Support Center > Search Results > SecureKnowledge Details
Connecting Check Point Security Gateways to Check Point Harmony Connect Technical Level
Solution

Overview

Check Point's Harmony Connect provides secure access and prevents threats for anyone and anywhere connecting to the Internet. Customers can connect their branch offices or remote users and enjoy up-to-date security delivered as a service.

To secure branch offices:
  1. Log into Infinity Portal or create a new account for your company.
  2. Click the Menu   and select  Harmony Connect.
  3. From Getting Started, select Internet access for users at Branch Offices.
    1. Click Add Branch Office. Follow the onscreen instructions to complete the definition of your first branch site. 
    2. When the Branch Office status changes to Waiting for traffic, click Configure branch device.
    3. Follow the onscreen instructions to get the IPsec configuration properties, pre-shared key, tunnel addresses, and the traffic routes.

Connecting Check Point Gateways as branch devices

Connect your device to Harmony Connect by creating two IPsec tunnels. These instructions refer to SmartConsole, version R80.10 and higher.

Step 1: Get the IP addresses of the IPsec tunnels

Check Point's IPsec tunnel addresses are FQDN domains. For Check Point security gateways, you will need to get the IP address of the tunnel. We will use these IP addresses in the next steps. Use nslookup on the tunnel destination address that appeared at the instructions at Check Point Infinity Portal.

Note: Check Point does not guarantee by default preservation of the IP address behind its tunnel addresses. In case you need to use fixed IP addresses of the Check Point tunnels in production, open a support ticket to Check Point with the current tunnel destination address. Fixed IP addresses are not available for trial customers.
  

Step 2: Create Your First Interoperable Device Object representing Harmony Connect

  1. Open Check Point SmartConsole.
  2. From the object bar on the right pane, click New > More > Network Object > More > Interoperable Device.

  3. Enter these details in the Interoperable Device window that opens:
    1. In the Name, mention Harmony Connect, for example, Harmony_Connect_Service_1
    2. Set the IPv4 Address to <tunnel 1 external IP address>.
  4. Click OK.

Step 3: Create Your Second Interoperable Device Object representing Harmony Connect

Repeat the previous step for a new Object, with these details:
  1. In the Name, mention Harmony Connect, for example, Harmony_Connect_Service_2
  2. Set the IPv4 Address to <tunnel 2 external IP address>.

Step 4: Create a VPN Community object

  1. In the object toolbar on the right pane, click New > More > VPN Community > Star Community.

  2. In the New Star Community window that opens, enter the Object Name that mentions connectivity to Harmony Connect, for example, <your_site_name>_to_Harmony_Connect.
  3. On the Gateways tab:
    1. Add two interoperable device objects from steps 1 and 2 as Center Gateways.
    2. Add your data center gateway as a Satellite Gateway.

  4. On the Encrypted Traffic tab:
    • Make sure to select Accept all encrypted traffic on with the Both center and satellite gateways option.

  5. On the Encryption tab:
    1. Set the Encryption Method to Prefer IKEv2, support IKEv1
    2. Set the Encryption Suite to Custom encryption suite.
      For IKE Security Association (Phase 1):
      • Set Encryption Algorithm to AES-256
      • Set Data Integrity to SHA1
      • Set Diffie-Hellman group to Group 2 (1024 bit)
      For IKE Security Association (Phase 2):
      • Set Encryption Algorithm to AES-256
      • Set Data Integrity to SHA1

  6. On the Tunnel Management tab:
    • Select Set Permanent Tunnels with the On all tunnels in the community option.

  7. On the VPN Routing tab:
    • Select To center or through the center to other satellites, to Internet and other VPN targets.

  8. On the Shared Secret tab:
    1. Select Use only Shared Secret for all external members.
    2. Set the shared secret to <shared secret>.
  9. Click OK.

    The VPN Community object is ready. 

Step 5: Enable DPD (Dead Peer Detection) on your data center gateway

Check Point Harmony Connect uses DPD (dead peer detection) over IPsec VPN to monitor connectivity with your data center site.
This step is mandatory if you want to receive traffic from Harmony Connect on your site, for example, the traffic that originates at your remote users or in your other offices. If you want to send traffic from the site to Harmony Connect and then to the Internet, this step is optional, but recommended.

Use the SmartConsole Command Line tool to enable DPD.
  1. Click Command Line on the menu.

  2. To find the UID of your data center gateway, run:
    show objects filter <your gateway name>

  3. To set the VPN settings of your gateway object for usage of DPD as the VPN connectivity method,  run: 
    set generic-object uid <UID from the previous step> vpn.tunnelKeepaliveMethod DPD

Step 6: Allow connectivity

  1. In SmartConsole, navigate to Security Policies and open the security policy that applies to your data center gateway.
  2. Navigate to Access Control.
  3. Add a new rule to send traffic from the site to Harmony Connect and then to the Internet:
    • Set Source to Any
    • Set Destination to the object All_Internet.
    • Set Action to Accept

Step 7: Deploy the changes

  1. In SmartConsole, on the top toolbar, click Publish.

    This makes all of your changes publicly available for other administrators to see.

  2. Confirm to publish your changes.
  3. Optionally, add a description to your changes.
  4. In SmartConsole, on the tab with the policy that you want to install on your gateway, click Install Policy.

  5. Confirm to install the policy.
  6. The policy installation take several minutes. You can track its progress on the Tasks pane in the bottom left corner.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment