After you create a site at Check Point's Infinity Portal, configure Check Point as the Non VMware SD-WAN Site on the SD-WAN Orchestrator.

After you create a site at Check Point's Infinity Portal, complete the steps below:

Procedure

  1. From the SD-WAN Orchestrator, go to Configure > Network Services
  2. In the Non-VeloCloud Sites area, click the New button.
    The New Non-VeloCloud Site dialog box appears.

  3. Complete the following sub steps in the New Non-VeloCloud Site dialog box:
    1. Enter the Name of your site.
    2. Select Check Point from the Type drop-down menu.
    3. Type in the Primary VPN Gateway (and the Secondary VPN Gateway if necessary).
    4. Click Next.
      A dialog box for your Non VMware SD-WAN Site appears. (image below).

      Note: To configure tunnel settings to the Non VMware SD-WAN Site’s Primary VPN Gateway, click the Advanced button located at the bottom of the dialog box. Any changes made to Encryption, DH Group, or PFS will also be applied to the redundant tunnel configuration. After saving your changes, update the site's primary VPN Gateway device. Click on the "View IKE/IPSec Template" button for details.
  4. In the Primary VPN Gateway area, enter the following:
    1. PSK: Enter the Pre-Shared Key that was configured on the Check Point infinity portal. Do not configure redundant IPsec tunnels (keep the checkbox for Redundant VeloCloud Cloud VPN unchecked).
    2. Encryption: The Encryption should be set to the same algorithm that was configured on the checkpoint infinity portal.
    3. DH Group: The DH group should be set to the same value that was configured on the checkpoint infinity portal.
    4. For the purposes of this specific Check Point configuration, choose disabled from PFS drop-down menu.
  5. To add a Secondary VPN Gateway click the Add button. Clicking the Save Changes button will immediately create the Secondary VPN Gateway for this site and provision a VMware VPN tunnel to this Gateway.
    Note:

    For Checkpoint Non VMware SD-WAN Site, by default, the local authentication ID value used is SD-WAN Gateway Interface Public IP.

  6. As mentioned in Step 4a above, leave the Redundant VeloCloud Cloud VPN checkbox unchecked.
  7. For the purposes of the Check Point configuration, choose Default from the Local Auth Id drop-down menu.
  8. For the purposes of the Check Point configuration, check the Disable Site Subnets checkbox.
  9. Click Save Changes.
  10. Check the Enable Tunnel(s) checkbox once you are ready to initiate the tunnel from the SD-WAN Gateway to the Check Point CloudGuard VPN gateways.