Check Point firewall integration on SD-WAN 1100 platform

Citrix SD-WAN supports hostingCheck Point CloudGuard Edgeon SD-WAN 1100 platform.

TheCheck Point CloudGuard Edgeruns as a virtual machine on SD-WAN 1100 platform. The firewall virtual machine is integrated in Bridge mode with two data virtual interfaces connected to it. Required traffic can be redirected to the firewall virtual machine by configuring policies on SD-WAN.

Benefits

The following are the primary goals or benefits of Check Point integration on the SD-WAN 1100 platform:

• Branch device consolidation: A single appliance that does both SD-WAN and advanced security

• Branch office security with on-prem NGFW (Next Generation Firewall) to protect LAN-to-LAN, LAN-to-Internet, and Internet-to-LAN traffic

Configuration steps

The following configurations are needed to integrate Check Point firewall virtual machine on SD-WAN:

• Provision the Firewall Virtual Machine

• 使交通redirection to Security Virtual Machine

Note

防火墙virtual machine must be provisioned first before enabling the traffic redirection.

Provisioning Check Point firewall virtual machine

There are two ways to provision the firewall virtual machine:

• Provisioning through SD-WAN Center

• Provisioning through SD-WAN appliance GUI

防火墙virtual machine provisioning through SD-WAN Center

Prerequisites

• Add the secondary storage to SD-WAN Center to store the Firewall VM image files. For more information, seeSystem requirements and installation.

• Reserve the storage from the secondary partition for the Firewall VM image files. To configure the storage limit, navigate toAdministration > Storage Maintenance.

  • 从列表中选择所需的存储量。

  • Click应用程序ly.

  

Note

Storage is reserved from secondary partition which is active if the condition is met.

Perform the following steps for provisioning the firewall virtual machine through SD-WAN Center platform:

1. From Citrix SD-WAN Center GUI, navigate toConfiguration >selectHosted Firewall.

   

   You can select theRegionfrom the drop-down list to view the provisioned site details for that selected region.

2. Upload the software image.

   Note

   Ensure that you have enough disk space to upload the software image.

   Navigate toConfiguration > Hosted Firewall > Software Imagesand clickUpload.

   

3. Select the Vendor name asCheck Pointfrom the drop-down list. Click or drop the software image file in the box to upload.

   

   A status bar appears with the ongoing upload process. Do not clickRefreshor perform any other action until the image file shows 100% uploaded.

   • Refresh: ClickRefreshoption to get the latest image file details.

   • 删除: Click删除option to delete any existing image file.

   Note

   To provision firewall virtual machine on the sites part of non-default region, upload the image file on each of the collector node.

4. For provisioning, go back toHosted Firewall Sitestab and clickProvision.

   

   • Vendor: Select the vendor name asCheck Pointfrom the drop-down list.
   • Vendor Virtual Machine Model: The virtual machine model field is auto filled as Edge.
   • Region: Select the region from the list.
   • Software Image: Select the Image file to provision.
   • Sites for Firewall Hosting: Select sites for the list for firewall hosting. You must select both primary and secondary sites if the sites are in high availability mode.
   • Management Server Primary IP Address/Domain Name: Enter the management primary IP address or fully qualified domain name (Optional).
   • Virtual Machine SIC Key: Enter the virtual machine Secure Internal Communication (SIC) key. SIC creates trusted connections betweenCheck Pointcomponents.

5. ClickStart Provision.

6. ClickRefreshto get the latest status. After the Check Point virtual machine is completely bootup, it will reflect on the SD-WAN Center UI.

You canStart, Shutdown,andDeprovisionthe virtual machine as needed.

• Site Name: Displays the site name.
• Management IP: Displays the management IP address of the site.
• Region Name: Displays the region name.
• Vendor: Displays the vendor name (Check Point).
• Model: Displays the model -Edge.
• Admin State: State of the vendor virtual machine (Up/Down).
• Operation Status: Displays the last operation status message.
• Hosted Site UI Access: Use theClick Herelink to access the Check Point virtual machine GUI.

防火墙virtual machine provisioning through SD-WAN appliance GUI

On SD-WAN platform, provision and boot up the hosted virtual machine. Perform the following steps for provisioning:

1. From Citrix SD-WAN GUI, navigate toConfiguration > Appliance Settings >selectHosted Firewall.

2. Upload the software image:

   • Select theSoftware Imagestab. Select theVendor Nameas Check Point.
   • Choose the software image file.
   • ClickUpload.

   

   Note

   Maximum of two images can be uploaded. Uploading of the Check Point virtual machine image might take longer time depending on the bandwidth availability.

   You can see a status bar to track the upload process. The file detail reflects, once the image is uploaded successfully. The image that is used for provisioning cannot be deleted. Do not perform any action or go back to any other page until the image file shows 100% uploaded.

3. For provisioning, selectHosted Firewalltab > clickProvisionbutton.

   

4. Provide the following details for provisioning.

   • Vendor Name: Select theVendor Nameas Check Point.
   • Virtual Machine Model: The virtual machine model is auto filled asEdge.
   • Image File Name: The image file name is auto-populated.
   • Check Point Management Server IP Address/Domain: Provide the check point management server IP address/domain.
   • SIC Key: Provide the SIC key (Optional). SIC creates trusted connections betweenCheck Pointcomponents. Click应用程序ly.

   

5. ClickRefreshto get the latest status. After the Check Point virtual machine is completely bootup, it will reflect on the SD-WAN UI with the operations Log detail.

   

   • Admin State: Indicates if the virtual machine is up or down.
   • Processing State: Datapath processing state of the virtual machine.
   • Packet Sent: Packets sent from SD-WAN to the security virtual machine.
   • Packet Received: Packets received by SD-WAN from the security virtual machine.
   • Packet Dropped: Packets dropped by SD-WAN (for example, when the security virtual machine is down).
   • Device Access: Click the link to get the GUI access to the security virtual machine.

You canStart, Shutdown,andDeprovisionthe virtual machine as needed. UseClick Hereoption to access the Check Point virtual machine GUI or use your management IP along with 4100 port (management IP: 4100).

Note

Always use incognito mode to access the Check Point GUI.

Redirect traffic to Edge

Traffic redirection configuration can be done both through the Configuration Editor on MCN or Configuration Editor on SD-WAN Center.

To navigate through Configuration Editor on SD-WAN Center:

1. Open Citrix SD-WAN Center UI, navigate toConfiguration > Network Configuration Import. Import the virtual WAN configuration from the active MCN and clickImport.

   

Remaining steps are similar as following - the traffic redirection configuration through MCN.

To navigate through Configuration Editor on MCN:

1. SetConnection Match TypetoSymmetricunderGlobal > Networking Settings.

   

   By default, SD-WAN firewall policies are direction specific. The Symmetric match type match the connections using specified match criteria and apply policy action on both directions.

2. Open Citrix SD-WAN UI, navigate toConfiguration >expandVirtual WAN >selectConfiguration Editor >selectHosted Firewall TemplateunderGlobalsection.

   

3. Click+and provide the required information available in the following screenshot to add theHosted Firewall Template. ClickAdd.

   

Hosted Firewall Templateallows you to configure the traffic redirection to the防火墙virtual machinehosted on SD-WAN platform. The following are the inputs needed to configure the template:

• Name: The name of the hosted firewall template.
• Vendor: The name of the firewall vendor – Check Point.
• Deployment Mode: TheDeployment Modefield is auto populated and grayed out. For theCheck Pointvendor, the deployment mode isBridge.
• Model: Virtual Machine model of the hosted firewall. Once you selected the vendor asCheck Point, the model field is auto filled withEdge.
• Primary Management Server IP/FQDN: Primary management server IP/FQDN.
• Secondary Management Server IP/FQDN: Secondary management server IP/FQDN.
• Service Redirection Interfaces: These are logical interfaces used for traffic redirection between SD-WAN and hosted firewall.

Note

Redirection input interface has to be selected from connection initiator direction, output interface is automatically chosen for the response traffic. For Example, if outbound internet traffic is redirected to hosted firewall on Interface-1 then, response traffic is automatically redirected to hosted firewall on Interface-2. Also, there is no need of Interface-2 if there is no internet inbound traffic.

Only two data interfaces are assigned to Check Point virtual machine.

Note

SD-WAN firewall policies are auto created toAllowthe traffic to/from hosted firewall management servers. This avoids redirection of the management traffic that is originated from (or) destined to the hosted firewall.

Traffic redirection to firewall virtual machine can be done using SD-WAN firewall policies. There are two methods to create SD-WAN firewall policies - either through firewall policy templates inGlobalsection or site level.

Method - 1

1. From Citrix SD-WAN GUI, navigate toConfiguration >expandVirtual WAN > Configuration Editor. Select防火墙underConnections.

   

2. SelectPoliciesfrom theSectiondrop-down list and click+Addto create a new firewall policy.

   

3. Change thePolicy TypetoHosted Firewall. TheActionfield is auto filled to Redirect. Select theHosted Firewall Templateand theService Redirection Interfacefrom the drop-down list. ClickAdd.

   

Method - 2

1. Navigate to theGlobaltab and select防火墙Policy Templates. Click+ Policy Template.

   

2. Provide the policy template a name and clickAdd.

   

3. Click+ Addnext toPre-Appliance Template Policies.

   

4. Change thePolicy TypetoHosted Firewall. TheActionfield is auto filled toRedirect. Select theHosted Firewall Templateand theService Redirection Interfacefrom the drop-down list. ClickAdd.

   

5. Navigate to theConnections > Firewall, then select the firewall policy (that you have created) under the name field. Click应用程序ly.

   

While all the network configuration is up and running mode, you can monitor the connection underMonitoring > Firewall >underStatisticslist, selectFilter Policies.