Configure a Check Point VPN in Simplified Mode

Article ID: 165554

Products

CDP Integration Server

Issue/Introduction

It is possible to configure a Check Point Firewall in Simplified Mode.  At the time of writing, the online Cloud documentation only describes how to configure a Check Point Firewall in Traditional Mode; this article covers the Simplified (domain-based) equivalent.

No extensive testing of this configuration has been completed, although a tunnel was established and web traffic was protected by the Blue Coat Secure Web Cloud service.

Resolution

This configuration example was taken from a Check Point UTM-1 running SecurePlatform R75.

IMPORTANT STEP

This step is not shown in the screenshots below.  Set the Phase 2 (IPsec SA) lifetime to 120 seconds.  The reason is that the Blue Coat Cloud Security Service supports Dead Peer Detection (DPD), but Check Point firewalls at this release use a different mechanism to detect that a peer is down.  If a data pod that a Check Point firewall is connected to is taken down for maintenance, the firewall will not detect that the pod is unavailable and will treat the tunnel as still established until it renegotiates Phase 2.  A 120-second lifetime is aggressive (it forces a rekey every two minutes), but it means the firewall recovers quickly if the pod it was connected to is taken down for any reason.

UPDATE - Check Point has released a hotfix that supports DPD.  If this fix is installed, the 120-second Phase 2 timeout is not necessary, and it is strongly recommended not to use it; the default lifetime of 3600 seconds is sufficient.  The hotfix from Check Point is called R75.40VS LTE.  Release R77.10 and newer also contain fixes for DPD.

Summary of Steps

  • Create an address range that includes all IP addresses
    • This will be used when defining the destination (Cloud side) VPN domain
  • Create a simple group and add the address range defining the internet IP addresses
    • The VPN domain field will not accept an address range directly, but it will accept a group
  • Create a network object representing the internal subnet
    • In most cases this already exists.  It will be used to define the local VPN domain
  • Create an Interoperable Device
    • This defines the IPsec endpoint in the Blue Coat Secure Web Cloud
  • Define the VPN domain on both endpoints
    • In Simplified Mode the VPN configuration is domain based, and both endpoint objects must have their VPN domain manually defined
  • Create and configure the VPN community
    • All IPsec settings are defined in the community
  • Create or adjust firewall policy as needed

Creating the Objects

In the SmartDashboard, from the menu bar select Manage --> Network Objects

Create Address range of the internet

Click New --> Address Ranges --> Address Range...
Enter a meaningful name and provide the first and last IP address as shown in the graphic below:

Click OK to save and return to the Network Objects window.

Create the Simple Group

Click New --> Group --> Simple Group...
Provide a meaningful name and select the address range created previously, as shown in the graphic below:

Click OK to save and return to the Network Objects window.

Create Network object defining the internal subnet

If a network object defining the internal subnet does not yet exist, create it now.  Click New --> Network...
Provide a meaningful name and define the internal subnet as shown in the graphic below:

Click OK to save and return to the Network Objects window.

Create an interoperable device

Click New --> Interoperable Device...
Provide a meaningful name and enter the IP address of the Blue Coat Secure Web Cloud data center.  The IP addresses of the data centers can be found in the online documentation: http://portal.threatpulse.com/docs/am/Content/Deployment/Tasks/Checkpoint/chkpnt_plntbleprint.htm

The Seattle data center will be used in this example:

Click Topology and manually define the VPN domain using the Simple Group created previously, as shown in the graphic below:

Click OK to save changes and return to the Network Objects window.

Click close on the Network Objects window to return to the SmartDashboard.

Define VPN on Check Point Object

In the window pane on the left of the SmartDashboard navigate to Network Objects --> Check Point --> <your checkpoint object name> and double click to edit the object.

On the General properties screen confirm IPSEC VPN is checked in the Network Security tab:

Click Topology in the left window pane.  Manually define the VPN domain using the internal subnet object that already exists or was created previously:

Click OK to save changes and return to the SmartDashboard.

Configure the VPN community

The community can be created as a Star or Mesh.  In this example a Mesh Community will be used.

Service objects are needed to exclude every TCP port from the community except 80 and 443, so that only web traffic enters the tunnel.

In the SmartDashboard go to the Services tab in the left window pane, then right-click TCP and select New TCP...
Provide a meaningful name and enter 1-79 for the Port as shown in the graphic below:

Click OK to save the changes.  Repeat this step two more times for ports 81-442 and 444-65535 (the full TCP port range ends at 65535) and provide unique, meaningful names.

Any other protocols that should be excluded from the community can be created in the same way or existing service objects can be used when it comes time to define the exclusions.

Create a Group for these service exclusions by right-clicking Group under Services and selecting New Group...
Add the TCP services that were just created.  In this example the existing DNS service object is also included in the group:

Click OK to save changes and return to the SmartDashboard.
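The exclusion list above is simply the complement of the ports you want inside the tunnel, and it is easy to get the range boundaries wrong by hand.  The following added example (not part of the original article or of Check Point's tooling) computes the complementary TCP ranges for any set of allowed ports and emits the equivalent Check Point Management API (mgmt_cli) commands.  It assumes an R80 or newer management server with an open mgmt_cli session; the article itself targets R75, where these objects are created in SmartDashboard.  The object names, the "tcp-excl-" prefix and the "domain-udp"/"domain-tcp" DNS members are assumptions and should be adjusted to match your object database.

```python
"""Build the TCP port exclusions that leave only chosen ports inside a Check Point
VPN community, and emit the equivalent mgmt_cli commands.

Added example, not code from the original KB article.  The mgmt_cli usage
assumes the R80+ Management API (not the R75 SmartDashboard described above).
"""
from typing import Iterable, List, Tuple

PORT_MIN, PORT_MAX = 1, 65535  # TCP port space; note the upper bound is 65535


def excluded_ranges(allowed: Iterable[int]) -> List[Tuple[int, int]]:
    """Return the contiguous TCP port ranges that are NOT in `allowed`.

    Keeping only 80 and 443 inside the tunnel means excluding
    1-79, 81-442 and 444-65535.  Out-of-range and duplicate ports are ignored.
    """
    ports = sorted({p for p in allowed if PORT_MIN <= p <= PORT_MAX})
    ranges: List[Tuple[int, int]] = []
    start = PORT_MIN
    for p in ports:
        if p > start:                 # gap before this allowed port
            ranges.append((start, p - 1))
        start = p + 1                 # resume just after the allowed port
    if start <= PORT_MAX:             # trailing gap up to the last port
        ranges.append((start, PORT_MAX))
    return ranges


def service_name(lo: int, hi: int) -> str:
    """Assumed naming convention for the exclusion service objects."""
    return f"tcp-excl-{lo}-{hi}" if lo != hi else f"tcp-excl-{lo}"


def mgmt_cli_commands(allowed: Iterable[int],
                      group_name: str = "vpn-excluded-services",
                      extra_members: Tuple[str, ...] = ("domain-udp", "domain-tcp")
                      ) -> List[str]:
    """Emit one 'add service-tcp' per excluded range, then a service-group.

    `extra_members` holds existing service objects to exclude as well (the
    article adds DNS); the default names are assumptions from Check Point's
    default service table.  The caller is expected to already be logged in
    (mgmt_cli login / -s session file), which is not handled here.
    """
    ranges = excluded_ranges(allowed)
    cmds: List[str] = []
    for lo, hi in ranges:
        port = f"{lo}-{hi}" if lo != hi else str(lo)
        cmds.append(f'mgmt_cli add service-tcp name "{service_name(lo, hi)}" port "{port}"')
    members = [service_name(lo, hi) for lo, hi in ranges] + list(extra_members)
    member_args = " ".join(f'members.{i} "{m}"' for i, m in enumerate(members, 1))
    cmds.append(f'mgmt_cli add service-group name "{group_name}" {member_args}')
    cmds.append("mgmt_cli publish")  # changes are not visible until published
    return cmds


if __name__ == "__main__":
    # Reproduces the article's three exclusion services (80 and 443 stay in the tunnel).
    print("\n".join(mgmt_cli_commands({80, 443})))
```

Review the printed commands before running them; the group still has to be attached to the community under Advanced Settings --> Excluded Services, and the policy must be installed before the exclusions take effect.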

In the SmartDashboard under the IPSec VPN tab create a new Meshed Community.  Provide a meaningful name:

Select participating gateways in the left menu.  Add both the interoperable device that was previously created and the Check Point object:

Select Tunnel Management from the menu and then select "One VPN tunnel per Gateway pair.":

Expand the Advanced Settings and select Excluded Services.  Add the protocol exclusions group that was created previously:

Select "Shared Secret" and enable "Use only Shared Secret for all external members".  Select the peer (the Interoperable Device) and click Edit to enter the pre-shared key; it must match the PSK configured on the Cloud side:

Select "Advanced VPN Properties".  The default settings are acceptable, but "Perfect Forward Secrecy" MUST be enabled using group 2, 5 or 14.  Prefer group 14 where both sides support it; group 2 (1024-bit MODP) and group 5 (1536-bit MODP) are below current recommendations.  Note that the IPsec (Phase 2) "Renegotiate IPsec security associations" interval should be reduced from 3600 seconds to 120 seconds if you are not running R77.10 or newer (or the R75.40VS LTE hotfix); see the IMPORTANT STEP at the beginning of this article for details.  "Disable NAT inside the VPN community" SHOULD be enabled.  This allows the client's real IP address to be seen in the Cloud, which is important for reporting and can be used in policy.

Click OK to save changes to the community. 

After installing these policy changes on the firewall, the expected result is that port 80 and 443 traffic from all workstations on the internal subnet is protected by the Blue Coat Secure Web Cloud service, while all other traffic continues to bypass the tunnel.

Firewall Policy

Whether firewall policy needs to be added or modified depends on the current firewall configuration.  This example already had a firewall policy in place that allowed all internal web traffic to be NATed and sent to its destination.  After creating the VPN community above, nothing else was needed in this example for the traffic to be protected.