Introduction

This demo shows how to set up IPsec tunnels to a Non-VeloCloud Site (NVS) and service-chain traffic from a VMware SD-WAN appliance to Check Point CloudGuard Connect.

Check Point's security product line includes: prevention of known attacks using reputation services, signatures and bot-communication prevention; prevention of unknown attacks using cloud-based sandboxing; an Access Control policy including HTTPS Inspection and Application Control; and web-based management for security events, log monitoring, policy and site configuration.

Configure the VMware SD-WAN end

  • Log in to the VMware SD-WAN Orchestrator.
  • Navigate to Configure > Network Services.
  • Scroll down to Non-VeloCloud Sites.
  • Click New…
  • Name is an alias for this tunnel. In this case we name it CP-NSAAS.
  • Type should be Check Point.
  • Primary VPN Gateway should be the public IP address of the first Check Point CloudGuard Connect tunnel endpoint.
  • Secondary VPN Gateway should be the public IP address of the second Check Point CloudGuard Connect tunnel endpoint.
  • Click Next.
  • Click Disable Site Subnets.

Configure additional settings for the Check Point service.

  • Enable Tunnel(s) should be checked.
  • Authentication should be set to None.
  • Site Subnets should remain empty. Leaving it empty means the site is used for Internet backhaul, so Internet access is protected by Check Point.
  • Click Advanced to edit the advanced settings.
  • Set the Tunnel Settings for the Primary VPN Gateway:
  • PSK should be set to the pre-shared key shared with the Check Point site; the same key must be entered on the Check Point side.
  • Encryption should be set to AES 256.
  • DH Group should be set to 2.
  • PFS should be set to disabled.
  • Set the Tunnel Settings for the Secondary VPN Gateway:
  • PSK should be set to the pre-shared key shared with the Check Point site.
  • Encryption should be set to AES 256.
  • DH Group should be set to 2.
  • PFS should be set to disabled.
  • Redundant VMware SD-WAN Cloud VPN should be unchecked.
  • Click Save Changes.
  • Click to enable the tunnel.
  • Optionally click IKE/IPsec Template to view a command-line style description of the settings so far.
  • Copy the IP address of the VMware SD-WAN Gateway. This address is entered on the Check Point side in a later step.
  • Click Close.
  • Your Check Point configuration should now appear under Non-VeloCloud Sites.

Note that DH Group 2 (1024-bit MODP) with PFS disabled is what this demo uses. DH group 2 is considered weak by current standards, so where both ends support it, a stronger group (14 or higher) with PFS enabled is preferable.

Activate the Site at the VMware SD-WAN Orchestrator

  • Navigate to Configure > Profiles.
  • Click the Profile that applies to the VMware SD-WAN Edges you want to connect to Check Point CloudGuard Connect. This profile is edited to use the Non-VeloCloud Site configured in the previous sections.
  • Click the Device tab.
  • Scroll down to the Cloud VPN section. Cloud VPN should be checked.
  • Under Branch to Non-VeloCloud Site, click Enable.
  • Select the Check Point Non-VeloCloud Site configured in the previous sections as the NVS Site.
  • Save Changes.

Route traffic from your branch office to Check Point's CloudGuard Connect

  • Navigate to Configure > Profiles.
  • Select the Profile that applies to the VMware SD-WAN Edges.
  • Navigate to Business Policy.
  • Click New Rule…
  • Name should be a short description of the rule, such as Traffic to Check Point.
  • Set the destination to Internet.
  • Scroll down to Action.
  • Set Network Service to Internet Backhaul.
  • Non-VeloCloud Site should be checked.
  • Select the Check Point site that was defined as a Non-VeloCloud Site in the previous sections.
  • NAT should be disabled, so that Check Point sees the original branch source addresses, which are the addresses declared as Internal Subnets on the Check Point side.
  • Click OK.
  • Click Save Changes.
  • Navigate to Monitor > Edges, select the Edge, and open Network Services.
  • Check the Events to confirm that the tunnel has been established.

Let us move over to the Check Point CloudGuard Connect portal now.

Protecting sites with IPsec tunnels

  • Sign in to the Check Point Infinity Portal at https://portal.checkpoint.com
  • Once logged in, make sure you are looking at the Network Security as a Service application.
  • Navigate to Sites. The Sites screen displays.
  • Click Edit to see the settings of an existing site.
  • Press the + button to create a new site. A site represents your VMware SD-WAN Cloud Gateway.
  • The CREATE NEW SITE screen displays.
  • In the Site Name field, enter a name for the site.
  • In the Location of the cloud service field, select the location that suits your site. CloudGuard Connect inspects traffic from your branch office to the Internet in a cloud service that resides in one of these locations, so you would typically select the location closest to your site for the best performance. For some regions, most notably South America or the Middle East, the best choice might instead be a location with a strong cross-country Internet link.
  • In the Comments field, optionally enter a description of the site.
  • For this guide, choose IPsec – Pre-Shared Key as the Tunnel Type.
  • In the External IP field, add the public IP addresses of the two VMware SD-WAN Gateways in your Gateway Pool (the addresses copied from the Orchestrator earlier).
  • On the Internal Subnets page, enter the subnets of your internal networks in the branch offices.
  • CloudGuard Connect applies its security features to any traffic coming from these network addresses.
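The following is an added example, not part of the demo and not VMware's or Check Point's code: a small Python pre-flight check that takes the values entered on both sides (the Non-VeloCloud Site tunnel settings from the VMware SD-WAN section earlier and the CREATE NEW SITE form from this section) and reports mismatches before the tunnel is enabled. All addresses, names, keys, the branch LAN prefixes and the DH group table are constructed placeholders and assumptions.

```python
"""Pre-flight consistency check for the VMware SD-WAN <-> Check Point
CloudGuard Connect integration.

Added example, not code from the demo, VMware or Check Point. It mirrors the
fields filled in on the two portals (Non-VeloCloud Site tunnel settings on the
Orchestrator, the CREATE NEW SITE form on the Infinity Portal) and flags
mismatches that would stop the tunnel or leave branch traffic uninspected.
All addresses, names and keys are constructed placeholders."""
import ipaddress

# Modulus sizes of the IKE MODP groups (RFC 2409 / RFC 3526). Assumption: these
# are the groups offered in the Orchestrator UI; extend the table if yours differs.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}

# Constructed: the Non-VeloCloud Site as configured in the Orchestrator.
VELOCLOUD_NVS = {
    "name": "CP-NSAAS",
    "type": "Check Point",
    "tunnels": [
        {"role": "primary", "peer": "203.0.113.10", "psk": "demo-psk-placeholder",
         "encryption": "AES 256", "dh_group": 2, "pfs": False},
        {"role": "secondary", "peer": "203.0.113.11", "psk": "demo-psk-placeholder",
         "encryption": "AES 256", "dh_group": 2, "pfs": False},
    ],
    # Gateway addresses copied from the NVS dialog (the Gateway Pool).
    "gateway_ips": ["198.51.100.20", "198.51.100.21"],
}

# Constructed: LAN prefixes behind the branch Edge that the business policy
# sends to Internet Backhaul with NAT disabled.
BRANCH_LANS = ["10.20.0.0/24", "10.20.1.0/24"]

# Constructed: the CloudGuard Connect site (CREATE NEW SITE form).
CHECKPOINT_SITE = {
    "tunnel_type": "IPsec - Pre-Shared Key",
    "psk": "demo-psk-placeholder",
    "external_ips": ["198.51.100.20", "198.51.100.21"],
    "internal_subnets": ["10.20.0.0/23"],
}


def check_tunnels(nvs, cp_site):
    """Per-tunnel findings: a PSK mismatch breaks IKE authentication (error);
    DH group 2 and PFS off are the demo's settings but weak, so they are warnings."""
    findings = []
    for t in nvs["tunnels"]:
        tag = f"{t['role']} tunnel to {t['peer']}"
        if t["psk"] != cp_site["psk"]:
            findings.append(("error", f"{tag}: PSK differs from the CloudGuard site PSK"))
        if t["encryption"] != "AES 256":
            findings.append(("warn", f"{tag}: encryption {t['encryption']} instead of AES 256"))
        bits = DH_GROUP_BITS.get(t["dh_group"], 0)
        if bits < 2048:
            findings.append(("warn", f"{tag}: DH group {t['dh_group']} is {bits}-bit MODP; prefer group 14 or higher"))
        if not t["pfs"]:
            findings.append(("warn", f"{tag}: PFS disabled, child SA keys are not refreshed by a new DH exchange"))
    return findings


def check_external_ips(nvs, cp_site):
    """Every Orchestrator gateway address must be listed under External IP on the
    CloudGuard site, otherwise that gateway is not a recognised IPsec peer."""
    missing = sorted(set(nvs["gateway_ips"]) - set(cp_site["external_ips"]))
    return [("error", f"gateway {ip} is not listed under External IP on the CloudGuard site")
            for ip in missing]


def check_internal_subnets(branch_lans, cp_site):
    """A branch LAN not covered by a declared Internal Subnet is not protected,
    since CloudGuard applies its features to traffic from the declared addresses."""
    declared = [ipaddress.ip_network(s) for s in cp_site["internal_subnets"]]
    findings = []
    for lan in branch_lans:
        net = ipaddress.ip_network(lan)
        if not any(net.version == d.version and net.subnet_of(d) for d in declared):
            findings.append(("error", f"branch LAN {lan} is not covered by any CloudGuard Internal Subnet"))
    return findings


def preflight(nvs=VELOCLOUD_NVS, branch_lans=BRANCH_LANS, cp_site=CHECKPOINT_SITE):
    """Run all checks; returns {area: [(level, message), ...]}."""
    return {
        "tunnels": check_tunnels(nvs, cp_site),
        "external_ips": check_external_ips(nvs, cp_site),
        "internal_subnets": check_internal_subnets(branch_lans, cp_site),
    }


def has_errors(report):
    """True if any finding would stop the tunnel or bypass inspection."""
    return any(level == "error" for items in report.values() for level, _ in items)


if __name__ == "__main__":
    report = preflight()
    for area, items in report.items():
        print(f"{area}: {'ok' if not items else ''}")
        for level, msg in items:
            print(f"  [{level}] {msg}")
    print("BLOCKING ISSUES" if has_errors(report) else "no blocking issues")
```

Run it after replacing the placeholders with your own values. An error finding (PSK mismatch, a gateway missing from External IP, a branch LAN not covered by Internal Subnets) means the tunnel will not come up or branch traffic will bypass inspection; the warn findings with the demo's values are its DH Group 2 and PFS disabled settings, which work but are weaker than a 2048-bit group with PFS.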

 

Test the overall configuration

  • Send traffic from behind your site to the Internet.
  • In the VMware SD-WAN Orchestrator, navigate to Monitor > Edges.
  • Select the Edge from which you sent the traffic.
  • Check that the traffic is displayed.

Configuring an Access Control Policy on the Check Point CloudGuard Connect portal

  • Navigate to Network Security as a Service within the portal.
  • Click Policy and then Access Control.
  • Add a rule with the Block action: define the source as your branch traffic and, as an example URL block, define www.espn.com as the destination.
  • Select Install Policy.
  • Verify that the NVS tunnel between the VMware SD-WAN Gateway and CloudGuard Connect is now operational.
  • Ping the IP address 100.126.0.4 that is specified in the Check Point portal.
  • To verify that the installed policy is working, browse to www.espn.com.
  • The client machine behind the Edge device is unable to reach www.espn.com.
  • Check the Logs to see the allowed and blocked traffic.
  • Browsing to www.cnn.com, which is not blocked by the policy, still works.
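As an added example (not from the demo, VMware or Check Point), the manual test above can be scripted from a client behind the Edge so that it checks the tunnel probe address and both the blocked and the allowed case; a policy that is failing open (everything allowed) or failing closed (everything blocked) then shows up as a mismatch rather than passing a single browser check. Assumptions: a block is detected as a failed connection or a non-2xx status, the system ping binary accepts the -c flag, and the canned results used to exercise the logic offline are constructed.

```python
"""Post-deployment check for the CloudGuard Connect access-control policy,
run from a client behind the branch Edge.

Added example, not code from the demo or either vendor. It repeats the demo's
manual test (ping the tunnel probe address, confirm www.espn.com is blocked
and www.cnn.com is allowed) and fails if the policy is failing open or closed.
The probe functions are injectable so the logic can be exercised offline."""
import subprocess
import urllib.error
import urllib.request

# The address the demo pings; it is shown in the Check Point portal.
TUNNEL_PROBE_IP = "100.126.0.4"

# Expected outcomes per URL under the demo's policy (constructed).
EXPECTATIONS = {
    "https://www.espn.com/": "blocked",
    "https://www.cnn.com/": "allowed",
}


def http_reachable(url, timeout=5):
    """True when the request completes with a 2xx status. Assumption: a
    CloudGuard block surfaces as a reset, timeout or non-2xx response."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, OSError, ValueError):
        return False


def icmp_reachable(ip, timeout=5):
    """Ping once via the system ping binary (assumes the Linux/macOS -c flag)."""
    try:
        proc = subprocess.run(["ping", "-c", "1", ip], capture_output=True, timeout=timeout)
        return proc.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def evaluate(expectations, reach):
    """Compare the observed reachability of each URL against its expectation."""
    results = {}
    for url, expected in expectations.items():
        observed = "allowed" if reach(url) else "blocked"
        results[url] = {"expected": expected, "observed": observed, "ok": observed == expected}
    return results


def verify(expectations=EXPECTATIONS, reach=http_reachable, ping=icmp_reachable):
    """Full check: tunnel probe first, then the positive and negative policy cases."""
    if not ping(TUNNEL_PROBE_IP):
        return {"tunnel_up": False, "results": {}, "passed": False}
    results = evaluate(expectations, reach)
    return {"tunnel_up": True, "results": results,
            "passed": all(r["ok"] for r in results.values())}


if __name__ == "__main__":
    outcome = verify()
    print("tunnel probe:", "reachable" if outcome["tunnel_up"] else "unreachable")
    for url, r in outcome["results"].items():
        print(f"{url}: expected {r['expected']}, observed {r['observed']} -> "
              f"{'ok' if r['ok'] else 'MISMATCH'}")
    print("policy verification", "passed" if outcome["passed"] else "FAILED")
```

If CloudGuard serves an HTML block page with a 200 status for the blocked URL, http_reachable reports it as allowed; in that case match on the block page content instead of the status code.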

 

Summary

In this demo we integrated VMware SD-WAN with Check Point CloudGuard Connect. We used IPsec to connect a VMware SD-WAN branch to a cloud service managed by Check Point, in order to apply Check Point's security to branch office users, using Check Point's CloudGuard Connect web-based management and the VMware SD-WAN Orchestrator.

 

 

 

 
