Integration with Check Point

With more services moving to a cloud-based architecture, one of the most common requirements is to allow SD-Branches to route traffic to its intended destination over the Internet. Direct access from the branch to the Internet delivers traffic faster and uses bandwidth more efficiently than tunneling it to an aggregation point before routing it to its final destination. However, allowing branch devices to connect directly to the Internet may introduce security issues.

To enhance branch security and provide advanced threat protection, Aruba supports SD-Branch integration with third-party cloud network security services such as Check Point. Check Point Network Security as a Service is a cloud security platform that provides Check Point threat prevention and access control for branch offices. With the Check Point integration, network administrators can connect Aruba Gateway devices to Network Security as a Service to leverage Check Point's best-in-class network security services and deploy a secure SD-WAN network.

The SD-Branch integration with Check Point offers the following benefits:

Supported IKE and IPsec Cryptographic Profiles

The Aruba Branch Gateway and Check Point support several options for setting up VPN tunnels. Aruba and Check Point recommend using IKEv2 for cloud security.

The following encryption settings are recommended for tunnel configuration.

Table 1: Tunnel Encryption

Parameters             Phase 1              Phase 2
Confidentiality        AES-256              AES-256
Integrity              SHA1                 SHA1
Authentication         Username/password    N/A
Key Exchange Method    Diffie-Hellman       Diffie-Hellman
Diffie-Hellman Group   Group 2              -

Configuration Steps

The SD-Branch integration with Check Point requires configuration on both the Check Point portal and the Aruba Gateways.

Before you begin, perform the following checks:

  • The Aruba Gateways are connected to and managed from Aruba Central.
  • You have access to the Check Point web portal and administrative credentials to set up tunnels with Aruba Gateways.

To enable Aruba SD-Branch integration with Check Point, complete the following configuration steps:

Configuring Check Point for SD-Branch Integration

To configure Check Point for SD-Branch integration:

  1. Log in to the Check Point Portal.
  2. Access Network Security As A Service app.
  3. Create a site. The Create New Site wizard opens.
  4. Enter site details.
  5. Select the tunnel type as IPsec - Pre-Shared Key and define the external IP address and shared secret key.
  6. Set the IP address of the branch site as the external IP address and configure subnets for the internal networks within the branch site.
  7. Confirm site creation.
  8. From the Network Security As A Service dashboard, select the site you just created and click View Instructions.
  9. Note the tunnel destination FQDN.

The following figures illustrate the site creation procedure in Check Point portal.

Figure 1  Site Creation

Figure 2  Tunnel Configuration

Figure 3  Subnet Configuration

Figure 4  View Instructions

Configuring Aruba Gateways for Integration with Check Point

To enable Aruba Gateways to connect to Check Point, complete the following configuration steps:

Configuring IPsec Tunnels to Check Point

To configure an IPsec tunnel to Check Point:

Prerequisites

To define a probe responder to measure the quality of the different tunnels going to the third-party service, you must create an IP-SLA profile and associate it to a NextHop. For more information, see Configuring IP-SLA Profiles.

  1. To configure a Branch Gateway group or a Branch Gateway, complete either one of these steps:
    • To select a gateway group:
      1. In the Aruba Central app, set the filter to a group that contains at least one Branch Gateway.

        The dashboard context for a group is displayed.

      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click Config.

        The configuration page is displayed for the selected group.

    • To select a gateway:
      1. In the Aruba Central app, set the filter to Global or a group that contains at least one Branch Gateway.
      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click a gateway under Device Name.

        The dashboard context for the gateway is displayed.

      4. Under Manage, click Device.

        The gateway device configuration page is displayed.

  2. Click VPN > Cloud Security.
  3. In the IPSec Maps section, click + to open the New IPSec map section.
  4. Select Check Point - CloudGuard Connect as the cloud security provider from the drop-down list.
  5. Enter a name for the IPsec map. The allowed character limit is 128.
  6. Enter a priority number for the IPsec map within a range of 1 to 9998. A priority value of 1 indicates the highest priority.
  7. Select one of the following options in Tunnel source based on your requirement: the uplink VLAN to use for bringing up tunnels to Check Point (in the case of a Branch Gateway) or the source VLAN (in the case of VPNCs).
    • VLAN—Select a VLAN from the VLAN drop-down list.
    • Uplink VLAN—Select an uplink VLAN from the Uplink VLAN drop-down list.

      Ensure that you assign different priorities for different uplinks in the next-hop list configuration.

  8. In the Tunnel destination field, specify the FQDN address of the branch site configured in Check Point to which the tunnel will be established.
  9. Select one of the following options in the Representation type drop-down list:
    • Text-Based
    • Hex-Based
  10. In the IKE shared secret field, enter the IKE pre-shared secret key that you configured on the Check Point portal, and retype the secret key in the Retype shared secret field to confirm.
  11. Select one of the following tunnel monitor probes:
  12. Select one of the following Destination types:
    • IP Address—If you selected this option, then specify an IP address.
    • FQDN—If you selected this option, then specify an FQDN value.
  13. In Probe Destination, enter the probe destination.
    • If you selected IP address in Destination type, then specify an IP address.
    • If you selected FQDN in Destination type, then specify an FQDN value.
  14. Click Save Settings.
  15. Repeat steps 1 through 12 to add a secondary IPsec tunnel.
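The limits stated in steps 4 to 13 (provider name, a name of at most 128 characters, a priority from 1 to 9998, an FQDN tunnel destination, a text or hex shared secret that must be retyped identically, and a probe destination matching its type) can be checked locally before anyone types them into the map. The following Python script is an added example, not Aruba Central's or Check Point's code; the dictionary layout, field names, and the placeholder FQDNs and key are this example's own assumptions.

```python
import ipaddress
import re

# Limits taken from the configuration steps above. The dict layout, field
# names and sample values are this example's own assumptions, not an Aruba
# Central API or export format.
MAX_NAME_LEN = 128
PRIORITY_MIN, PRIORITY_MAX = 1, 9998
PROVIDER = "Check Point - CloudGuard Connect"
REPRESENTATIONS = ("Text-Based", "Hex-Based")
DESTINATION_TYPES = ("IP Address", "FQDN")

# One hostname label: 1-63 characters, letters/digits/hyphen, no edge hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(value):
    """True for a syntactically valid dotted hostname such as the tunnel
    destination shown under View Instructions in the Check Point portal."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def decode_shared_secret(secret, representation):
    """Return the raw pre-shared key bytes for either representation type."""
    if not secret:
        raise ValueError("shared secret is empty")
    if representation == "Text-Based":
        return secret.encode("utf-8")
    if representation == "Hex-Based":
        if len(secret) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", secret):
            raise ValueError("hex secret must be an even number of hex digits")
        return bytes.fromhex(secret)
    raise ValueError("unknown representation type %r" % representation)


def validate_ipsec_map(cfg):
    """Check one IPsec map definition; return a list of error strings."""
    errors = []
    if cfg.get("provider") != PROVIDER:
        errors.append("provider: expected %r" % PROVIDER)
    if not 1 <= len(cfg.get("name", "")) <= MAX_NAME_LEN:
        errors.append("name: must be 1 to %d characters" % MAX_NAME_LEN)
    prio = cfg.get("priority")
    if not isinstance(prio, int) or not PRIORITY_MIN <= prio <= PRIORITY_MAX:
        errors.append("priority: must be an integer from %d to %d (1 is highest)"
                      % (PRIORITY_MIN, PRIORITY_MAX))
    if not is_fqdn(cfg.get("tunnel_destination", "")):
        errors.append("tunnel_destination: must be the FQDN from View Instructions")
    rep = cfg.get("representation")
    if rep not in REPRESENTATIONS:
        errors.append("representation: must be one of %s" % ", ".join(REPRESENTATIONS))
    else:
        try:
            decode_shared_secret(cfg.get("shared_secret", ""), rep)
        except ValueError as exc:
            errors.append("shared_secret: %s" % exc)
    if cfg.get("shared_secret") != cfg.get("retype_shared_secret"):
        errors.append("retype_shared_secret: does not match shared_secret")
    dtype, dest = cfg.get("destination_type"), cfg.get("probe_destination", "")
    if dtype not in DESTINATION_TYPES:
        errors.append("destination_type: must be one of %s" % ", ".join(DESTINATION_TYPES))
    elif dtype == "IP Address" and not is_ip(dest):
        errors.append("probe_destination: not a valid IP address")
    elif dtype == "FQDN" and not is_fqdn(dest):
        errors.append("probe_destination: not a valid FQDN")
    return errors


# Constructed sample: placeholder FQDNs and key, not real Check Point values.
PRIMARY = {
    "provider": PROVIDER,
    "name": "checkpoint-primary",
    "priority": 1,
    "tunnel_destination": "site-placeholder.example.invalid",
    "representation": "Hex-Based",
    "shared_secret": "0123456789abcdef0123456789abcdef",
    "retype_shared_secret": "0123456789abcdef0123456789abcdef",
    "destination_type": "FQDN",
    "probe_destination": "probe-placeholder.example.invalid",
}
# Same map with three deliberate mistakes: out-of-range priority, odd-length
# hex key, and a retyped secret that does not match.
BROKEN = dict(PRIMARY, priority=0, shared_secret="abc", retype_shared_secret="abcd")

if __name__ == "__main__":
    print("primary:", validate_ipsec_map(PRIMARY) or "ok")
    print("broken:", validate_ipsec_map(BROKEN))
```

The hex check matters because a Hex-Based secret that is not valid hex, or that has an odd number of digits, produces a different key on the two ends and the tunnel simply never comes up; catching it here is cheaper than reading IKE negotiation failures afterwards.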

The following figure shows the sample configuration values:

Figure 5  Check Point Configuration

Configuring a Next-hop List

After configuring the tunnels, you can create a next-hop list to group the tunnels inside a routing policy.

Note the following points for next-hop list configuration:

  • If you want to use both (primary and secondary) IPsec tunnels in the Active-Active mode, assign the same priority for the tunnels.
  • If you want to use the tunnels in the Active-Standby mode, assign a higher priority for the tunnel that points to the primary node and enable Preemptive failover.

Figure 6  Next-hop Configuration

For more information, see Configuring Policies for PBR.

Adding the Next-hop List to a Routing Policy

After creating the next-hop list, you must add the next-hop list to a routing policy.

In the example shown in the following figure, the policy sends all traffic destined for private subnets through the regular path and the rest of the traffic through the Check Point nodes.
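The next-hop list notes above (Active-Active with equal priorities, Active-Standby with a higher priority and Preemptive failover), the IP-SLA probe prerequisite, and the routing policy in this figure can be modelled in a few lines of Python. The following code is an added illustration, not Aruba's PBR implementation; the tunnel names, the priority values (a larger value is more preferred in this model, an assumption), the private subnet list, and the `up` set standing in for IP-SLA probe results are all constructed.

```python
import ipaddress

# Constructed model of the next-hop list and routing policy described above.
# Not Aruba's PBR code: names, priorities and subnets are placeholders, and
# a larger priority value means a more preferred next hop (assumption).
PRIVATE_SUBNETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
REGULAR_PATH = "regular-path"


class NextHopList:
    """Groups IPsec tunnels with priorities, as in the next-hop list configuration."""

    def __init__(self, hops, preemptive_failover=False):
        self.hops = dict(hops)          # tunnel name -> priority
        self.preemptive = preemptive_failover
        self._rr = 0                    # round-robin counter for equal priorities

    def select(self, up, current=None):
        """Pick the tunnel to use, given the set of tunnels whose probes are up
        and the tunnel currently carrying traffic (if any)."""
        candidates = [name for name in self.hops if name in up]
        if not candidates:
            return None
        best = max(self.hops[name] for name in candidates)
        # Active-Standby without Preemptive failover: a recovered primary does
        # not take traffic back while the standby is still up.
        if current in candidates and not self.preemptive and self.hops[current] < best:
            return current
        top = sorted(name for name in candidates if self.hops[name] == best)
        # Active-Active: tunnels with the same priority share the load.
        choice = top[self._rr % len(top)]
        self._rr += 1
        return choice


def route(dst, next_hops, up, current=None):
    """Apply the policy in the figure: private subnets take the regular path,
    everything else goes to Check Point through the next-hop list."""
    addr = ipaddress.ip_address(dst)
    if any(addr in net for net in PRIVATE_SUBNETS):
        return REGULAR_PATH
    # No Check Point tunnel up: this model fails closed (None) rather than
    # silently sending Internet traffic around the security service.
    return next_hops.select(up, current)


if __name__ == "__main__":
    # Constructed probe results: both tunnels currently up.
    both_up = {"cp-primary", "cp-secondary"}
    active_active = NextHopList({"cp-primary": 10, "cp-secondary": 10})
    active_standby = NextHopList({"cp-primary": 20, "cp-secondary": 10},
                                 preemptive_failover=True)
    print("internal:", route("10.1.2.3", active_standby, both_up))
    print("internet:", route("203.0.113.7", active_standby, both_up))
    print("shared:", active_active.select(both_up), active_active.select(both_up))
    print("primary down:", active_standby.select({"cp-secondary"}, current="cp-primary"))
```

The `up` set is where the IP-SLA prerequisite shows up: without a probe responder the gateway has no basis for declaring a tunnel down, so the failover branches in `select` would never be taken.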

Figure 7  Routing Policy for Check Point

For more information on adding a next-hop list to a global routing policy, see Configuring Policies for PBR.

Applying Policies to a Role or VLAN

After you configure a routing policy, apply it to a role or VLAN.

The following figures illustrate the procedure for configuring a Check Point role and applying routing policies to a role and VLAN:

Figure 8  Apply Check Point Routing Policy to a Role

Figure 9  Apply Routing Policy to VLAN

For more information, see Applying Policies to Gateway Interfaces.

Verifying Tunnel Status

To verify the tunnel status:

  1. In the Aruba Central app, set the filter to a group that contains at least one Branch Gateway.

    The dashboard context for a group is displayed.

  2. Under Manage, click Devices > Gateways.

    A list of gateways is displayed in the List view.

  3. Click a gateway under Device Name.

    The dashboard context for the gateway device is displayed.

  4. Under Manage, click Overview.
  5. Click Tunnels.

For more information, see Gateway > WAN > Tunnels.

You can also view the tunnel status and uplink health in the Monitoring & Reports > Topology page.