VPN with a Virtual Gateway in a Cloud
This section describes a Site to Site VPN Tunnel between an on-premises VPN Gateway and a Virtual Gateway in a Cloud.
You can configure a Site to Site VPN tunnel between an on-premises Check Point Security Gateway and a Virtual Gateway in a Virtual Private Cloud.
R82 supports this feature only for:
- Amazon Web Services (AWS)
- Microsoft Azure
Configuration Flow for Site to Site VPN Tunnels with a Cloud
- An Administrator configures the required settings in SmartConsole - configures a new Site to Site VPN Tunnel, or deletes an existing Site to Site VPN Tunnel.
- An Administrator installs the Security Policy on the on-premises VPN Gateway / VPN Cluster automatically.
- In addition to the Security Policy, the Management Server creates the required one-time configuration instructions (VTI, Dynamic Routing) for the on-premises VPN Gateway / VPN Cluster Members.
- The Management Server sends the Security Policy and the one-time configuration instructions to the on-premises VPN Gateway / VPN Cluster Members.
- The on-premises VPN Gateway / VPN Cluster Members install the Security Policy.
- The on-premises VPN Gateway / VPN Cluster Members run the one-time configuration instructions (VTI, Dynamic Routing).
- The Management Server deletes these one-time configuration instructions (VTI, Dynamic Routing) from its database.
Prerequisites for Site to Site VPN Tunnels with a Cloud
- Publish the SmartConsole session.
- Install the applicable Security Policies on the on-premises VPN Gateway / VPN Cluster, for which you plan to configure (or remove) the Site to Site VPN Tunnel with a Virtual Gateway in a Cloud.
Limitations of Site to Site VPN Tunnels with a Cloud
- This configuration is not supported in the Global Domain on a Multi-Domain Server.
- When you configure a new Site to Site VPN Tunnel or delete an existing Site to Site VPN Tunnel, do not change the configuration of the VPN Tunnel Interfaces (VTIs) on the on-premises VPN Gateway / VPN Cluster until the Management Server finishes the policy installation.
- On-premises Security Gateways with a Dynamically Assigned IP Address (DAIP) do not support this configuration.
Important Notes for Site to Site VPN Tunnels with a Cloud
- When you configure a new Site to Site VPN Tunnel or delete an existing one, you must not configure other settings or objects that the procedures below do not mention explicitly.
  If you must make other configuration changes, do them before or after the procedures below.
- If the configuration of a new Site to Site VPN Tunnel does not work, delete the current configuration, install the Security Policy, and configure the required settings again.
- If it is necessary to change the configuration of an existing Site to Site VPN Tunnel (for example, to select a different Virtual Gateway in the cloud), delete the current configuration, install the Security Policy, and configure the required settings again.
- If it is necessary to revert to a Database Revision on the Management Server, you must make sure the Site to Site VPN Tunnel configuration in that Database Revision matches the Site to Site VPN Tunnel configuration on the on-premises VPN Gateway / VPN Cluster Members.
  For information about Database Revisions, see the R82 Security Management Administration Guide > Chapter "Preferences and Management Settings" > Section "Database Revisions".
  You must follow the applicable scenario:
  Important - If you do the revert procedure incorrectly or it fails, the Site to Site VPN Tunnel configuration on the Security Gateway and the Management Server no longer matches. Contact Check Point Support and refer to sk179691.
Configuring a New Site to Site VPN Tunnel with a Cloud
- Use the cloud provider's user interface to configure:
  - The Data Center
  - The Virtual Gateways
  - The applicable VPN settings
- Connect with SmartConsole to the Check Point Management Server that manages the on-premises Check Point Security Gateway.
- From the left navigation panel, click Gateways & Servers.
- Create and configure the Security Gateway object, if you did not do so yet.
  See the R82 Security Management Administration Guide > Chapter Managing Gateways > Section Creating a New Security Gateway.
- Create a new Data Center object for your cloud provider.
  If you already have a Data Center object configured, open it, and run a test on its connection to the cloud.
  See the R82 CloudGuard Controller Administration Guide > Chapter Supported Data Centers.
- Import the applicable Virtual Gateways (VGW):
  - In the top right corner, click the Objects pane > Data Centers.
  - Right-click the applicable Data Center object.
  - Click Import.
  - Select and add the applicable Virtual Gateway (VGW) objects.
  - Close the Data Center window.
- Add these objects to the applicable VPN Community (see Getting Started with Site to Site VPN):
  - The on-premises Check Point Security Gateway
  - The imported Virtual Gateways (VGW)
- Click OK.
  Important - It is not necessary to configure the VPN Community settings. The Virtual Gateway (VGW) controls the VPN Community settings for this Site to Site VPN tunnel.
- Configure the applicable Access Control rules.
  See the R82 Security Management Administration Guide > Chapter Creating an Access Control Policy.
- Publish the SmartConsole session.
- Install the Access Control Policy on the Check Point Security Gateway.
Removing an Existing Site to Site VPN Tunnel with a Cloud
- In SmartConsole, delete the applicable configuration from the Virtual Gateway or the on-premises Check Point Security Gateway.
- Publish the SmartConsole session.
- Install the Access Control Policy on the Check Point Security Gateway.
Monitoring Site to Site VPN with Cloud
Starting from R82, Check Point's self-healing solution keeps your cloud and on-premises environments synchronized automatically: through continuous monitoring, it detects changes made in the cloud and applies them on-premises, so that your Site to Site VPN tunnels keep working.
- When encryption settings are changed within the cloud environment (such as AWS, Azure, and Google Workspace), the changes synchronize with the corresponding configuration on the on-premises infrastructure. For these changes to take effect, the on-premises administrator must install the relevant policies. SmartConsole displays a notification that alerts the administrator to this requirement, and the changes are recorded in the logs for reference and auditing.
- Changes to BGP (Border Gateway Protocol) and routing configuration made in the cloud environment are automatically propagated to the corresponding configuration on the on-premises infrastructure. These changes take effect only after the required policies are installed. Administrators are immediately notified of this requirement through pop-up messages, and the changes are logged for traceability and analysis.
- When a Site to Site VPN tunnel is deleted in the cloud infrastructure, the corresponding tunnel on the on-premises side is automatically removed, subject to pending policy installation. Administrators are immediately alerted to this event through pop-up notifications, and log records are generated. Similarly, if the Site to Site VPN tunnel is re-established within the cloud environment, the corresponding tunnel on the on-premises infrastructure is automatically reinstated, provided that both the cloud VPN peer and the on-premises Security Gateway remain in the same VPN Community.
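The following added example is not Check Point code; it is a hypothetical model, written for this page, of the two consistency checks described above: the pre-revert rule in the Important Notes (a Database Revision must match the tunnel configuration on the on-premises gateway) and the cloud-to-on-premises synchronization in this section (encryption or BGP changes and tunnel deletions in the cloud are applied on-premises, take effect only after policy installation, and a re-established tunnel is reinstated only when the peer and the gateway share a VPN Community). The `TunnelConfig` fields, the sample records and the log wording are all assumptions made for the example.

```python
"""Added illustration, not Check Point code: a hypothetical model of the two
drift checks this page describes - (1) does a Database Revision still match
the tunnel configuration on the gateway before a revert, and (2) how changes
made on the cloud side are applied on-premises with a pending policy install.
All field names, the sample records and the log wording are assumptions."""
from dataclasses import dataclass, fields, replace


@dataclass(frozen=True)
class TunnelConfig:
    """One Site to Site VPN tunnel as one side sees it (fields assumed)."""
    peer: str          # cloud Virtual Gateway (VGW) object name
    community: str     # VPN Community the peer is a member of
    encryption: str    # IKE/IPsec settings, collapsed to one label here
    bgp_asn: int       # BGP ASN of the cloud peer (routing settings)


# Fields compared between the two sides; "peer" is the dictionary key.
COMPARED = tuple(f.name for f in fields(TunnelConfig) if f.name != "peer")


def drift(expected, actual):
    """Return (peer, kind, expected_value, actual_value) tuples describing
    every difference between two tunnel sets keyed by peer name."""
    diffs = []
    for peer in sorted(set(expected) | set(actual)):
        exp, act = expected.get(peer), actual.get(peer)
        if exp is None:
            diffs.append((peer, "missing-in-expected", None, act))
        elif act is None:
            diffs.append((peer, "missing-in-actual", exp, None))
        else:
            for name in COMPARED:
                if getattr(exp, name) != getattr(act, name):
                    diffs.append((peer, name, getattr(exp, name), getattr(act, name)))
    return diffs


def safe_to_revert(revision, gateway):
    """Pre-revert check from the Important Notes: the Database Revision must
    match what is actually configured on the on-premises gateway."""
    return not drift(revision, gateway)


def synchronize(cloud, onprem, gateway_communities):
    """Apply cloud-side changes to the on-premises tunnel set.

    Returns (new_onprem, policy_install_pending, log_lines). Nothing takes
    effect until the administrator installs policy, so the caller is told
    whether an install is now pending."""
    new = dict(onprem)
    logs = []
    for peer, kind, cloud_val, onprem_val in drift(cloud, onprem):
        if kind == "missing-in-expected":
            # Tunnel deleted in the cloud: remove the on-premises counterpart.
            del new[peer]
            logs.append(f"tunnel to {peer} deleted in cloud; removed on-premises")
        elif kind == "missing-in-actual":
            # Tunnel (re-)established in the cloud: reinstate it only when
            # the cloud peer and the gateway share a VPN Community.
            if cloud_val.community in gateway_communities:
                new[peer] = cloud_val
                logs.append(f"tunnel to {peer} re-established in cloud; reinstated on-premises")
            else:
                logs.append(f"tunnel to {peer} found in cloud but {cloud_val.community} "
                            "is not a community of this gateway; no action")
        elif kind in ("encryption", "bgp_asn"):
            # Encryption or routing settings changed in the cloud.
            new[peer] = replace(new[peer], **{kind: cloud_val})
            logs.append(f"{kind} for {peer} changed in cloud: {onprem_val} -> {cloud_val}")
        else:
            logs.append(f"{kind} for {peer} differs ({onprem_val} vs {cloud_val}); review manually")
    pending = new != dict(onprem)
    return new, pending, logs


# Constructed sample state for one on-premises gateway (not real data).
GATEWAY_COMMUNITIES = {"Cloud-Community"}
ONPREM = {
    "vgw-aws-east": TunnelConfig("vgw-aws-east", "Cloud-Community", "AES-256/SHA-256", 64512),
    "vgw-azure-west": TunnelConfig("vgw-azure-west", "Cloud-Community", "AES-256/SHA-256", 65515),
}
CLOUD = {
    # encryption settings changed on the AWS side
    "vgw-aws-east": TunnelConfig("vgw-aws-east", "Cloud-Community", "AES-256-GCM", 64512),
    # vgw-azure-west was deleted in the cloud
    # a new Azure VGW that is not in a community shared with this gateway
    "vgw-azure-north": TunnelConfig("vgw-azure-north", "Other-Community", "AES-256/SHA-256", 65515),
}

if __name__ == "__main__":
    print("revision matches gateway:", safe_to_revert(ONPREM, ONPREM))
    updated, pending, log_lines = synchronize(CLOUD, ONPREM, GATEWAY_COMMUNITIES)
    for line in log_lines:
        print("log:", line)
    if pending:
        print("notification: policy installation required on the on-premises gateway")
```

Running the sample applies the AWS encryption change, removes the deleted Azure tunnel, and leaves the new Azure gateway untouched because it shares no VPN Community with the on-premises gateway; `pending` is then true, which is the point at which the page says the administrator sees the SmartConsole notification and must install policy. The same `drift` function, called with a Database Revision and the gateway's current tunnel set, gives the yes/no answer the pre-revert note requires.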