Web Security Service Legacy IPSEC Connectivity Instructions - Check Point

Article ID: 174235

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

This article details the steps to configure a Check Point firewall to establish an IPSEC connection with the Web Security Service.

The instructions here are provided as a snapshot of content that is no longer included with the Web Security Service Help Centre. For current instructions to configure an IPSEC connection with your Check Point firewall, refer to the Check Point support site here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk53980 or consult the Check Point support team for assistance.

Symantec tested and validated that Check Point® devices are able to forward web traffic to the Web Security Service for policy checks and malware scanning. The following procedure demonstrates the Simplified Mode with pre-shared secret method, which requires a unique gateway IP address (no NAT-T).

Version Demonstrated:

  • Check Point Gateway running R77.30.
  • Security Manager running R77.30.
  • SmartConsole R77.30.
  • EndPoint Security test with E80.50(8.3.937).

This procedure provides a guideline configuration that you can apply to the above model or other Check Point models. It is likely that you have an existing Check Point device configured in your network; therefore, slight alterations to the existing deployment might be required.

Note: R77.20 is the minimum supported version because of the Dead Peer Detection requirement.

Environment

Deployment Notes

  • The basic concept of this method is to configure the device with a site-to-site VPN connection and to configure the device policy rules so that web-based traffic is sent to the Web Security Service and everything else is ignored. Depending on your geographical location, you must create at least two VPN gateways.
  • The device must have an external routeable IP address.
  • Do not send Auth Connector traffic to the Web Security Service.
  • You can create a designated host or subnet that tests the IPsec connectivity to the Web Security Service without interrupting the production traffic. After successful testing, you then add production subnets.
  • The best practice is to set the rekey at the specified lifetime interval instead of for lifebytes.

Note: Symantec has seen outages occur if the Phase 2 Timeout value is set to longer than four (4) hours. If the current setting is less than four hours, you can leave that value. Otherwise, adjust the time. The screenshots in the following procedure might not reflect this advisory.

Resolution

Prerequisite—Verify that the device is ready for configuration.

This procedure assumes that the Check Point device is already configured with the inside interface or group object with multiple inside interfaces and an outside interface that will communicate with the Web Security Service.

Step 1—Create Symantec Encryption Domain.

Create a Simple Group of the five IP Address Ranges that together define all Internet addresses. The ranges leave out loopback, the RFC 1918 private blocks, and Class D and E space.

  1. In the SmartDashboard, select Network Objects.
  2. Right-click Address Ranges and select Address Ranges > Address Range.
     The interface displays the Address Range Properties dialog.
  3. Define the first IP Address range.
     a. Name the range.
     b. In the First IP address field, enter 1.0.0.0.
     c. In the Last IP address field, enter 9.255.255.255.
     d. Click OK.
  4. Repeat Step 1.3 (above) four times to complete the Internet ranges.
     a. First IP address: 11.0.0.0; Last IP address: 126.255.255.255.
     b. First IP address: 128.0.0.0; Last IP address: 172.15.255.255.
     c. First IP address: 172.32.0.0; Last IP address: 192.167.255.255.
     d. First IP address: 192.169.0.0; Last IP address: 223.255.255.255.
  5. Create the Simple Group. Remaining in the Network Objects applet, right-click Groups and select Simple Group.
     The interface displays the Group Properties dialog.
     a. Name the group.
     b. From the Not in Group area, select the five range objects that you created in Steps 1.3 and 1.4.
     c. Click Add to move them In Group.
     d. Click OK.
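The five ranges entered in Step 1 are simply the Internet address space with a handful of blocks cut out. The following Python script is an added example, not part of the article or of any Check Point tooling: it derives the ranges from an exclusion list using the standard library's ipaddress module and checks that the result matches the hand-entered list. It goes slightly beyond the article by showing that adding one more exclusion (the RFC 6598 shared address space, used here only to illustrate the general algorithm) produces a sixth range. The 1.0.0.0 to 223.255.255.255 scope and the exclusion list are assumptions reconstructed from the ranges on the page.

```python
from ipaddress import IPv4Address, ip_network

# Scope the article treats as "the Internet": 1.0.0.0 through the end of
# Class C. 0.0.0.0/8 and Class D/E (224.0.0.0 and above) fall outside it by
# construction (assumption reconstructed from the five ranges in Step 1).
INTERNET_FIRST = IPv4Address("1.0.0.0")
INTERNET_LAST = IPv4Address("223.255.255.255")

# Blocks the article keeps out of the encryption domain: loopback and the
# RFC 1918 private ranges (assumption reconstructed from the page's ranges).
EXCLUDED = [
    ip_network("10.0.0.0/8"),
    ip_network("127.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def internet_ranges(excluded, first=INTERNET_FIRST, last=INTERNET_LAST):
    """Return (first, last) address pairs covering [first, last] minus ``excluded``.

    Networks are processed in address order; a cursor walks forward and emits
    one range for every gap between consecutive excluded blocks.
    """
    ranges = []
    cursor = first
    for net in sorted(excluded, key=lambda n: n.network_address):
        net_first, net_last = net.network_address, net.broadcast_address
        if net_last < cursor or net_first > last:
            continue  # entirely outside the scope or already passed
        if net_first > cursor:
            ranges.append((str(cursor), str(net_first - 1)))
        cursor = max(cursor, net_last + 1)  # handles overlapping exclusions
    if cursor <= last:
        ranges.append((str(cursor), str(last)))
    return ranges


# The five ranges the article has you enter by hand in Step 1.
ARTICLE_RANGES = [
    ("1.0.0.0", "9.255.255.255"),
    ("11.0.0.0", "126.255.255.255"),
    ("128.0.0.0", "172.15.255.255"),
    ("172.32.0.0", "192.167.255.255"),
    ("192.169.0.0", "223.255.255.255"),
]


def in_encryption_domain(ip, ranges=ARTICLE_RANGES):
    """True if ``ip`` falls inside any of the Step 1 ranges."""
    addr = IPv4Address(ip)
    return any(IPv4Address(lo) <= addr <= IPv4Address(hi) for lo, hi in ranges)


if __name__ == "__main__":
    derived = internet_ranges(EXCLUDED)
    print("matches article:", derived == ARTICLE_RANGES)
    # Going beyond the article: exclude RFC 6598 (100.64.0.0/10) as well.
    for lo, hi in internet_ranges(EXCLUDED + [ip_network("100.64.0.0/10")]):
        print(f"{lo:>16} - {hi}")
```

Running the script against the article's own exclusion list prints `matches article: True`; the extended list splits the second range around 100.64.0.0/10, so a sixth address-range object would be needed in the SmartDashboard.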

Step 2—Create the Local Encryption Domain.

When a location is active, all outbound port 80 and 443 web traffic routes through the VPN tunnel to the Web Security Service. The following example identifies the subnets that you want sent to the service for processing. 

Tip: Symantec assumes that this is an existing gateway device and that you have previously configured it to send traffic to the Internet. If you do not have subnets configured, consult the documentation for your Check Point device.

  1. In the Network Objects applet, right-click Groups and select Simple Group. The interface displays the Group Properties dialog.
     

            a. Name the group.
            b. From the Not in Group area, select internal subnets that transport Internet-bound traffic.
            c. Click Add to move them In Group.
            d. Click OK.

Tip: To perform Web Security Service testing, you can identify a single workstation to send rather than entire production subnets. When you are satisfied, edit the object to add the production subnets.

Step 3—Exclude Non-Web Traffic (Protocol Ports)

Create a protocol group that excludes the non-web protocols from the VPN tunnel that connects to the Web Security Service.

  1. In the SmartDashboard, select Services.
  2. Right-click Group and select New Group.
    The interface displays the Group Properties dialog.
  3. Click New. The interface displays the Group Properties dialog.
    1. Name the object. For example, indicate that these are ports 1 to 79.
    2. In the Port field, enter 1-79. This excludes all ports up to 80 (web).
    3. Click Advanced. The interface displays the Advanced TCP Service Properties dialog.
    4. Select Match For 'Any'. This prevents policy installation warnings because of a possible already-defined port.
    5. Click OK, and OK again to close the Group Properties dialog.
  4. Repeat Steps 3.1 through 3.3 to add two more groups.
    1. Mid-TCP-Ports: 81 to 442.
    2. High-TCP-Ports: 444 to 65535.
      This allows port 443 traffic into the VPN tunnel.
  5. (Optional) You can also add ICMP and all UDP ports.

Step 4—Define the Gateway.

Create a Gateway (Interoperable Device) that points to the nearest Symantec datacenter for the configured location. Refer to this article for current Data Center addresses.

  1. In the SmartDashboard, select IPSec VPN from the top ribbon.
  2. From the left-menu, select Gateways.
  3. From the Gateway options, click +Add.
    The interface displays the Interoperable Device dialog.
    1. Name the gateway.
    2. Enter the Web Security Service IPv4 Address.
    3. Click OK.
  4. Add the Symantec Encryption Domain.
    1. Edit the new gateway.
    2.  From the left-menu, select Topology.
    3. In the VPN Domain area, select Manually Defined.
    4. Click the browse icon-button (...) and select the Encryption Domain that you configured in Step 1.
    5. Click OK.
  5. Add the Encryption Domain to your gateway configuration.
    1. From the left-menu, select Gateways.
    2. Select the configured Check Point gateway and click Edit. The interface displays the Check Point Gateway dialog.
    3. Select Topology.
    4. Select the External interface.
    5. In the VPN Domain area, select Manually Defined.
    6. Click the browse icon-button (...) and select the Local Encryption Domain that you configured in Step 2.
    7. Click OK.

Step 5—Create the VPN Community

Add the Check Point gateway and the Symantec device to participating gateways.

  1. In the SmartDashboard, select IPSec VPN from the top ribbon.
  2. From the left-menu, select Communities.
  3. From the Communities options, select New > Meshed Community.
    The interface displays the Meshed Community Properties dialog.
    1. Name the community.
    2. Select Participating Gateways.
    3. Click Add.
      The interface displays the Add Participating Gateways dialog.
    4. The interface detects the available gateways.
      Select the Check Point gateway and the Web Security Service gateway that you created; click OK.
    5. From the left-menu in the dialog, select Tunnel Management.
    6. Under Permanent Tunnels, enable Set Permanent Tunnels.
      This is required for Dead Peer Detection in Step 6, below.
    7. Under VPN Tunnel Sharing, select One VPN tunnel per Gateway pair.
      Warning: Leaving this option at the default setting results in a substantial performance reduction.
    8. From the left-menu in the dialog, select Advanced Settings > Excluded Service.
    9. Click Add.
    10. In the Add Service dialog, scroll to and select the Excluded Protocols object that you created in Step 3.
    11. Click OK.
  4. Establish the pre-shared key (PSK).
    Enter the key under Advanced Settings, select Shared Secret.
    1. The dialog contains the Web Security Service peer that you configured.
      Select it and click Edit.
    2. Enter the pre-shared key (Secret) that the Web Security Service uses to authenticate the tunnel and click Set.
      Tip: The PSK must be at least eight characters and cannot use special characters.
    3. Click OK.
  5. Select the Internet Key Exchange algorithm and disable NAT-T. Remaining under Advanced Settings, select Advanced VPN Properties.
    1. Select Use Perfect Forward Secrecy.
      From the Use Diffie-Hellman Group drop-down list, select a group. The Web Security Service supports many combinations.
    2. Verify that Disable NAT inside the VPN community is selected.
    3. Click OK.

Step 6—Enable Dead-Peer-Detection.

To avoid datacenter connection issues, you must enable Dead Peer Detection on your Check Point device. You cannot do this through the SmartDashboard. Rather, as of the Check Point software versions used for this reference, you must use the Check Point Database Tool (GuiDBedit) to enable this option.

Note: If not done already, review Step 5.3.6 above and enable the Set Permanent Tunnels option. The Tunnel Management section should show that option enabled before you proceed.

  1. Access the GuiDBedit program, which is located in the SmartConsole PROGRAM folder.
    1. For example, on Windows, the default path to navigate to is:
      C:\Program Files (x86)\CheckPoint\SmartConsole\R77.30\PROGRAM
    2. Run the GuiDBedit program. 
  2. In the database tool, set Dead Peer Detection only on the Web Security Service gateway object(s).
    1. In the Tables tab, select Network Objects > Network Objects.
    2. Scroll through Object Names to locate the Web Security Service gateway object that you created.
    3. Scroll through the Field Names to locate tunnel_keepalive_method.
    4. Double-click dpd and enable it.
    5. Save the database tool changes.
  3. Return to the SmartDashboard and install the policy.

Step 7—Exclude Auth Connector Traffic from the Web Security Service.

If Auth Connector traffic requires access to the Internet through the Check Point gateway, you must exclude that traffic from routing to the Web Security Service. Many datacenters have several to many Auth IP addresses, so this step describes how to exclude whole subnets rather than manually configuring individual addresses.

Tip: If your Access Method is Trans-Proxy (IPsec over VPN), you can skip this step.

  1. In the SmartDashboard, select Network Objects.
  2. Right-click Networks and select Network.
    The interface displays the Network Properties dialog.
  3. Define the first subnet.
    1. Name the property; for example, indicate that these addresses are for authentication traffic.
    2. In the Network Address field, enter the network address for the datacenter to which this location sends traffic.
      For example, several of the Auth Connector addresses for the Chicago, USA datacenter reside in 198.135.124.xxx. Therefore, enter 198.135.124.128.
    3. In the Net Mask field, enter the subnet mask. This instructs the object to include all addresses in this range.
    4. Click OK.
  4. Add this object to the Excluded Domains object that you created in Step 1.
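Steps 1, 3 and 7 together decide which outbound flows enter the tunnel: the destination must sit in the Step 1 encryption domain, must not match a Step 3 excluded-service group, and must not be an Auth Connector address excluded in Step 7. The following Python script is an added example, not part of the article or of Check Point's policy engine; it models the intended net effect of those three objects so that you can sanity-check expectations for a handful of flows before installing policy. The sample flows are constructed, and the /25 mask on the Chicago Auth Connector subnet is an assumption, since the article gives the network address but leaves the mask to the reader.

```python
from ipaddress import IPv4Address, IPv4Network

# Step 1: the encryption domain (the five "Internet" ranges entered by hand).
ENCRYPTION_DOMAIN = [
    ("1.0.0.0", "9.255.255.255"),
    ("11.0.0.0", "126.255.255.255"),
    ("128.0.0.0", "172.15.255.255"),
    ("172.32.0.0", "192.167.255.255"),
    ("192.169.0.0", "223.255.255.255"),
]

# Step 3: the excluded-service groups. Everything listed here stays out of
# the tunnel, which leaves only TCP 80 and TCP 443 inside it.
EXCLUDED_TCP_PORTS = [(1, 79), (81, 442), (444, 65535)]
EXCLUDE_NON_TCP = True  # the optional ICMP/UDP exclusion from Step 3.5

# Step 7: Auth Connector addresses that bypass the service. The article gives
# 198.135.124.128 for its Chicago example; the /25 mask is an assumption.
AUTH_CONNECTOR_NETS = [IPv4Network("198.135.124.128/25")]


def in_encryption_domain(addr):
    return any(IPv4Address(lo) <= addr <= IPv4Address(hi)
               for lo, hi in ENCRYPTION_DOMAIN)


def is_excluded_service(proto, dst_port):
    if proto != "tcp":
        return EXCLUDE_NON_TCP
    return any(lo <= dst_port <= hi for lo, hi in EXCLUDED_TCP_PORTS)


def tunnel_decision(dst_ip, proto, dst_port=None):
    """Return (tunneled, reason) for one outbound flow from a local subnet."""
    addr = IPv4Address(dst_ip)
    if any(addr in net for net in AUTH_CONNECTOR_NETS):
        return False, "auth connector address excluded (Step 7)"
    if not in_encryption_domain(addr):
        return False, "destination outside the encryption domain (Step 1)"
    if is_excluded_service(proto, dst_port):
        return False, "excluded service (Step 3)"
    return True, "web traffic sent through the VPN tunnel"


# Constructed sample flows (not captured traffic): (destination, proto, port).
SAMPLE_FLOWS = [
    ("203.0.113.10", "tcp", 443),
    ("203.0.113.10", "tcp", 80),
    ("203.0.113.10", "tcp", 22),
    ("203.0.113.10", "udp", 53),
    ("10.20.30.40", "tcp", 80),
    ("198.135.124.130", "tcp", 443),
]


def summarize(flows=SAMPLE_FLOWS):
    """Map each flow to its (tunneled, reason) decision."""
    return {flow: tunnel_decision(*flow) for flow in flows}


if __name__ == "__main__":
    for (ip, proto, port), (tunneled, reason) in summarize().items():
        verdict = "TUNNEL" if tunneled else "BYPASS"
        print(f"{ip:>16} {proto}/{port:<5} -> {verdict}: {reason}")
```

Only the two TCP 443 and TCP 80 flows to a public address are tunneled; SSH, DNS, the RFC 1918 destination and the Auth Connector address all bypass the service, each for the reason the corresponding step gives.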