Configuring Global VPN Communities

This is the workflow for creating a Global VPN Community.

To create a Global VPN Community:

  1. Configure a VPN Domain on each participating Security Gateway.

  2. Enable each participating Security Gateway for global use.

  3. In the Global Domain, define a VPN Community, and add the Global Security Gateway objects to the Global VPN Community. The Global Security Gateway objects represent the participating Domain Security Gateways.

  4. Define a Security Policy. You can create a Global Policy and assign it to the Local Domains, or you can create the Security Policy rules only in the Local Domains.

  5. Assign the Global configuration to the applicable Domains. After assignment, you must also install the policy on the participating Security Gateways.

Step 1 - Configuring a VPN Domain on each Security Gateway

You define the Domain Security Gateways in the Domain SmartConsole.

To define a VPN Domain on a Security Gateway:

In the Security Gateway editor:

  1. In General Properties, enable IPSec VPN.

  2. In Network Management > VPN Domain, configure the settings for the VPN Domain. You must define a VPN Domain and specify if the VPN Domain is based on the network topology or a specific IP address range.

For information on the configuration of a VPN Domain, see the R81 Site to Site VPN Administration Guide.

The Multi-Domain Server holds the IP address ranges that the Security Gateways use for their VPN Domains. During the assignment of the Global configuration, the Multi-Domain Server transfers this information to all the Domains that have participating Security Gateways in the Global VPN Community.

Step 2 - Enabling Gateways for Global Use

Repeat this step for all Security Gateways that are to participate in the Global VPN Community:

In the Multi-Domain Server SmartConsole > Gateways & Servers view, right-click a Security Gateway and select Enable Global Use.

A global Security Gateway object and a VPN Domain object are created for the Security Gateway in the Global Domain. Different Domains can contain Security Gateways with the same name. Because each global Security Gateway object must have its own unique Global Name, the Global Names Template automatically assigns a unique name to each global Security Gateway.

The default global name format is:

<Name of Security Gateway>_of_<Name of Domain>.

For example:

  • Security Gateway name = MyGateway

  • Domain name = MyDomain

  • Global name = MyGateway_of_MyDomain

Note - When the local Domain that holds the gateway to be used globally has the active server on a standby Multi-Domain Server, you cannot use the gateway globally.

Enabling clusters for global use

You can enable a cluster for global use in the same way that you enable a Security Gateway. A global cluster object and a VPN Domain object are created for the cluster in the Global Domain.

Step 3 - Creating the VPN Global Community

After you enable VPN on the Security Gateways and enable them for global use, you can create the Global VPN Community.

To create a Global VPN Community:

  1. In the Global Domain, go to Security Policies > Access Control > Access Tools > VPN Communities > New.

  2. Add the global Security Gateway objects, defined in step 1, as participating Security Gateways in the community.

To learn more about VPN communities, see the R81 Site to Site VPN Administration Guide.

Step 4 - Defining a Security Policy

The configuration of Security Gateways into a Global VPN Community does not automatically let the Security Gateways access each other. For the Security Gateways to communicate with each other you must define an Access Control Security Policy.

You can define the Access Control Security Policy in the Global Domain or in the Local Domains or both.

To define a Global Security Policy, see Global Management. To learn more about the Access Control Security Policy Rule Base, see the R81 Security Management Administration Guide.

Step 5 - Assigning the Global Configuration to the Local Domains

After you create the Global VPN Community, and in some cases also the Global Policy, you must assign the Global configuration to the Local Domains. After assignment, install the policy on the Local Domains.

To assign the global configuration to the Local Domains:

  1. Make sure you published all the changes made in the Global Domain.

  2. In the Multi-Domain Server SmartConsole > Multi-Domain view > Global Assignments, assign the Global objects to the Local Domains (see Global Assignments).

  3. Install policy on the Security Gateways.

Note - All Security Gateways which participate in the Global VPN Community must use a Simplified VPN Policy.

For each Domain with Security Gateways in the Global VPN Community, a global CA Server object is created in the Global Domain. During the assignment process, the Multi-Domain Server automatically exports the relevant Domain ICA information (such as the CA certificate) to all the Domain Management Servers with Security Gateways that participate in the community. This way, all the Security Gateways in the community can trust each other's ICAs.

After the assignment, the Global VPN Community object shows in each Domain with Security Gateways in the community. If you assign a Global Policy to a Domain that has no Security Gateways in the community, this Domain does not show the community object and the community Security Gateway objects.
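The following is an added preflight model, not Check Point code, that ties Steps 1, 2 and 5 together: it checks that each Domain Security Gateway has IPSec VPN enabled, a VPN Domain configured and global use enabled, derives the global name with the default template shown above, confirms that two gateways with the same name in different Domains do not collide, and lists which Local Domains will actually receive the community object on assignment (Domains without participating gateways are left out, as the page notes). The gateway records, the `DomainGateway` class and the `preflight` and `domains_to_assign` helpers are constructed for this illustration and do not correspond to any Check Point API.

```python
"""Preflight model for a Global VPN Community (added example, not Check Point code)."""
from dataclasses import dataclass

# Default global name format from the page: <Name of Security Gateway>_of_<Name of Domain>
DEFAULT_GLOBAL_NAME_TEMPLATE = "{gateway}_of_{domain}"


@dataclass(frozen=True)
class DomainGateway:
    """Hypothetical record of one Domain Security Gateway and its prerequisites."""
    domain: str        # Local Domain that owns the gateway
    name: str          # gateway name inside that Domain (unique only per Domain)
    ipsec_vpn: bool    # General Properties > IPSec VPN enabled (Step 1)
    vpn_domain: str    # "topology", "range" or "" when no VPN Domain is set (Step 1)
    global_use: bool   # "Enable Global Use" already done (Step 2)


def global_name(gw: DomainGateway, template: str = DEFAULT_GLOBAL_NAME_TEMPLATE) -> str:
    """Apply the Global Names Template to a Domain gateway."""
    return template.format(gateway=gw.name, domain=gw.domain)


def preflight(gateways):
    """Return (problems, plan).

    problems: human-readable reasons a gateway cannot join the community yet.
    plan: mapping global name -> DomainGateway for every gateway that is ready.
    """
    problems = []
    plan = {}
    for gw in gateways:
        if not gw.ipsec_vpn:
            problems.append(f"{gw.domain}/{gw.name}: IPSec VPN not enabled (Step 1)")
            continue
        if not gw.vpn_domain:
            problems.append(f"{gw.domain}/{gw.name}: no VPN Domain configured (Step 1)")
            continue
        if not gw.global_use:
            problems.append(f"{gw.domain}/{gw.name}: not enabled for global use (Step 2)")
            continue
        gname = global_name(gw)
        if gname in plan:  # cannot happen with the default template, but a custom one might
            problems.append(f"{gw.domain}/{gw.name}: global name collision on {gname}")
            continue
        plan[gname] = gw
    return problems, plan


def domains_to_assign(plan):
    """Local Domains that receive the community object on Global Assignment (Step 5)."""
    return sorted({gw.domain for gw in plan.values()})


# Constructed sample inventory: two Domains each own a gateway called "MyGateway",
# a third Domain's gateway is not yet enabled for global use.
SAMPLE_GATEWAYS = [
    DomainGateway("MyDomain", "MyGateway", True, "topology", True),
    DomainGateway("OtherDomain", "MyGateway", True, "range", True),
    DomainGateway("ThirdDomain", "EdgeGW", True, "topology", False),
]

if __name__ == "__main__":
    problems, plan = preflight(SAMPLE_GATEWAYS)
    for p in problems:
        print("NOT READY:", p)
    for gname, gw in plan.items():
        print(f"{gname:<28} <- {gw.domain}/{gw.name}")
    print("Domains to assign:", domains_to_assign(plan))
```

Running the sample shows the two same-named gateways receiving distinct global names (`MyGateway_of_MyDomain` and `MyGateway_of_OtherDomain`), the ThirdDomain gateway flagged as not ready, and only MyDomain and OtherDomain listed for assignment.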

Reassigning the Global Configuration to One or More Local Domains

If you make changes to the global configuration, reassign the configuration to the Domains.

To reassign the Global configuration to the Local Domains:

  1. In the Multi-Domain Server SmartConsole > Multi-Domain view > Global Assignments, select the Domains that have Security Gateways which participate in the Global VPN Community and click Reassign.

  2. In the Reassign window, select Install policy on successful assignment. This installs the Global Policy on the Security Gateways which participate in the Global VPN Community.

    Note - This operation assigns the Policy to all selected Domains, and then installs the Policy on all Domain Security Gateways, in one step. It does not let you select specific Security Gateways on which to install the Policy. The selected Policy is installed on all Security Gateways in the selected Domains. Assigning the Policy to many Domains and all their Security Gateways can take some time. Use this option with caution.