Introduction

In this Demo, we will go through the process of Deploying a Check Point VNF on a VMware SD-WAN 520v Edge device. This Check Point VNF firewall will be service chained to the Edge device in transparent mode. Deploying a distributed firewall with the click of a button with SD-WAN CPE helps to avoid the truck rolls, costs and inflexibility associated with a stack of appliances.

Many customers prefer local internet breakout from the remote branch offices and prefer to keep security functions highly distributed. Service providers and large enterprise customers can easily deploy Check Point Check Point VNF (virtual firewall) on the VMware SD-WAN Edge, and program and manage this from remote locations. Check Point VNF can be inserted on the VMware SD-WAN Branch Edge with the click of a button, thus delivering a cost-effective and secure SD-WAN.

Let us begin the configuration on the VMware SD-WAN Orchestrator.

• Click on Network Services within the Configure section.
• Scroll down to the VNFs section 
• We currently have a Check Point VNF configured and we will review its configuration details
• Click on Check Point-FW.
• We will first give it a name.
• VNF type will be Check Point Firewall.
• We can use a SIC key that will also be used in the Check Point Manager.
• In this case, the VNF image does not reside on the Edge. Instead, it is stored on an S3 bucket which is publicly accessible.
• We will enter the VNF image location and version. The File Checksum type and Checksum will be auto populated.
• Download type will be https. 
• We will enter the Accesskeyid and SAK.
• Click on Save Changes.

We will now configure the Edge 

• Click on Edges within Configure.
• Click on the Device wrench in the VNF-520V.
• Click on the VNF Insertion button in the VLAN configuration.
• Click on Edit button in Security VNF.
• Click on Deploy
• Select the VLAN in which the management Interface will reside.
• Add a Management IP address
• Give it a hostname.
• We will select Image downloaded and Powered On option.
• Select the Security VNF Check Point-FW.
• Click on Update.
• Click on Save Changes.
• Click on Confirm button to confirm the changes.

We will now monitor the progress of the VNF

• Click on Edges within Monitor Section
• Click on the VNF Button and verify that the image download has been completed.
• Check the VM status and notice that it is currently not deployed.

Move over to the Check Point Smart Console.

• Click on New Object in the menu
• Click on New Gateway from the menu options
• Click on Wizard Mode. 
• Configure a name for the Gateway
• Select the Gateway Platform as 1430/1450 Appliance.
• Configure the same IP address as we used for the Management IP in VCO.
• Click Next
• Configure the same password as we used for the SIC Key in VCO.

Before we initiate Synch, let us verify that the VNF is Online on the Edge now.

• Click on the Edges. 
• In the VM status view, we can see that the VNF status is Powered On.

Back on the Check Point Smart Console

• Click the Connect button.
• Check out the interfaces from the Topology results.
• Click Close button
• Notice that the Trust is established now.
• Click Next 
• Select Firewall and NAT.
• Select Activate and configure software blades later.
• Click Next 
• Click Finish.
• Click on Publish from the top Menu.
• Click on Publish 

Let us now jump back to the VCO to verify things 

• Click on Events within Monitor.
• Check that the VNF config has been applied in the events. 
• Click on an event to see the details of the event. 
• Click on Close.
• We will verify the VNF status again.

Now we will verify from Check Point Smart Console if the VNF is communicating. 

• Click on Edit 
• Click on Communication.
• Click on Test SIC status 
• We can notice that is states Communicating.

We will now configure a Security Policy and Publish it to the Check Point VNF. 

• Click on Security Policies.
• We have allowed Branch to Branch traffic. 
• We have defined a policy denying ICMP traffic to Google DNS server 8.8.8.8
• Click on install Policy.
• Click on Install Button.
• We can also login to the Check Point VNF using the Management IP address of https://172.16.1.14:4434. Username admin and password admin.
• We can verify things are fully operational from here. 

Verification of the Security Policy 

• For this part, we will VNC to the Linux client behind the Edge device. 
• Let us try to ping the Remote Branch IP address 172.17.1.137.
• We can see that as per the policy this is allowed.
• We also check the Logs and Monitor section in the Check Point Smart Console.
• This verifies that our Security policy was successfully installed and the Check Point VNF is working normally.

Summary

In the Demo, we were able to successfully show the Instantiation of a Check Point VNF and show the steps needed to verify successful installation and push Security policies from the Check Point Smart Console to the VNF and verify that the policies were successfully installed.