Configuration and Upgrade Scenarios

In This Section: Configuring Cloud Services Configuring a Guest Network Configuring VPN Configuring QoS Managing Clusters Enabling VoIP Traffic

This chapter contains workflows for common configuration and upgrade scenarios.

Configuring Cloud Services

Introduction

Cloud Services lets you connect your Check Point Appliance to a Cloud Services Provider that uses a Web-based application to manage, configure, and monitor the appliance.

Prerequisites

Before you connect to Cloud Services, make sure you have:

• Received an email from your Cloud Services Provider that contains an activation link. When you click the link, your Check Point Appliance automatically connects to Cloud Services.

  Or

• The Service Center IP address, the Check Point Appliance gateway ID, and the registration key. Use these details to manually connect your Check Point Appliance to Cloud Services.

To automatically connect to Cloud Services:

1. Make sure the Check Point Appliance was configured with the First Time Configuration Wizard. See the Check Point Appliance Getting Started Guide.
2. In the email that the Security Gateway owner gets from the Cloud Services Provider, click the activation link.

   After you log in, a window opens and shows the activation details sent in the email.

3. Make sure the details are correct and click Connect.

   For more details, see Configuring Cloud Services.

To manually connect to Cloud Services:

1. In the WebUI, go to the Home > Cloud Services page.
2. Follow the Connect to Cloud Services procedure in Configuring Cloud Services.

Configuring a Guest Network

In some situations, you need to allow guest access to the Internet from within your organization. At the same time, you may want to restrict access to internal network resources. When you configure a guest network with a Hotspot, you can control network access. If you set user authentication options, you can then monitor the users that connect to the network.

Prerequisites

• You must have a wireless network enabled on your appliance. The guest network is actually a Virtual Access Point (VAP).
• You must define the network interfaces that redirect users to the Hotspot portal when they browse from those interfaces.

Configuration

1. Go to Device > Wireless Network.
2. Click Guest and follow the wizard instructions. See Configuring the Wireless Network.
   • Make sure that the Use Hotspot checkbox is selected in the wizard.
   • Set the network protection (unprotected or protected network).
   • Set the access and log policy options in the Access Policy tab.
3. Make sure you defined the network interfaces for Hotspot. See Configuring the Local Network.
4. Configure the Hotspot - Go to Device > Hotspot and set the options. See Configuring a Hotspot.
5. If necessary, you can limit access to the Hotspot for specified user groups in the Access section.

Monitoring

Connect to the network and open a browser session. You see the customized Hotspot portal.

Note - You are shown the Hotspot portal one time in the given timeout period. The default timeout period is 4 hours.

User activity on this network is logged with user names if the Log traffic option was selected.

Configuring VPN

This section describes how to configure these VPN configuration scenarios:

• Remote access VPN
• Site to site VPN using a preshared secret
• Site to site VPN using a certificate

Note - VPN does not work with pure IPv6, only with dual stack.

Configuring Remote Access VPN

Introduction

Use these options for remote access:

• Check Point VPN clients
• Check Point Mobile clients
• Check Point SSL VPN
• L2TP VPN client

Prerequisites

• In VPN > Blade Control, make sure:
  • Remote Access control is set to On and the Allow traffic from Remote Access users (by default) option is selected.
  • Select the applicable connection methods.
  • For more details, see Configuring the Remote Access Blade.
• If the gateway uses a dynamic IP address, we recommend you use the DDNS feature. See Configuring DDNS and Access Services.
• For the Check Point VPN client or Mobile client method, make sure that the applicable client is installed on the hosts. Click How to connect for more information.

Remote Access Configuration

These are the methods to configure remote access users:

• Local users
• RADIUS users
• AD users

To allow only specified users to connect with a remote access client, set group permissions for the applicable user type. Select the arrow next to the Add option and select the relevant group option. See Configuring Remote Access Users.

To configure local users:

For new users:

1. Go to VPN > Remote Access Users.
2. Click Add to add local users.
3. Make sure that the Remote Access permissions checkbox is selected.

For more information, see Configuring Remote Access Users.

For existing users:

1. Go to VPN > Remote Access Users.
2. Click Edit to make sure that the Remote Access permissions checkbox is selected.

For more information, see Configuring Remote Access Users.

To configure RADIUS users:

1. Go to VPN > Authentication Servers.
2. Click Configure to add a RADIUS server. See Configuring Remote Access Authentication Servers.
3. Click permissions for RADIUS users to set access permissions.

To configure AD users:

1. Go to VPN > Authentication Servers and click New to add an AD domain. See Configuring Remote Access Authentication Servers.
2. Click permissions for Active Directory users to set access permissions.

L2TP VPN Client configuration

For L2TP VPN Client configuration, click L2TP Pre-shared key to enter the key after you enable the L2TP VPN client method.

Advanced Options

For more information on advanced Remote Access options, for example Office Mode network, see Configuring Advanced Remote Access Options.

Monitoring

To make sure Remote Access is working:

Use the configured client to connect to an internal resource from a remote host.

Configuring Site to Site VPN with a Preshared Secret

Introduction

In this Site to Site VPN configuration method a preshared secret is used for authentication.

Prerequisites

• Make sure the Site to Site VPN blade is set to On and Allow traffic from remote sites (by default) is selected. See Configuring the Site to Site VPN Blade.
• The peer device that you connect to must be configured and connected to the network. If it is a DAIP gateway, its host name must be resolvable.

Configuration

Enter a host name or IP address and enter the preshared secret information. For more information, see Configuring VPN Sites.

Monitoring

To make sure the VPN is working:

1. Send traffic between the local and peer gateway.
2. Go to VPN > VPN Tunnels to monitor the tunnel status. See Viewing VPN Tunnels.

Configuring Site to Site VPN with a Certificate

Introduction

In this Site to Site VPN configuration method a certificate is used for authentication.

Prerequisites

• Make sure the Site to Site VPN blade is set to On and Allow traffic from remote sites (by default) is selected. See Configuring the Site to Site VPN Blade.
• The peer device that you connect to must be configured and connected to the network. If it is a DAIP gateway, its host name must be resolvable.
• You must reinitialize certificates with your IP address or resolvable host name. Make sure the certificate is trusted on both sides.
• VPN encryption settings must be the same on both sides (the local gateway and the peer gateway). This is especially important when you use the Custom encryption option.

Configuration

1. Reinitialize certificates - Use the Reinitialize certificates option described in Managing Internal Certificates. Make sure this is done on both the local and peer gateway (if they both use locally managed Check Point appliances).
2. Trust CAs on the local and peer gateways - Use one of these procedures:
   • Exchange CAs between gateways.
   • Sign a request using one of the gateway's CAs.
   • Authenticate by using a 3rd party CA.
   • Authenticate with an existing 3rd party certificate.

   Follow the steps for the applicable procedure listed in the Trust Procedures section below.

3. Use certificate authentication to create the VPN site.
   1. Follow the instructions in Configuring VPN Sites.
   2. To make sure the specified certificate is used, enter the peer gateway's certificate information in Advanced > Certificate Matching.

Trust Procedures

Exchange CAs between gateways:

Click Add to add the Trusted CA of the peer gateway. This makes sure the CA is uploaded on both the local and peer gateways. See Managing Trusted CAs.

Sign a request using one of the gateway's CAs:

You create a request from one gateway that must be signed by the peer gateway's CA.

1. Use the New Signing Request option in Managing Installed Certificates.
2. Export this request using the Export option.
3. Use the peer gateway's internal CA to sign the request on the peer gateway.
   If the peer gateway is a locally managed Check Point gateway, go to VPN > Trusted CAs and use the Sign a Request option. For more information, see Managing Trusted CAs.
4. Upload the signed request to the local gateway.
   1. Go to VPN > Installed Certificates.
   2. Select the installed certificate that you asked the remote peer to sign.
   3. Upload the certificate with the Upload Signed Certificate option. See Managing Installed Certificates.
5. Make sure that the CA is installed on both of the gateways. Use the Add option in Managing Trusted CAs.

Authenticate by using a 3rd party CA:

You create a signing request from each peer gateway. Follow the steps above in Sign a request using one of the gateway's CAs to sign it with a 3rd party CA.
Note that a 3rd party CA can either issue *.crt, *.p12, or *.pfx certificate files.

1. Upload the certificate using the appropriate upload option.
   1. Go to VPN > Installed Certificates.
   2. Select the installed certificate that you asked the remote peer to sign.
   3. Upload the certificate with the Upload Signed Certificate or Upload P12 Certificate option. See Managing Installed Certificates.
2. Make sure that the 3rd party CA is installed on both of the gateways. Use the Add option in Managing Trusted CAs.

Authenticate with an existing 3rd party certificate:

1. Create a P12 certificate for the local and peer gateway.
2. Upload the P12 certificate using the Upload P12 Certificate option on each gateway.
3. Make sure that the 3rd party CA is installed on both of the gateways. Use the Add option in Managing Trusted CAs.

Monitoring

To make sure the VPN is working:

1. Pass traffic between the local and peer gateway.
2. Go to VPN > VPN Tunnels to monitor the tunnel status. See Viewing VPN Tunnels.

Configuring QoS

Introduction

The QoS (bandwidth control) policy is a set of rules that lets you set bandwidth parameters that control the flow of traffic to and from your network. They make sure that important traffic is prioritized and your business has minimal disruption when there is network congestion.

QoS can be activated on Internet connections and requires at least one Internet connection is configured with the maximum download and/or upload speeds. You get the speed information from your ISP.

QoS policy rules apply separately on each configured Internet connection.

Prerequisites

In Access Policy > QoS > Blade Control, make sure the QoS blade is turned on.

Configuration

1. In Device > Internet, select an Internet connection and click Edit.
2. In the Advanced tab, edit the QoS Settings.

   These values are used as a 100% percent baseline when you calculate QoS weight. For more details, see Configuring Internet Connectivity.

3. You can use these options:
   • A default QoS policy that requires defining only a number of parameters. See Configuring the QoS Blade.
   • Define manual rules for further granularity if necessary in Access Policy > QoS > Policy. See Working with the QoS Policy.

Managing Clusters

Configuring a Cluster

Introduction

Configure a cluster to maintain connections in the organization's network when there is a failure in a cluster member. The cluster provides redundancy.

Cluster High Availability is supported. In High Availability, only one gateway is active at a time. When there is a failover, the standby member becomes active. There is no load sharing between the members of the cluster.

All cluster configuration is done through the active member.

Note - Bridge and switch configurations are not supported in cluster configuration.

Configuration workflow:

1. Complete the First Time Configuration Wizard on both appliances. In the Local Network page of the wizard, clear the Enable switch on LAN ports checkbox.
2. Configure network settings on the appliance that is the primary (active) member.
3. Connect a sync cable between the appliances.
4. Configure the active member.
5. Configure the standby member.

Prerequisites

• In WebUI > Device > Local Network, delete bridge and switch configurations before you start to configure a cluster.
• The appliances in a cluster must have the same hardware, firmware, and licenses.

  Note - Connect the sync cable only after you complete the First Time Configuration Wizard and remove the switch on both appliances. No additional configuration is required on both members.

Best Practice - Designate the same LAN port for the Sync interface. The default Sync interface is LAN2/SYNC.

For the primary (active) cluster member:

1. Connect to the appliance that is the primary cluster member.
2. In the WebUI, go to Device > High Availability and click Configure Cluster.
3. Follow the wizard steps and configure the appliance as a primary member. For more information, see Configuring High Availability.

For the secondary (standby) cluster member:

1. Connect to the appliance that is the secondary cluster member.
2. Go to Device > High Availability and click Configure Cluster.
3. Follow the wizard steps and configure the appliance as a secondary member. For more information, see Configuring High Availability.

Complete other configuration requirements such as access policy, VPN, and Threat Prevention parameters. The primary and secondary members now synchronize their configuration.

Monitoring the Cluster

Best Practice - After the cluster is successfully configured, connect to https://my.firewall. This redirects you to the WebUI Home > System page for the active cluster member.

To log in to each appliance:

Go to https://<IP>:4434. <IP> is the IP address of a specified member.

Note - Not all options are available as all cluster configuration is done through the active member. The WebUI of the standby cluster member only has one tab: Device.

To show the status of the cluster member:

Go to Device > High Availability.

Upgrading a Cluster

When you upgrade a cluster member, you can maintain network connectivity during an upgrade. One member of the cluster remains active while the other cluster member is upgraded. The system is always active and there is no downtime during the upgrade process.

In a High Availability cluster, only one member is active at a time. The other appliance is standby. To upgrade a cluster, first upgrade the standby appliance and then upgrade the active member.

Upgrade workflow:

1. Upgrade the standby member in the WebUI Device > System Operations page.

   The standby member automatically reboots.

2. In the active member's WebUI Device > High Availability page, wait for the status to show "Active" and "Standby."
3. Upgrade the active member.

   The active member automatically reboots.

Note - The upgrade process is the same for each cluster member. Only manual upgrade is supported.

After the reboot:

• The former active member is now the standby member.
• The former standby member is now the active member.

To manually upgrade a cluster member:

1. On the Device > System Operations page, click Manual Upgrade.

   The Upgrade Software Wizard opens.

2. Follow the Wizard instructions to upgrade the cluster member.

   The upgrade process automatically reboots the member.

To see the status of each cluster member:

Go to Device > High Availability.

Enabling VoIP Traffic

Introduction

Follow these configuration procedures to allow SIP traffic to pass through the gateway when:

• The server is located on external networks.
• The gateway's NAT configuration is set to its default settings (with internal networks hidden behind its external IP address).

Configuration

To allow application-level inspection and NAT of the SIP protocol:

1. Go to Users & Objects > Services.
2. Edit the SIP_UDP and SIP_TCP built in services by enabling SIP inspection on both services - Clear the Disable inspection for this service checkbox in each service object. For more details, see Viewing System Information.

To allow the SIP server to connect to internal phones from the Internet:

1. Go to Access Policy > Policy.
2. Add a rule to the Incoming, Internal and VPN traffic Rule Base that allows SIP traffic.

   For example:

   Source - Any

   Destination - Any

   Service - SIP

   Action - Accept

   For more information, see Working with the Firewall Access Policy.

3. If you know the IP address of the SIP server, you can use it as the source of this rule.
4. Optional - Configure a log for this rule.