Check Point-Silver Peak Integration Guide

Network Security as a Service

About This Guide

This guide explains how to set up GRE tunnels and service chain traffic from a Silver Peak EdgeConnect appliance to the Check Point Network Security as a Service (NSaaS).

It consists of 4 steps:

  1. Create a Site at Check Point's Infinity Portal
  2. Add the Check Point Tunnels to the Silver Peak Business Intent Overlay Policy
  3. Monitor end-to-end traffic with the Silver Peak Monitoring Flows
  4. Monitor cybersecurity events at the Check Point Infinity Portal

About Check Point Network Security as a Service

Check Point's Network Security as a Service is a cloud security platform that provides Check Point's latest Threat Prevention and Access Control for branch offices. Customers can connect their existing routing equipment or SD-WAN device to Network Security as a Service without additional dedicated hardware by Check Point.

Network Security as a Service is a full software-as-a-service solution, eliminating the need for maintenance by the customer.

Check Point's security product line includes:

    • Prevention of known attacks using reputation services, signatures and bot communication prevention.
    • Prevention of unknown attacks using cloud-based sandboxing.
    • An Access Control policy including Content Awareness, HTTPS Inspection and Application Control.
    • Web-based management for security events and log monitoring, policy and site configuration.


Figure 1: Check Point's Network Security as a Service.

About Silver Peak

Silver Peak is a leader in building SD-WAN and hybrid WANs, empowering enterprises and service providers to securely connect users to applications. The EdgeConnect SD-WAN edge platform lets enterprises confidently embrace broadband and connect users directly from branch offices to cloud applications, giving every application the resources it needs while delivering 10x the bandwidth for the same budget.

EdgeConnect physical, virtual or cloud appliances support industry standard hypervisors and are purchased via subscription-based licensing. The platform is centrally managed with Unity Orchestrator.

Create a Site at Check Point's Infinity Portal

Protecting sites with GRE tunnels

  1. Sign in to the Check Point Infinity Portal at https://portal.checkpoint.com/signin/cloudguardnsaas


    Figure 2: Check Point Infinity Portal sign-in page.

    If you don’t have an account yet, you can register for one.

    Note: Upon registration, make sure that the "Network" icon is colored pink and that the text says Create your Infinity account to access Network Security as a Service; otherwise you might end up subscribing to a different security product.

    Network Security as a Service is dependent on a purchased software license. For more about licensing, contact your Check Point Sales representative, or check for updates at Check Point’s User Community.


    Figure 3: Registering a new account for Network Security as a Service. It is important to notice that the name of the application on the left side says Network Security as a Service.

  2. Once you are logged into the Check Point Infinity Portal, make sure that you are currently looking at the Network Security as a Service application.


    Figure 4: The title says Network Security as a Service.

    If the title shows the name of a different application, click the application switcher icon at the top-left corner and select Network Security as a Service.


    Figure 5: Changing between different applications at the Check Point Infinity portal to Network Security as a Service.

  3. Navigate to Sites.

    The Sites screen displays.


    Figure 6: Create a Check Point site.

  4. Select the + button to create a new site.

    A site represents your branch office that uses a Silver Peak EdgeConnect device.

    The CREATE NEW SITE screen displays.

  5. In the Site Name field, enter a name for the Site.
  6. In the Location of the cloud service field, select the location that suits your site. Check Point's Network Security as a Service inspects traffic from your branch office to the Internet at a cloud service that resides in one of these locations, so for the best performance you would typically select the location closest to your site. For some regions, most notably South America or the Middle East, the best choice may instead be the location with the strongest cross-country Internet link to your site.
  7. In the Comments field, enter an optional description of the site.


    Figure 7: Configuring Site Details.

  8. Click Next.
  9. For the purpose of this guide, choose GRE as the Tunnel Type. Note that GRE encapsulates the branch traffic but does not encrypt or authenticate it.
  10. In the External IP field, enter the public IP address of your branch office site, which is the address from which the GRE tunnel reaches Check Point.

    Note: this IP must be static and accessible from the Internet. You can track Check Point’s updates regarding support of other topologies at this User Community thread.


    Figure 8: Configuring Router Details.

  11. Click Next.
  12. In the Internal Subnets page, enter the IP subnets of the internal networks at your branch office site.

    Check Point's Network Security as a Service applies its cybersecurity features to any traffic coming from these network addresses.


    Figure 9: Configuring site internal subnets.

  13. Click Next.


    Figure 10: Confirm Site Creation step.

  14. Select Finish and Create Site.

    Check Point might take a few minutes to create the site.


    Figure 11: Site is being created.

Configure your SD-WAN router to route traffic through Check Point Network Security as a Service

  1. Select the card that represents your site.
  2. Select Menu > View Instructions.


    Figure 12: Get to Site Instructions.

  3. The instructions contain the following:

    • The IP address and destinations for each of the two GRE tunnels.
    • The failover or fail open options for the tunnels.
    • The access routes to route traffic from the internal networks, protected by Check Point's Network Security as a Service, to go through the Check Point service.

    Figure 13: Check Point sites.
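As an added example (not part of this guide and not code from Check Point or Silver Peak), the following Python script builds and parses the kind of GRE-over-IPv4 packet these tunnels carry, so you can recognize it in a WAN-side capture: the outer IPv4 header runs from the site's External IP to the Check Point tunnel address with IP protocol 47, followed by a four-byte GRE header whose protocol type 0x0800 announces an IPv4 payload. The addresses, the inner packet and the payload are constructed placeholders, not values from Site Instructions. The decapsulated inner packet comes back byte for byte, which also shows that GRE carries the branch traffic in the clear.

```python
"""Build and parse a GRE-over-IPv4 packet (RFC 2784 base header; the
RFC 2890 key and sequence options are recognised when parsing), as carried
between a site's External IP and a Check Point tunnel endpoint.

Added example; all addresses and the payload below are constructed
placeholders, not values from Check Point Site Instructions.
"""
import ipaddress
import struct

GRE_PROTO = 47               # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800      # GRE protocol-type value for an IPv4 payload
IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, no options


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a header whose
    checksum field is already correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header with DF set and a correct checksum."""
    hdr = struct.pack(IPV4_FMT,
                      0x45, 0, 20 + payload_len,   # version 4 / IHL 5, DSCP+ECN, total length
                      1, 0x4000,                   # identification, flags (DF), fragment offset
                      ttl, proto, 0,               # TTL, protocol, checksum placeholder
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Prepend a plain GRE header (C=K=S=0, version 0) and an outer IPv4 header."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    payload = gre + inner_packet
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(payload)) + payload


def gre_decapsulate(packet: bytes) -> dict:
    """Check the outer IPv4 and GRE headers and return the tunnel endpoints
    plus the inner packet. Raises ValueError for anything that is not
    GRE-over-IPv4 carrying an IPv4 payload."""
    if len(packet) < 24:
        raise ValueError("too short for IPv4 + GRE")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed outer IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if proto != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE (47)" % proto)
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver & 0x0007:                       # version field must be 0 (RFC 2784)
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload type 0x%04x is not IPv4" % ptype)
    gre_len = 4
    if flags_ver & 0x8000:                       # C: checksum + reserved1 present
        gre_len += 4
    if flags_ver & 0x2000:                       # K: key present (RFC 2890)
        gre_len += 4
    if flags_ver & 0x1000:                       # S: sequence number present (RFC 2890)
        gre_len += 4
    return {
        "outer_src": str(ipaddress.IPv4Address(src)),
        "outer_dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "inner": packet[ihl + gre_len:total_len],
    }


# Constructed sample: a branch host's HTTP request, tunnelled from the site's
# External IP to a Check Point tunnel address. Both are documentation ranges,
# not real endpoints, and the inner "TCP" payload is simplified to raw bytes.
BRANCH_EXTERNAL_IP = "203.0.113.10"
CHECKPOINT_TUNNEL_IP = "198.51.100.1"
INNER_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
INNER_PACKET = ipv4_header("10.1.1.10", "93.184.216.34", 6, len(INNER_PAYLOAD)) + INNER_PAYLOAD


def sample_tunnel_packet() -> bytes:
    return gre_encapsulate(BRANCH_EXTERNAL_IP, CHECKPOINT_TUNNEL_IP, INNER_PACKET)


if __name__ == "__main__":
    info = gre_decapsulate(sample_tunnel_packet())
    print("outer", info["outer_src"], "->", info["outer_dst"], "ttl", info["ttl"])
    print("inner payload visible in the clear:", info["inner"][20:])
```

In a capture taken on the EdgeConnect WAN side, a filter on IP protocol 47 with the site's External IP as source and the Check Point tunnel address as destination isolates exactly these packets; if you see the inner packets leaving unencapsulated instead, the BIO is not steering that traffic into the tunnel.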

Setting up Silver Peak EdgeConnect

To secure internet traffic and provide direct internet breakout from the branch, Silver Peak supports internet pass-through tunnels to Check Point Network Security as a Service. You can configure EdgeConnect appliances for the following use cases.

Note: Use Silver Peak EdgeConnect version 8.1.9.0 or later and Silver Peak Orchestrator version 8.5.0 or later.

Set up a single GRE tunnel

This section describes how to set up a single GRE tunnel to send traffic to and from Check Point.

Configure a deployment profile

Use deployment profiles to standardize your deployments, configuring the LAN interfaces and WAN interfaces of your GRE tunnel.

  1. In the Orchestrator main screen, right click the EdgeConnect appliance to which you want to add GRE tunnels.
  2. Select Deployment.

    The Deployment screen displays.

  3. In the Deployment screen, create your LAN interfaces and WAN interfaces. In this example, the deployment profile has lan0, lan1, wan0, and wan1.
  4. From the FW Mode list, select your preferred firewall mode.
  5. Set the bandwidth and next hop IP addresses.
  6. Select Apply.


    Figure 14: Logical deployment of a single GRE tunnel to Check Point.

Configure Business Intent Overlay policies

A business intent overlay (BIO) specifies how traffic with particular characteristics is handled within the network. For GRE tunnels to Check Point, this example uses an overlay called GRE with an overlay ACL of InternetTraffic that defines the web traffic.

To use the GRE tunnels in a business intent overlay, complete the following steps.

  1. In the Orchestrator main screen, select Business Intent Overlay. The Business Intent Overlay screen displays.
  2. From the Overlays list, choose GRE or the overlay of your choice.
  3. In the Internet Traffic section, select the pencil icon next to Policies.
  4. In the Service Name field, add a new service object representing the Check Point peer/service. Type a new name that suits the Check Point service such as Check Point Cloud.
  5. Select Add.
  6. Select Close to return to the previous screen.
  7. From the Business Intent Overlay screen, move the Check Point service to the Preferred Policy Order section.
  8. In the Preferred Policy Order section, move the Check Point service above the other policies.

    Note: By moving the Check Point service to the top of the list, all internet-bound traffic passes through the Check Point GRE tunnel. If the tunnel is down, traffic backhauls via the overlay.

  9. Select Save all to apply all changes.


    Figure 15: Business Intent Overlays for internet traffic.

You configured business intent overlay policies that point to the GRE tunnel.

Apply the overlay to the appliance

For the BIO to take effect, apply the overlay to the appliance.

  1. In the left tree section, select the appliances to apply the overlay.
  2. Select the Add check box for the GRE overlay.
  3. Select Apply.


    Figure 16: Apply the overlay.

Set up pass-through tunnels

Create pass-through tunnels to service chain traffic to and from Silver Peak and Check Point.

  1. In the Orchestrator main screen, select Configuration > Tunnels. The Tunnels screen displays.
  2. Select the Passthrough tab.
  3. Select the pencil icon next to the appliance name to edit the appliance tunnel. A new screen opens.
  4. Select the Passthrough tab.
  5. Select Add Tunnel.
  6. In the Alias field, enter a name for the pass-through tunnel.
  7. From the Mode list, select GRE.
  8. From the Admin list, select up.
  9. In the Local IP field, enter the IP address of the Silver Peak EdgeConnect appliance.
  10. In the Remote IP field, enter the IP address of the Check Point tunnel that was presented at the Check Point Infinity Portal under Site Instructions.
  11. From the NAT list, select none.
  12. In the Peer/Service field, enter the name of the service that you gave in the BIO screen, for example CheckPoint.
  13. For Auto Max BW Enabled, select the check box.
  14. Select Save.


    Figure 17: Passthrough tunnel.

Check your route policies

A BIO automates the creation of route policies and generally determines the destination to which a packet is routed. Route policy settings are used for exceptions to the BIO configuration.

  1. In the Orchestrator main screen, select Configuration > Route Policies.
  2. View your route policy to make sure your tunnels are set up correctly.


    Figure 18: Route policies.

Monitor the traffic flow

After you set up GRE tunnels, examine the traffic behavior.

  1. In the Orchestrator main screen, select Monitoring > Active & Recent Flows.
  2. Monitor the traffic flows in the flows table.


    Figure 19: Monitoring flows.

Set up an active-active configuration

This section describes how to set up a two tunnel active-active configuration to send traffic to and from Check Point.

Configure a deployment profile

Use deployment profiles to standardize your deployments, configuring the LAN interfaces and WAN interfaces of your GRE tunnels.

  1. In the Orchestrator main screen, right click the EdgeConnect appliance to which you want to add GRE tunnels.
  2. Select Deployment.

    The Deployment screen displays.

  3. In the Deployment screen, create your LAN interfaces and WAN interfaces. In this example, the deployment profile has lan0, lan1, wan0, and wan1.
  4. From the FW Mode list, select your preferred firewall mode.
  5. Set the bandwidth and next hop IP addresses.
  6. Select Apply.


    Figure 20: Logical deployment of two GRE tunnels to Check Point.

Configure Business Intent Overlay policies

A business intent overlay (BIO) specifies how traffic with particular characteristics is handled within the network. In an active-active configuration, create a single service that points to the two Check Point GRE tunnels in the BIO screen.

To use the GRE tunnels in a business intent overlay, complete the following steps.

  1. In the Orchestrator main screen, select Business Intent Overlay. The Business Intent Overlay screen displays.
  2. From the Overlays list, choose GRE or the overlay of your choice.
  3. In the Internet Traffic section, select the pencil icon next to Policies.
  4. In the Service Name field, add a new service object representing the Check Point peer/service. Type a new name that suits the Check Point service such as Check Point Cloud.
  5. Select Add.
  6. Select Close to return to the previous screen.
  7. From the Business Intent Overlay screen, move the Check Point service to the Preferred Policy Order section.
  8. In the Preferred Policy Order section, move the Check Point service above the other policies.

    Note: By moving the Check Point service to the top of the list, all internet-bound traffic passes through the two Check Point GRE tunnels. If one tunnel is down, traffic uses the other; if both tunnels are down, traffic backhauls via the overlay.

  9. Select Save all to apply all changes.


    Figure 21: Business Intent Overlays for internet traffic.

You configured business intent overlay policies that point to the GRE tunnels.

Apply the overlay to the appliance

For the BIO to take effect, apply the overlay to the appliance.

  1. In the left tree section, select the appliances to apply the overlay.
  2. Select the Add check box for the GRE overlay.
  3. Select Apply.


    Figure 22: Apply the overlay.

Set up pass-through tunnels

Create two pass-through tunnels to service chain traffic to and from Silver Peak and Check Point.

  1. In the Orchestrator main screen, select Configuration > Tunnels. The Tunnels screen displays.
  2. Select the Passthrough tab.
  3. Select the pencil icon next to the appliance name to edit the appliance tunnel. A new screen opens.
  4. Select the Passthrough tab.
  5. Select Add Tunnel.
  6. In the Alias field, enter a name for the pass-through tunnel, such as to_CheckPoint.
  7. From the Mode list, select GRE.
  8. From the Admin list, select up.
  9. In the Local IP field, enter the IP address of the Silver Peak EdgeConnect appliance.
  10. In the Remote IP field, enter the IP address of the Check Point tunnel that was presented at the Check Point Infinity Portal under Site Instructions.
  11. From the NAT list, select none.
  12. In the Peer/Service field, enter the name of the service that you gave in the BIO screen, for example CheckPoint.
  13. For Auto Max BW Enabled, select the check box.
  14. Select Save.
  15. Create a second tunnel by repeating steps 5 through 14, using the second Check Point tunnel IP address from Site Instructions as the Remote IP and the same Peer/Service name. Give the second tunnel an alias name, such as to_CheckPoint_2.


    Figure 23: Passthrough tunnel.

Check your route policies

A BIO automates the creation of route policies and generally determines the destination to which a packet is routed. Route policy settings are used for exceptions to the BIO configuration.

  1. In the Orchestrator main screen, select Configuration > Route Policies.
  2. View your route policy to make sure your tunnels are set up correctly.


    Figure 24: Route policies.

Confirm the flow behavior

Confirm that the flows are behaving correctly.

  1. Send four flows to the internet. Confirm that two flows go through the first Check Point tunnel and the other two flows go through the second Check Point tunnel.


    Figure 25: Example of four traffic flows to the internet.

  2. Turn off the first Check Point tunnel. Confirm that all traffic goes through the second Check Point tunnel.


    Figure 26: Example of traffic behavior after turning off the first tunnel.

  3. Turn the first Check Point tunnel back on. Confirm that traffic load balances between the two tunnels.


    Figure 27: Example of traffic behavior after turning on the first tunnel.

Set up an active-standby configuration

This section describes how to set up a two tunnel active-standby configuration to send traffic to and from Check Point.

Configure a deployment profile

Use deployment profiles to standardize your deployments, configuring the LAN interfaces and WAN interfaces of your GRE tunnels.

  1. In the Orchestrator main screen, right click the EdgeConnect appliance to which you want to add GRE tunnels.
  2. Select Deployment.

    The Deployment screen displays.

  3. In the Deployment screen, create your LAN interfaces and WAN interfaces. In this example, the deployment profile has lan0, lan1, wan0, and wan1.
  4. From the FW Mode list, select your preferred firewall mode.
  5. Set the bandwidth and next hop IP addresses.
  6. Select Apply.


    Figure 28: Logical deployment of two GRE tunnels to Check Point.

Configure Business Intent Overlay policies

A business intent overlay (BIO) specifies how traffic with particular characteristics is handled within the network. In an active-standby configuration, create two services that point to the Check Point GRE tunnels, CheckPoint and CheckPoint_2, in the BIO screen.

To use the GRE tunnels in a business intent overlay, complete the following steps.

  1. In the Orchestrator main screen, select Business Intent Overlay. The Business Intent Overlay screen displays.
  2. From the Overlays list, choose GRE or the overlay of your choice.
  3. In the Internet Traffic section, select the pencil icon next to Policies.
  4. In the Service Name field, add a new service object for each of the two Check Point tunnels, for example CheckPoint and CheckPoint_2.
  5. Select Add.
  6. Select Close to return to the previous screen.
  7. From the Business Intent Overlay screen, move both Check Point services to the Preferred Policy Order section.
  8. In the Preferred Policy Order section, place the Check Point services one below the other, with the active service (CheckPoint) above the standby service (CheckPoint_2) and both above the other policies.

    Note: Because the services are evaluated in order, all internet-bound traffic passes through the active Check Point tunnel while it is up. If it is down, traffic fails over to the standby tunnel; if both tunnels are down, traffic backhauls via the overlay.

  9. Select Save all to apply all changes.


    Figure 29: Business Intent Overlays for internet traffic.

You configured business intent overlay policies that point to the GRE tunnels.

Apply the overlay to the appliance

For the BIO to take effect, apply the overlay to the appliance.

  1. In the left tree section, select the appliances to apply the overlay.
  2. Select the Add check box for the GRE overlay.
  3. Select Apply.


    Figure 30: Apply the overlay.

Set up pass-through tunnels

Create two pass-through tunnels to service chain traffic to and from Silver Peak and Check Point.

  1. In the Orchestrator main screen, select Configuration > Tunnels. The Tunnels screen displays.
  2. Select the Passthrough tab.
  3. Select the pencil icon next to the appliance name to edit the appliance tunnel. A new screen opens.
  4. Select the Passthrough tab.
  5. Select Add Tunnel.
  6. In the Alias field, enter a name for the pass-through tunnel, such as to_CheckPoint.
  7. From the Mode list, select GRE.
  8. From the Admin list, select up.
  9. In the Local IP field, enter the IP address of the Silver Peak EdgeConnect appliance.
  10. In the Remote IP field, enter the IP address of the Check Point tunnel that was presented at the Check Point Infinity Portal under Site Instructions.
  11. From the NAT list, select none.
  12. In the Peer/Service field, enter the name of the service that you gave in the BIO screen, for example CheckPoint.
  13. For Auto Max BW Enabled, select the check box.
  14. Select Save.
  15. Create a second tunnel by repeating steps 5 through 14, using the second Check Point tunnel IP address from Site Instructions as the Remote IP. Use the service name CheckPoint_2 and the alias name to_CheckPoint_2.


    Figure 31: Passthrough tunnel.

Check your route policies

A BIO automates the creation of route policies and generally determines the destination to which a packet is routed. Route policy settings are used for exceptions to the BIO configuration.

  1. In the Orchestrator main screen, select Configuration > Route Policies.
  2. View your route policy to make sure your tunnels are set up correctly.


    Figure 32: Route policies.

Monitor the traffic flow

After you set up GRE tunnels, examine the traffic behavior.

  1. In the Orchestrator main screen, select Monitoring > Active & Recent Flows.
  2. Monitor the traffic flows in the flows table.


    Figure 33: Monitoring flows.

Confirm the flow behavior

Confirm that the flows are behaving correctly.

  1. Send four flows to the internet. Confirm that all flows go through the active Check Point tunnel.


    Figure 34: Example of four traffic flows to the internet.

  2. Turn off the active Check Point tunnel. Confirm that all traffic goes through the standby tunnel.


    Figure 35: Example of traffic behavior after turning off the active tunnel.

  3. Turn on the active Check Point tunnel. Confirm that traffic goes through the active tunnel.


    Figure 36: Example of traffic behavior after turning on the active tunnel.
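As an added illustration (not Silver Peak code, and not the appliance's actual load-balancing algorithm), the following Python model captures the difference between the two layouts verified in the Confirm the flow behavior steps of the active-active and active-standby sections: in active-active, one service owns both tunnels and flows are spread across whichever of its tunnels are up; in active-standby, two services sit in Preferred Policy Order and the lower one carries traffic only while the upper one has no tunnel up; with no Check Point tunnel up, traffic backhauls via the overlay. The 5-tuple hash is a deliberately simple, hand-checkable stand-in, and the flows, addresses and tunnel states are constructed; the tunnel aliases and service names follow this guide.

```python
"""Model of how a Business Intent Overlay's Preferred Policy Order picks an
egress for an internet-bound flow, used to reason about the active-active
and active-standby layouts in this guide.

Added illustration, not Silver Peak code. The per-flow hash is a simple,
hand-checkable stand-in; the appliance's real algorithm is not documented
on this page.
"""
import ipaddress
from dataclasses import dataclass

OVERLAY_BACKHAUL = "overlay"   # fallback when no preferred service has a tunnel up


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int = 6


@dataclass
class Service:
    name: str       # Peer/Service name given in the BIO screen
    tunnels: list   # pass-through tunnel aliases bound to this service


def flow_hash(flow: Flow) -> int:
    """Stand-in for a 5-tuple hash: deterministic, so a flow sticks to one
    tunnel, and simple enough to check by hand (constructed, not the real one)."""
    return (int(ipaddress.ip_address(flow.src_ip)) + int(ipaddress.ip_address(flow.dst_ip))
            + flow.src_port + flow.dst_port + flow.proto)


def select_egress(flow: Flow, policy_order: list, tunnel_up: dict) -> str:
    """Walk the Preferred Policy Order top-down. The first service with at least
    one tunnel up wins, and its up tunnels are shared by flow hash. If no service
    has a usable tunnel, the flow backhauls via the overlay."""
    for service in policy_order:
        candidates = [t for t in service.tunnels if tunnel_up.get(t, False)]
        if candidates:
            return candidates[flow_hash(flow) % len(candidates)]
    return OVERLAY_BACKHAUL


# The two layouts from this guide, using its tunnel aliases and service names.
ACTIVE_ACTIVE = [Service("CheckPoint", ["to_CheckPoint", "to_CheckPoint_2"])]
ACTIVE_STANDBY = [Service("CheckPoint", ["to_CheckPoint"]),
                  Service("CheckPoint_2", ["to_CheckPoint_2"])]

# Four constructed flows from one branch host to one web server, like the four
# flows the Confirm the flow behavior steps send.
FOUR_FLOWS = [Flow("10.1.1.10", "93.184.216.34", 50000 + i, 443) for i in range(4)]


def egress_report(policy_order: list, tunnel_up: dict, flows=FOUR_FLOWS) -> dict:
    """Map each chosen egress to the number of flows it carried."""
    report = {}
    for flow in flows:
        egress = select_egress(flow, policy_order, tunnel_up)
        report[egress] = report.get(egress, 0) + 1
    return report


if __name__ == "__main__":
    states = {
        "both up": {"to_CheckPoint": True, "to_CheckPoint_2": True},
        "first down": {"to_CheckPoint": False, "to_CheckPoint_2": True},
        "none up": {"to_CheckPoint": False, "to_CheckPoint_2": False},
    }
    for label, order in (("active-active", ACTIVE_ACTIVE), ("active-standby", ACTIVE_STANDBY)):
        for state_label, state in states.items():
            print(f"{label:15} {state_label:11} -> {egress_report(order, state)}")
```

Because the selection is stateless, restoring the first tunnel in the active-standby layout immediately moves traffic back to it, which is the third check in that section; in the active-active layout the same event restores the split across both tunnels.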

Monitor Cybersecurity Events at the Check Point Infinity Portal

In the previous step we confirmed that end-to-end connectivity is working as expected. In this step we will observe which attacks were prevented by Check Point’s various cybersecurity engines.

  1. Sign in to the Check Point Infinity Portal at https://portal.checkpoint.com/signin/cloudguardnsaas


    Figure 37: Check Point Infinity Portal.

  2. Once you are logged into the Check Point Infinity Portal, make sure that you are currently looking at the Network Security as a Service application.


    Figure 38: The title says Network Security as a Service.

  3. If the title shows the name of a different application, click the application switcher icon at the top-left corner and select Network Security as a Service.


    Figure 39: Changing between different applications at the Check Point Infinity portal to Network Security as a Service.

  4. Navigate to Logs.

    The Logs screen displays with 4 different tabs.


    Figure 40: Check Point Logs view.

  5. Click the Cyber Attack View tab to observe attacks that were prevented by Check Point.
  6. Click the Access Control tab to observe malicious applications that were prevented by Check Point, as well as the total traffic consumed and visibility into the applications your end users accessed most.
  7. Click the Application and URL Filtering tab to generate a real-time report of your branch office cybersecurity posture. You can export this report to PDF by clicking the Menu at the top-right.
  8. Navigate to Policy to view and change your security policy for Access Control, Threat Prevention and HTTPS Inspection.

    Note: Changes to security policies are not applied until clicking Install Policy.


    Figure 41: Check Point Policy view.



    Figure 42: Check Point Access Control Policy view.

Summary

In this guide, we integrated Silver Peak's networking expertise with Check Point's cybersecurity expertise. We used the GRE protocol to connect a Silver Peak EdgeConnect device to a cloud service managed by Check Point, in order to apply Check Point's cybersecurity to branch office users. We used Check Point's Network Security as a Service web-based management and Silver Peak Orchestrator.