Note - If you want to remove the information you entered in IP address and Shared secret, click Clear.

  4. Click Apply.

    The primary and secondary servers (if defined) are added to the RADIUS section on the page.
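The character restrictions above apply to the RADIUS shared secret and, further down, to the Active Directory password; the Site to Site preshared secret (see Site to Site VPN Sites) has a shorter list of rejected characters. The following added example, which is not part of this guide or of the appliance software, checks a candidate value against either list before you paste it into the field, and generates a random secret that the field will accept. The secret length is an assumption (the page gives no maximum), and the page's typographic quote is read as a straight apostrophe.

```python
import secrets
import string

# Constructed from the character lists on this page. The page prints a typographic
# quote in the first list; the straight apostrophe is assumed here.
RADIUS_AD_FORBIDDEN = frozenset("{}[]`~|'\"#+\\")   # RADIUS shared secret / AD password
SITE_TO_SITE_FORBIDDEN = frozenset("[]'~|`\"")       # Site to Site preshared secret


def forbidden_chars(secret: str, forbidden: frozenset) -> list:
    """Return the distinct rejected characters found in secret, in order of first appearance."""
    found = []
    for ch in secret:
        if ch in forbidden and ch not in found:
            found.append(ch)
    return found


def is_valid_secret(secret: str, forbidden: frozenset = RADIUS_AD_FORBIDDEN) -> bool:
    """True when the secret is non-empty and contains none of the rejected characters."""
    return bool(secret) and not forbidden_chars(secret, forbidden)


def generate_secret(length: int = 32, forbidden: frozenset = RADIUS_AD_FORBIDDEN) -> str:
    """Generate a random secret from printable ASCII minus the rejected characters.

    The length is an assumption; the page states no maximum. Whitespace is excluded
    so the value can be pasted into the field unchanged.
    """
    alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in forbidden]
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    candidate = "Winter#2024+"                                   # constructed example value
    print(forbidden_chars(candidate, RADIUS_AD_FORBIDDEN))       # ['#', '+']
    print(is_valid_secret(candidate, SITE_TO_SITE_FORBIDDEN))    # True: '#' and '+' are allowed there
    print(generate_secret())
```

Generate the secret once, configure it on the RADIUS server and the appliance, and keep the generated value out of shell history and tickets; the check function is the useful part when a secret is handed to you and the appliance rejects it without saying which character is the problem.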

RADIUS servers can be used for:

To edit a RADIUS server:

  1. Click the IP address link of the RADIUS server you want to edit.
  2. Make the necessary changes.
  3. Click Apply.

    The changes are updated in the RADIUS server.

To delete a RADIUS server:

Click the Remove link next to the RADIUS server you want to delete.

The RADIUS server is deleted.

To configure remote access permissions for users defined in the RADIUS server:

  1. Click permissions for RADIUS users.
  2. Select or clear the Enable RADIUS authentication for remote access users checkbox.
  3. When selected, choose which users are given remote access permissions:
    • To allow all users defined in the RADIUS server to authenticate - Select All users defined on RADIUS server
    • Specific user groups defined in the RADIUS server - Select For specific RADIUS groups only and enter in the text field the names of the user groups separated by commas.
    • To allow administrators with Read-only permissions to authenticate - Select Read-only Administrators
  4. Click Apply.

To add an Active Directory domain:

  1. In the Active Directory section, click New.

    The Add new Domain window opens.

  2. Enter this information:
    • Domain - The domain name.
    • IP address - The IP address of one of the domain controllers of your domain.
    • User name - The user must have administrator privileges. This eases the configuration process and lets you create a user-based policy with the users defined in the Active Directory.
    • Password - The user's password. You cannot use these characters when you enter a password or shared secret: { } [ ] ` ~ | ' " # + \
    • User DN - Click Discover for automatic discovery of the DN of the object that represents that user, or enter the user DN manually. For example: CN=John James,OU=RnD,OU=Germany,O=Europe,DC=Acme,DC=com
  3. Select Use user groups from specific branch only if you want to use only part of the user database defined in the Active Directory. Enter the branch DN in the Branch full DN text field.
  4. Click Apply.
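The branch restriction in step 3 keeps only the directory objects whose DN ends with the Branch full DN. The following added example, which is not part of this guide or of the appliance software, shows that subtree test on the page's own sample DN plus two constructed ones, so you can predict which users a given branch will keep before applying it. It assumes the usual LDAP rules: attribute types and values are compared case-insensitively, and a backslash escapes a comma inside a value; hex escapes and multi-valued RDNs are not handled.

```python
def parse_dn(dn: str) -> list:
    """Split an LDAP distinguished name into (attribute, value) pairs, leaf first.

    Backslash-escaped characters (for example a comma inside a CN) are handled;
    hex escapes and multi-valued RDNs joined with '+' are not (assumption).
    Attribute types are case-insensitive, so they are lowercased.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def is_under_branch(user_dn: str, branch_dn: str) -> bool:
    """True when user_dn lies in the subtree rooted at branch_dn (the branch itself included).

    Values are compared case-insensitively, matching typical Active Directory
    behaviour (assumption).
    """
    user = [(a, v.lower()) for a, v in parse_dn(user_dn)]
    branch = [(a, v.lower()) for a, v in parse_dn(branch_dn)]
    if len(branch) > len(user):
        return False
    return user[len(user) - len(branch):] == branch


def users_in_branch(user_dns, branch_dn):
    """Filter a list of user DNs down to those the branch restriction would keep."""
    return [dn for dn in user_dns if is_under_branch(dn, branch_dn)]


# Constructed sample directory; the first DN is the page's own example.
SAMPLE_USERS = [
    "CN=John James,OU=RnD,OU=Germany,O=Europe,DC=Acme,DC=com",
    "CN=Doe\\, Jane,OU=Sales,OU=Germany,O=Europe,DC=Acme,DC=com",
    "CN=Pierre Martin,OU=RnD,OU=France,O=Europe,DC=Acme,DC=com",
]
GERMANY_BRANCH = "OU=Germany,O=Europe,DC=Acme,DC=com"

if __name__ == "__main__":
    for dn in users_in_branch(SAMPLE_USERS, GERMANY_BRANCH):
        print(dn)
```

Note that the comparison is on whole trailing RDNs, so a branch of OU=RnD,DC=Acme,DC=com does not match the sample user even though every component appears somewhere in the DN; the branch must be a contiguous suffix.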

When an Active Directory is defined, you can select it from the table and choose Edit or Delete when necessary.

When you edit, note that the Domain information is read-only and cannot be changed.

When you add a new Active Directory domain, you cannot create another object using an existing domain.

To configure remote access permissions for all users defined in Active Directory:

By default, users defined in the Active Directory are not given remote access permissions. Instead, in the VPN > Remote Access Users page all users defined locally or in Active Directories can be selected to be granted remote access permissions per user.

  1. Click permissions for Active Directory users.
  2. Select All users in the Active Directory. With this option, it is not necessary to go to the VPN > Remote Access Users page and select specific users.

    Note that most Active Directories contain a large list of users and you might not want to grant them all remote access permissions to your organization. Usually you keep the Selected Active Directory user groups option and configure remote access permissions through VPN > Remote Access Users page.

  3. Click Apply.

To change synchronization mode with the defined Active Directories:

  1. Click Configure in the toolbar of the Active Directory table.
  2. Select one of the options - Automatic synchronization or Manual synchronization. When Manual synchronization is selected, you can synchronize the user database known to the appliance from any location where this user database is shown. For example, the Users & Objects > Users page or the Source picker in the Firewall Rule Base in the Access Policy > Firewall Policy page.
  3. Click Apply.

To edit an Active Directory:

  1. Select the Active Directory from the list.
  2. Click Edit.
  3. Make the relevant changes and click Apply.

To delete an Active Directory:

  1. Select the Active Directory from the list.
  2. Click Delete.
  3. Click OK in the confirmation message.

    The Active Directory is deleted.

Note - This page is available from the VPN and Users & Objects tabs.

Remote Access Advanced

In the VPN > Remote Access Advanced page you can configure more advanced settings to determine VPN remote access users' behavior.

You can also add bookmarks (HTML links or RDP links) for specified URLs or computers when you connect through SSL VPN (see below). The next time you log in, your bookmarks are shown.

What is Office Mode?

Remote access VPN clients connect through a VPN tunnel from their homes to the appliance and from there they can gain access into the organization's resources.

The appliance assigns each remote access user an IP address from a specified network so that the traffic inside the organization is not aware that it originated from outside the organization.

This technology is called Office Mode and the network used for supplying the IP addresses is configurable.

To configure the Office Mode network:

  1. Enter the Office Network address and Office Subnet Mask.
  2. Click Apply. The default Office Mode network is 172.16.10.0/24.

To assign a VPN certificate:

  1. Click the downward arrow next to the VPN Remote Access certificate field.

    The list of uploaded certificates shows.

  2. Select the desired certificate.

    Note - You cannot select the default Web portal certificate.

  3. Click Apply.

To route all traffic from VPN remote access clients through the gateway:

  1. Select the Route Internet traffic from connected clients through this gateway checkbox.
  2. Click Apply.

Normally, only traffic from the VPN clients into the organization's encryption domain is encrypted and sent through the VPN tunnel to the gateway. Selecting the above checkbox causes all traffic from the VPN clients to be encrypted and sent to the gateway. In this case, traffic to locations outside the organization is enforced by the outgoing Access Policy. For more information, see the Access Policy Firewall Blade Control and Policy pages.

Note - This setting does not apply to traffic from SSL Network Extender clients.

To manually configure a local encryption domain for remote access users only:

The local encryption domains are the internal networks accessible by encrypted traffic from remote access VPN users. By default, the local encryption domain is determined automatically by the appliance. Networks behind LAN interfaces and trusted wireless networks are part of the local encryption domain.

Optionally, you can manually create a local encryption domain to be used by remote access users only instead. It is possible to configure a different manual local encryption domain for VPN remote access and VPN site to site. See VPN > Site to Site Blade Control page.

  1. Click on the local encryption domain link: automatically according to topology or manually. The link shown is a reflection of what is currently configured.
  2. Select Define local network topology manually.
  3. Click Select to show the full list of available networks and choose the relevant checkboxes.
  4. Click New if the existing list does not contain the networks you need. For information on creating a new network object, see the Users & Objects > Network Objects page.
  5. Click Apply.

    The Remote Access Local Encryption Domain window opens and shows the networks you selected.

DNS Servers for Remote Access users

You can define up to three DNS servers for Remote Access clients. By default, the Office mode first DNS for clients is set to this gateway.

To use a different DNS Primary server:

  1. Click Configure manually.
  2. In Office mode first DNS for clients, enter the IP address of a server to use as the DNS server.
  3. Click Apply.

DNS domain name

You can set a DNS domain name that the Remote Access clients' devices automatically use to attempt to resolve non-FQDN domains. By default, the suffix is automatically configured to take the DNS domain name configured in the DNS page.

To configure a manual DNS domain name:

  1. Click Configure manually.
  2. In DNS domain name, enter the DNS domain name suffix to use.
  3. Click Apply.

To configure the DNS domain name to be the same as the defined DNS domain name:

  1. Click Configure automatically.
  2. Click Apply.

    The DNS domain name shows the text "Same as DNS domain name".

To configure SSL VPN bookmarks:

  1. Click Add > New Local User/Users Group/Active Directory Group > SSL VPN Bookmarks tab.

    A new window opens.

  2. Enter new bookmarks or select existing bookmarks.

    Note - If you select Global bookmark, this bookmark is always shown.

  3. Click Apply.

To set SSL VPN bookmarks:

  1. In SSL VPN bookmarks, click New to create new bookmarks.

    A new window opens.

  2. Enter these details:
    • URL

    Note - If you select Global bookmark, this bookmark is shown to all users.

    • Type - Link or RDP (remote desktop protocol)
    • Label - The bookmark name
    • Tooltip - Description
  3. Click Apply.

If you select RDP as the bookmark type, you must enter the user name and password in the RDP Advanced Settings. These credentials are sent to the end user.

Note - If Show characters is selected, the password characters are shown.

You can also specify the screen size of the remote desktop. The default mode is full screen.

To manage bookmarks:

  1. Click on a bookmark.
  2. Click Edit or Delete.
  3. Click Apply.

Site to Site Blade Control

In the VPN > Site to Site Blade Control page you can activate the appliance's ability to create VPN tunnels with remote sites. Site to Site VPN can connect two networks separated by the Internet through a secure encrypted VPN tunnel. This allows for seamless secure interaction between the two networks within the same organization even though they are physically distant from each other.

On this page you can activate the blade to allow site to site connectivity. You can view how many sites are already defined and configure basic access policy from the remote sites into the specific network accessible by this gateway.

The remote site can be accessible through another Check Point appliance (recommended) or a 3rd party VPN solution.

Once defined, access to the remote site is determined by the incoming/internal/VPN traffic Rule Base as seen in the Access Policy > Firewall Policy page. This is due to the fact that the remote site's encryption domain is considered part of the organization even though traffic to it is technically outgoing to the Internet (since it is now VPN traffic).

To enable/disable the VPN Site to Site blade:

  1. Select On or Off.
  2. Click Apply.

Note - When the blade is managed by Cloud Services, a lock icon is shown. You cannot toggle between the on and off states. If you change other policy settings, the change is temporary. Any changes made locally will be overridden in the next synchronization between the gateway and Cloud Services.

A warning icon is shown if the blade is active but no VPN sites are defined. Click VPN Sites to add a VPN site or see how many VPN sites are defined. The full list of the sites is located in VPN > Site to Site VPN Sites.

To configure the default access policy from remote VPN sites:

  1. Select or clear the Allow traffic from remote sites (by default) checkbox. It is not recommended to clear this checkbox, as the remote site is usually part of your organization.
  2. Select or clear the Log remote sites traffic (by default) checkbox.
  3. Click Apply.

Local Encryption Domain

The local encryption domain defines the internal networks that are accessible by encrypted traffic from remote sites, and whose traffic to remote sites is encrypted. By default, the local encryption domain is determined automatically by the appliance. Networks behind LAN interfaces and trusted wireless networks are part of the local encryption domain. Optionally, you can manually create a local encryption domain instead. See the VPN > Site to Site Advanced page for instructions.

Site to Site VPN Sites

In the VPN > Site to Site VPN Sites page you can configure remote VPN sites. For more on how to configure site to site VPN, go to VPN > Site to Site Blade Control.

When you add a new VPN site, these are the tabs where you configure these details:

To add a new VPN site:

  1. Click New.

    The New VPN Site window opens in the Remote Site tab.

  2. Enter the Site name.
  3. Select the Connection type:
    • Host name or IP address - Enter the IP address or Host name. If you select IP address, and it is necessary to configure a static NAT IP address, select Behind static NAT and enter the IP address.

      Note - Behind static NAT applies to IPv4 addresses only.

    • High Availability or Load Sharing - Configure a list of backup IP addresses in case of failure (High Availability) or to distribute data (Load Sharing). The appliance uses probing to monitor the remote site’s IP addresses. In High Availability, you can configure one of the IP addresses as the primary.
      When you select this option, you must configure a probing method on the Advanced tab. The probing method monitors which IP addresses to use for VPN: ongoing or one at a time.
      Click New to add an IP address and set a Primary IP address if necessary for High Availability.
    • Only remote site initiates VPN - Connections can only be initiated from the remote site to this appliance. For example, when the remote site is hidden behind a NAT device. In this scenario, this appliance only responds to the tunnel initiation requests. This requires a secure method of remote site authentication and identification.
  4. Select an authentication method. This must match the authentication you used to configure this appliance as the other gateway's remote site.
    • Preshared secret - If you select this option, enter the same password as configured in the remote gateway and confirm it. Note - You cannot use these characters when you enter a shared secret: [ ] '~|`"
    • Certificate - The gateway uses its own certificate to authenticate itself. For more information, see VPN > Internal Certificate.
  5. Select the Remote Site Encryption Domain. Configure the conditions to encrypt traffic and send to this remote site.
    • Define remote network topology manually - Traffic is encrypted when the destination is included in the list of network objects. Click Select to select the networks that represent the remote site's internal networks. Click New to create network objects.
    • Route all traffic through this site - All traffic is encrypted and sent to this remote site. You cannot configure more than one remote site.
    • Encrypt according to routing table - If you use dynamic routing, traffic is encrypted based on source or service and destination. You must create a virtual tunnel interface (VTI) in the Device > Local Network page and associate it with this remote site. You can then use this VTI to create routing rules. Traffic that matches these routing rules is encrypted and routed to the remote site.
    • Hidden behind external IP of the remote gateway - If the remote site is behind NAT and traffic is initiated from behind the remote site to this gateway. When you select this option, it is not necessary to define an encryption domain.
  6. Exclude networks - Select this option to exclude networks from the specified encryption domain. This may be useful if two gateways are in the same community and protect the same parts of the network.
  7. Click Apply.
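Steps 5 and 6, together with the local encryption domain described under Site to Site Advanced, decide which packets are encrypted and to which peer. The following added example, which is not part of this guide or of the appliance software, models that domain-based decision for a constructed deployment: an automatic local domain made of the LAN and trusted wireless networks, one remote site with a manual topology, and one route-all site with an excluded network. The precedence it uses (a manual topology match wins over the route-all site, and excluded networks are never encrypted) is an assumption for illustration, as is the check that only one route-all site exists.

```python
import ipaddress
from dataclasses import dataclass, field


def nets(*cidrs):
    """Build network objects from CIDR strings."""
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class RemoteSite:
    name: str
    topology: list = field(default_factory=list)  # "Define remote network topology manually"
    route_all: bool = False                        # "Route all traffic through this site"
    exclude: list = field(default_factory=list)    # "Exclude networks"


def in_any(addr, networks) -> bool:
    return any(addr in n for n in networks)


def check_sites(sites):
    """Reject more than one route-all site (assumed reading of the page's restriction)."""
    if sum(s.route_all for s in sites) > 1:
        raise ValueError("only one remote site may route all traffic")


def vpn_peer_for(src: str, dst: str, local_domain, sites):
    """Return the remote site a packet is encrypted to, or None if it is sent in the clear.

    Assumed precedence (not stated on the page): a site whose manual topology
    contains the destination wins over a route-all site; excluded networks are
    never encrypted to that site.
    """
    check_sites(sites)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not in_any(s, local_domain):
        return None          # does not originate in our encryption domain
    if in_any(d, local_domain):
        return None          # internal traffic stays inside the local domain
    for site in sites:
        if in_any(d, site.topology) and not in_any(d, site.exclude):
            return site.name
    for site in sites:
        if site.route_all and not in_any(d, site.exclude):
            return site.name
    return None              # ordinary Internet traffic, handled by the outgoing policy


# Constructed deployment: LAN plus trusted wireless form the automatic local domain.
LOCAL_DOMAIN = nets("10.0.0.0/24", "10.0.1.0/24")
SITES = [
    RemoteSite("branch-berlin", topology=nets("192.168.50.0/24")),
    RemoteSite("hq-center", route_all=True, exclude=nets("203.0.113.0/24")),
]

if __name__ == "__main__":
    for dst in ("192.168.50.10", "10.0.1.7", "198.51.100.9", "203.0.113.4"):
        print(dst, "->", vpn_peer_for("10.0.0.5", dst, LOCAL_DOMAIN, SITES))
```

Running it with the constructed data shows the four outcomes an administrator usually has to reason about: encrypted to the branch, kept local, encrypted to the route-all center, and sent in the clear because the network was excluded.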

In the Encryption tab you can change the default settings. There are built-in groups of encryption settings; the group chosen here only needs to match the one configured at the remote site.

In the Advanced tab:

If you select IKEv1:

The modes for IKE negotiation are main mode and aggressive mode. For IKE negotiation, main mode uses six packets and aggressive mode uses three packets. We recommend main mode, which is more secure. By default, Enable aggressive mode is not selected and main mode is used. Enable aggressive mode only if necessary, when the other side of the VPN tunnel does not support main mode. (Third party gateways primarily do not work in main mode.)

Aggressive mode is used to create a tunnel when one of the gateways is behind NAT. In this case, a pre-shared secret does not provide enough data for authentication in main mode. Authentication must be done using a certificate and a gateway (peer) ID, or a secondary identifier couple, which is available in aggressive mode. The secondary identifier method is also available in IKEv2.

If you select Enable aggressive mode for IKEv1:

For more information on installing the certificate, see Certificates - Installed Certificates.

Notes:

If you select IKEv2:

When you create a tunnel and one of the gateways is behind NAT and has no certificate (it uses a pre-shared secret), with the IKEv2 protocol you can use a secondary identifier couple for authentication. In this case, the pre-shared secret alone is not enough.

Select to Create IKEv2 VPN tunnel using these identifiers:

If you select Prefer IKEv2, support IKEv1, configure the fields as explained for the first two options.

When you finish the new VPN site configuration, click Apply.

An initial tunnel test begins with the remote site. If you have not yet configured it, click Skip. The VPN site is added to the table.

Locally managed gateways can be part of these site to site communities:

To configure a gateway as the center:

  1. Select the VPN site from the list.
  2. Click Edit.

    The Edit VPN Site window opens.

  3. In the Remote Site tab:
    1. For Connection type, enter the IP address which is the public IP of the remote peer (satellite gateway).
    2. In the Encryption domain, select the networks of the satellite gateway that will participate in the VPN.
  4. In the Advanced tab, select Allow traffic to the internet from remote site through this gateway.
  5. Click Apply.

    This gateway is now designated as the center. Hide NAT is done automatically in the center gateway.

To configure a gateway as a satellite:

  1. Select the VPN site from the list.
  2. Click Edit.

    The Edit VPN Site window opens.

  3. In the Remote Site tab:
    1. For Connection type, enter the IP address which is the public IP of the remote peer (center gateway).
    2. In the Encryption domain, select Route all traffic through this site.
  4. Click Apply.

    This gateway is now designated as a satellite.

You can configure more than one satellite gateway to route all traffic through the center gateway.

If you try to configure two gateways to be the center, an error message shows.

If you do not configure one gateway as a center, the site to site VPN acts like a mesh community and each gateway continues to handle its own traffic.

To run a tunnel test with a remote site:

Check Point uses a proprietary protocol to test if VPN tunnels are active. It supports any site-to-site VPN configuration. Tunnel testing requires two Security Gateways and uses UDP port 18234. Check Point tunnel testing protocol does not support 3rd party Security Gateways.

  1. Select an existing site from the list.
  2. Click Test.

To edit a VPN site:

  1. Select the VPN site from the list.
  2. Click Edit.
  3. Make the relevant changes and click Apply.

To delete a VPN site:

  1. Select the VPN site from the list.
  2. Click Delete.
  3. Click OK in the confirmation message.

    The VPN site is deleted.

To disable or enable the VPN site:

  1. Select the VPN site from the list.
  2. Click Disable or Enable.

    The VPN site is disabled or enabled.

VPN Community Use Cases

Q: A system administrator is responsible for 6 gateways and wants to share network resources between the satellite branches. Which type of VPN community is preferable?

A: A star VPN community is preferable because each gateway does not have to create a VPN tunnel with all of the others. Instead, each of the 5 satellite peer gateways creates one site to site connection in the star VPN community to the center gateway. Only the center gateway (the star) must create a site to site connection from itself to each of the remote peers.

Q: A center gateway handles all the traffic in the VPN community. When the gateway reboots, all the other gateways' internet traffic is affected, and they lose access to the remote peer encryption domain until the center gateway comes back up. How can the administrator avoid this downtime?

A: In this case, a mesh community is better as each gateway can handle its own internet traffic and is not affected by any other gateway.
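The two answers above trade tunnel count against the failure domain. The following added example, which is not part of this guide or of the appliance software, makes both answers checkable for a constructed community of 6 gateways: it counts the tunnels a star and a mesh need, then counts which pairs of gateways can still reach each other when one gateway reboots, treating the star center as the forwarder between satellites.

```python
from collections import deque
from itertools import combinations


def star_tunnels(gateways, center):
    """Tunnels a star community needs: one per satellite, all terminating at the center."""
    return {frozenset((center, g)) for g in gateways if g != center}


def mesh_tunnels(gateways):
    """Tunnels a mesh community needs: one per pair of gateways."""
    return {frozenset(pair) for pair in combinations(gateways, 2)}


def reachable_pairs(gateways, tunnels, failed=None):
    """Unordered pairs of live gateways that can still reach each other, directly or
    through another live gateway (in a star the center forwards between satellites)."""
    live = [g for g in gateways if g != failed]
    adj = {g: set() for g in live}
    for t in tunnels:
        a, b = tuple(t)
        if a in adj and b in adj:
            adj[a].add(b)
            adj[b].add(a)
    count = 0
    for start in live:                 # breadth-first search from every live gateway
        seen = {start}
        queue = deque([start])
        while queue:
            n = queue.popleft()
            for m in adj[n]:
                if m not in seen:
                    seen.add(m)
                    queue.append(m)
        count += len(seen) - 1
    return count // 2                  # each pair was counted from both ends


GATEWAYS = ["gw-center", "gw-1", "gw-2", "gw-3", "gw-4", "gw-5"]   # constructed names

if __name__ == "__main__":
    star, mesh = star_tunnels(GATEWAYS, "gw-center"), mesh_tunnels(GATEWAYS)
    print(len(star), len(mesh))                                  # 5 15
    print(reachable_pairs(GATEWAYS, star, failed="gw-center"))  # 0
    print(reachable_pairs(GATEWAYS, mesh, failed="gw-center"))  # 10
```

With the center down, the star has no reachable pairs at all, which is the downtime the second question describes; losing one satellite instead leaves the other five gateways fully connected. The mesh keeps 10 of its 15 pairs reachable whichever gateway fails, at the cost of three times as many tunnels to configure and maintain.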

Site to Site Community

Note - This page is relevant only if Cloud Services is turned on.

In the VPN > Site to Site Community page you can see details of the community members configured for this appliance by Cloud Services. The information here is read-only and you cannot update details. The settings configured by Cloud Services for the VPN > Site to Site software blade are used by the community members.

The Community page shows:

To test the VPN connection for a site:

  1. Select the site.
  2. Click Test.

    If the test succeeds, a success message is shown. Click OK to close it.

    If the test does not succeed, click Details for more information. If applicable, click Retry.

To see the details of a site configured by Cloud Services:

Select a site and click View Details.

The View Site Details window opens and shows:

For descriptions of the fields in the site details tabs, see Configuring VPN Sites.

Site to Site VPN Tunnels

In the VPN Tunnels page you can see current VPN tunnels opened between this gateway and remote sites. Some sites are configured so tunnels are established only when necessary and some are configured with permanent tunnels. When the appliance is managed by Cloud Services, this table also shows the tunnels for the gateways in the community.

This page is commonly used to see the permanent tunnels. The table shows each tunnel's details when there is an active VPN tunnel.

Field - Description

From - Host name or IP address of the tunnel's source gateway.

Site Name - Name of the VPN site.

Peer Address - Host name or IP address of the tunnel's destination gateway.

Community Name - If the gateways are part of a community configured by Cloud Services, the community name with which the tunnel is associated.

Status - VPN tunnel status indication.

To filter the list:

In the Type to filter box, enter the filter criteria.

The list is filtered.

To refresh the list:

Click Refresh to manually refresh this page with updated tunnel information.

Note - This page is available from the VPN and Logs & Monitoring tabs.

Site to Site Advanced

In the VPN > Site to Site Advanced page you can configure global advanced options that define how the appliance connects to remote sites.

The configuration options on this page answer these configuration questions:

Configuring a Local Encryption Domain

In domain based VPN, traffic is encrypted when it originates in one encryption domain and is transmitted to a different domain.

The local encryption domain defines:

By default, the local encryption domain is determined automatically by the appliance. Networks behind LAN interfaces and trusted wireless networks are part of the local encryption domain. Optionally, you can manually create a local encryption domain if necessary.

To manually configure a local encryption domain:

  1. Click the automatically according to topology link.
  2. Select Define local network topology manually.
  3. Click Select to show the full list of available networks and select the applicable checkboxes.
  4. Click New if the existing list does not contain the necessary networks required. For information on how to create a new network object, see the Users & Objects > Network Objects page.
  5. Click Apply.

    The Site to Site Local Encryption Domain window opens and shows the services you selected.

Configuring the Appliance's Interfaces

Link Selection is a method used to:

In addition, with the Link Selection mechanisms, the administrator can select which source IP addresses are used for VPN traffic.

The default configuration to select an outgoing interface and source IP address is for the device to determine them automatically. Alternatively, you can change the default settings and select other means to determine:

To configure the appliance’s outgoing interfaces and source IP address for VPN:

  1. In the Link Selection > Outgoing interface selection section, select a method to specify the outgoing interface:
    • According to the routing table – The OS’s routing table finds the interface link with the lowest metric (highest priority) through which to send traffic based on the remote site’s IP addresses.
    • Route based probing – This method also consults the routing table for the link with the lowest metric. But, before choosing an interface link to send traffic, all routing possibilities are examined. This is to make sure that the link is active. The gateway selects the best match (highest prefix length) active route with the lowest metric (highest priority). This method is recommended when there is more than one external interface.
  2. In the Source IP address selection section, select an option to configure the source IP address used by the Security Gateway, when it initiates or responds to VPN traffic. This IP address is normally used by the remote sites to connect to this Security Gateway:
    • Automatically chosen according to outgoing interface.
    • Manually configured – Enter an IP address that is always used as the source IP address of a VPN tunnel.

Tunnel Health Monitoring

Dead Peer Detection (DPD) is an additional keepalive mechanism supported by the Check Point Security Gateway to test if VPN tunnels are active. DPD uses IPsec traffic to minimize the number of messages required to confirm the availability of a peer and requires an IPsec established tunnel. The DPD mechanism is based on IKE encryption keys only.

The feature also allows you to monitor permanent tunnels based on DPD for both IKEv1 and IKEv2.

In active mode, a peer configured for DPD receives DPD Hello requests at regular intervals if no incoming IPsec traffic is seen from it for 10 seconds.

To test if a VPN tunnel is active:

Select a Tunnel health monitoring method.

In DPD responder mode, the Check Point gateway sends the IKEv1 Vendor ID to peers from which the DPD Vendor ID was received and answers incoming DPD packets.

To enable DPD responder mode:

Click the checkbox.

Certificates - Trusted CAs

In the VPN > Certificates Trusted CAs page you can add CAs used by remote sites' certificates to enable a VPN or WebUI certificate. A certificate shown by the remote site must be signed by a CA that is trusted by the appliance. Trusted CAs include both intermediate and root CAs.

This page also shows the built in Internal CA that by default creates the certificates for this appliance. It can also be used to sign remote sites' certificates. You can also export the internal CA to add it to a remote site's trusted CA list.

When Cloud Services is turned on and the appliance is configured by a Cloud Services Provider, the CA of the Cloud Services Provider is downloaded automatically to the appliance. The Cloud Services Provider CA is used by community members configured by Cloud Services. Note that if you turn Cloud Services off, the Cloud Services Provider CA is removed.

Recommended configurations

When you use certificate based site to site VPN with only one remote site, we recommend you export each site's Internal CA and add it to the other site's Trusted CA list.

When you use certificate based site to site VPN with multiple remote sites, in a mesh configuration, we recommend for all sites to use one CA to sign their internally used certificates on appliances that support creating signing requests. You must also add the same CA to all sites' Trusted CAs list. That CA can be an external CA service like Verisign (for a fee) or simply use this appliance's Internal CA. See below how to use it to sign external requests.

To add a trusted CA:

  1. Click Add.
  2. Click Browse to upload a CA's identifier file (a .CRT file).
  3. A CA name is suggested, but you can enter another name if preferred. Click Preview CA details to see further information from the .CRT file.
  4. Click Apply. The CA is added to the Trusted CA list.

To edit a trusted CA's configuration:

  1. Select the CA from the list.
  2. Click Edit. The Edit window opens.
  3. Select the necessary options regarding CRL (Certificate Revocation List):
    • Retrieve CRL from HTTP Server(s) - HTTP can be used to access the CA for CRL retrieval. When cleared, this appliance does not attempt to validate the remote site's certificate's CRL.
    • Cache CRL on the Security Gateway - Select how often a new updated CRL is retrieved:
      • Fetch new CRL when expires - Upon expiration of the CRL.
      • Fetch new CRL every X hours - Regardless of CRL expiration.
  4. Click Details to see full CA details.
  5. Click Apply.

To delete a trusted CA:

  1. Select the trusted CA from the list and click Delete.
  2. Click OK in the confirmation message.

To export the Internal CA (or other previously imported CAs):

  1. Select the Internal CA in the table.
  2. Click Export. The Internal CA's identifier file is downloaded through your browser and is available to be imported to the remote site's trusted CA list.
  3. You can also export other trusted CAs you've added to the list if necessary by selecting them and clicking Export.

To sign a remote site's certificate request by the Internal CA:

  1. Click Sign a Request. A file upload window opens.
  2. Click Browse to upload the signing request file as created in the remote site. For third party appliances, see their Administration Guide to find where signing requests are created.

    The file must be in a path accessible to the appliance. After you click OK in the file browsing window, the file is uploaded. If it is correctly formatted, it is signed by the Internal CA and the Download button is available.

  3. Click Download. The signed certificate is downloaded through your browser and is available to be imported to the remote site's certificates list.

Certificates - Installed Certificates

On the Installed Certificates page, you can create and manage appliance certificates or upload a P12 certificate. Uploaded certificates and the default certificates are displayed in a table. To see certificate details, click the certificate name.

You can upload a certificate signed by an intermediate CA or root CA. All intermediate and root CAs found in the P12 file are automatically uploaded to the trusted CAs list.

Note - This page is available from the Device and VPN tabs.

On the VPN Remote Access Blade Control page, after you enable the SSL VPN feature, you can select and assign a certificate from the list of the installed certificates (with the exception of the Default Web Portal certificate). You can also do this on the Remote Access Advanced tab.

On the Device > Device Details page, you can select and assign a Web portal certificate from the list of installed certificates (with the exception of the Default certificate).

Installed certificates are used in site-to-site VPN, SSL VPN, and the Web portal.

When Cloud Services is turned on and the appliance is configured by Cloud Services, the Cloud Services Provider certificate is downloaded automatically to the appliance. The Cloud Services Provider certificate is used by community members configured by Cloud Services. Note - If you turn Cloud Services off, the Cloud Services Provider certificate is removed.

These are the steps to create a signed certificate:

  1. Create a signing request.
  2. Export the signed request (download the signing request from the appliance).
  3. Send the signing request to the CA.
  4. When you receive the signed certificate from the CA, upload it to the appliance.

To create a new certificate to be signed by a CA:

  1. Click New Signing Request. The New Certificate Request window opens.
  2. Enter a Certificate name.
  3. In the Subject DN enter a distinguished name (e.g. CN=myGateway).
  4. Optional - to add alternate names for the certificate, click New. Select the Type and enter the Alternate name and click Apply.
  5. Click Generate.

    The new signing request is added to the table and the status shows "Waiting for signed certificate".

    Note - You cannot edit the request after it is created.

    If the new signing request is signed by the Internal CA and the Organization Name is not defined in the DN, the Internal CA automatically generates the Organization Name.
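The four steps above (create the request, export it, have the CA sign it, upload the result) carried out against a local OpenSSL test CA, as an added example that is not part of this guide or of the appliance's software. The test CA stands in for the appliance's Internal CA described on the Trusted CAs page, and the last part of the script shows what the Trusted CA CRL option ("Retrieve CRL from HTTP Server(s)") adds: a revoked gateway certificate still passes a plain chain check and is only rejected when the CRL is consulted. The names Demo Internal CA, myGateway (the Subject DN from step 3) and vpn.example.net are constructed for the demo; the script assumes the openssl command line tool is installed.

```shell
#!/bin/sh
# Added example, not Check Point code: an OpenSSL test CA standing in for the
# appliance's Internal CA. It walks the steps CSR -> export -> sign -> install
# and then shows why CRL checking on the Trusted CAs page matters: a revoked
# gateway certificate still chains correctly unless the CRL is consulted.
# All names (Demo Internal CA, myGateway, vpn.example.net) are constructed.
set -eu

WORK="$(mktemp -d)"          # scratch directory; nothing touches the real system
cd "$WORK"
mkdir newcerts; touch index.txt; echo 1000 > serial; echo 01 > crlnumber

# Minimal CA configuration for "openssl ca" (database, serial, CRL counter).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = any_policy
copy_extensions  = copy
[ any_policy ]
commonName       = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ gw_ext ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
[ req ]
prompt             = no
distinguished_name = req_dn
[ req_dn ]
CN = Demo Internal CA
EOF

# The CA certificate itself: this is what "Export" on the Trusted CAs page
# hands to a remote site so it can add the CA to its own trusted list.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
  -extensions ca_ext -keyout ca.key -out ca.crt 2>/dev/null

# Step 1: the gateway's signing request with Subject DN CN=myGateway and one
# alternate name, mirroring the New Certificate Request window.
cat > gw.cnf <<'EOF'
[ req ]
prompt             = no
distinguished_name = req_dn
req_extensions     = gw_san
[ req_dn ]
CN = myGateway
[ gw_san ]
subjectAltName = DNS:vpn.example.net
EOF
openssl req -new -newkey rsa:2048 -nodes -config gw.cnf \
  -keyout gw.key -out gw.csr 2>/dev/null

# Steps 2-4: the CA signs the exported request (gw.csr); gw.crt is the file
# that would be uploaded with "Upload Signed Certificate".
openssl ca -batch -config ca.cnf -extensions gw_ext -notext \
  -in gw.csr -out gw.crt 2>/dev/null

# What a peer with ca.crt in its Trusted CAs list checks: chain validity only.
verify_chain() {
  openssl verify -CAfile ca.crt gw.crt >/dev/null 2>&1
}

# The alternate name from the CSR survives signing (copy_extensions = copy).
cert_has_san() {
  openssl x509 -in gw.crt -noout -text | grep -q "DNS:vpn.example.net"
}

# The same check with CRL retrieval enabled: CA certificate and CRL bundled.
crl_status() {
  cat ca.crt ca.crl > bundle.pem
  if openssl verify -crl_check -CAfile bundle.pem gw.crt >/dev/null 2>&1; then
    echo valid
  else
    echo rejected
  fi
}

openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
echo "before revocation: chain=$(verify_chain && echo OK || echo FAIL) crl=$(crl_status)"

# Revoke the gateway certificate and publish a fresh CRL.
openssl ca -config ca.cnf -revoke gw.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
echo "after revocation:  chain=$(verify_chain && echo OK || echo FAIL) crl=$(crl_status)"
```

Run it with sh; the two echo lines show the chain check passing both times while the CRL check flips from valid to rejected. In appliance terms, gw.csr corresponds to the exported signing request, gw.crt to the file received from the CA, and ca.crt to the CA entry the remote site needs in its Trusted CAs list with the CRL options enabled.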

To export the signing request:

Click Export.

To upload the signed certificate when you receive the signed certificate from the CA:

  1. Select the signing request entry from the table.
  2. Click Upload Signed Certificate.
  3. Browse to the signed certificate file (*.crt).
  4. Click Complete.

    The status of the installed certificate record changes from "Waiting for signed certificate" to "Verified".

To upload a P12 file:

  1. Click Upload P12 Certificate.
  2. Browse to the file.
  3. Edit the Certificate name if necessary.
  4. Enter the certificate password.
  5. Click Apply.

Certificates - Internal Certificates

In the Certificates Internal Certificate page you can view details of an internal VPN certificate. You can also view and reinitialize the certificate of the internal CA, which signed the internal VPN certificate and can also be used to sign external certificates.

Note - This page is available from the Device and VPN tabs.

When a certificate signed by the internal CA is used, the CA's certificate must be reinitialized whenever the Internet connection's IP addresses change.

To avoid constant reinitialization, we recommend you use the DDNS feature. See Device > DDNS. When DDNS is configured, you only need to reinitialize the certificate once. Changes in the DDNS feature configuration by default automatically reinitialize certificates.

To reinitialize certificates:

  1. Click Reinitialize Certificates.

    The Reinitialize Certificates window opens.

  2. Enter the Host/IP address.

    Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation.

  3. Select the number of years for which the Internal VPN Certificate is valid. The default is 3. The maximum value allowed is 20.
  4. Click Apply.

    Note - The internal VPN certificate expiration date cannot be later than the CA expiration date.

To replace an internal CA certificate:

  1. Click Replace Internal CA Certificate.

    The Upload a P12 Certificate window opens.

  2. Click Browse to select the CA certificate file that includes the private key.
  3. Enter the Certificate name and private key's password to allow the device to sign certificates with the uploaded CA.
  4. Enter the Host/IP address.

    Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured, in load sharing mode, you can manually enter an accessible IP address for this appliance. This is used by remote sites to access the internal CA and check for certificate revocation.

  5. Click Apply.

To export an internal CA certificate:

Click Export Internal CA Certificate to download the internal CA certificate.

To sign a remote site's certificate request by the internal CA:

  1. Click Sign a Request. A file upload window opens.
  2. Click Browse to upload the signing request file as created in the remote site. For third party appliances, see their Administration Guide to find where signing requests are created.

    The file must be in a path accessible to the appliance. After you click OK in the file browsing window, the file is uploaded. If it is correctly formatted, it is signed by the Internal CA and the Download button is available.

  3. Click Download. The signed certificate is downloaded through your browser and is available to be imported to the remote site's certificates list.