Check Point with WatchGuard Firebox Cloud Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure the WatchGuard Firebox Cloud and Check Point devices.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox Cloud
    • Fireware v12.3 or higher
  • Check Point 770
    • Version R77.20.75 or higher

Test Topology

This diagram shows the topology used to connect your Firebox Cloud to Check Point with a VPN.

CheckPoint and Firebox Topology

Configure Firebox Cloud

On the Firebox, configure a Branch Office VPN connection:

  1. Log on to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page appears.
  3. To add a gateway, in the Gateways section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  4. In the Gateway Name text box, type the interface name.
  5. Under the Credential Method section, select Use Pre-Shared Key.
  6. In the adjacent text box, type the pre-shared key.

Screen shot of the General Settings tab

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  2. From the External Interface drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IP Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  4. Select By IP Address.
  5. In the adjacent text box, type the primary IP address of the Firebox external interface.

Screen shot of the Local Gateway tab

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the public IP address of your Check Point connection.
  4. Select By IP Address.
  5. In the adjacent text box, type the public IP address of your Check Point connection.
  6. Keep the default settings for all other options.

Screen shot of the Remote Gateway settings on the Firebox

  1. Click OK.

Screen shot of the General Settings tab

Next, configure the Phase 1 settings.

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. For all other settings, keep the default values.

Screen shot of the Phase 1 settings

  1. Click Save.

Screen shot of the BOVPN settings

Next, configure the Tunnels:

  1. On the Branch Office VPN page, in the Tunnels section, click Add.
    The Branch Office VPN Tunnel configuration interface appears.
  2. From the Gateway drop-down list, select the gateway that you added.

Screen shot of the Addresses tab

  1. In the Addresses section, click Add to configure tunnel routes for the tunnel.
  2. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  3. In the Network IP text box, type the network IP address.
  4. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  5. In the Network IP text box, type the network IP address.
  6. For all other settings, keep the default values.

Tunnels in WatchGuard Firebox

  1. Click OK.

Tunnels in WatchGuard Firebox

  1. Click Save.

Tunnels in WatchGuard Firebox

For more information about Branch Office VPN configuration on the Firebox, see Configure Manual BOVPN Gateways and Configure Manual BOVPN Tunnels.

Configure Check Point

To configure the Check Point, you must specify several settings.

  1. Log on to the CheckPoint 770 Web UI. The default IP address and port are https://192.168.1.1:4434.
  2. Configure all needed CheckPoint 770 interfaces.
  3. From the navigation menu, select Users & Objects > Network Resources > Network Objects.
  4. Click New.
  5. From the Type drop-down list, select Network.
  6. In the Network address text box, type the Network IP address, which is the internal network IP address for WatchGuard Firebox Cloud.
  7. In the Subnet mask text box, type the subnet mask.
  8. In the Object name text box, type the object name.

Screen shot of the New Network Object dialog box

  1. Click Apply.
  2. Repeat Steps 3–8 to create another network object for the internal network IP address of the CheckPoint.

Screen shot of the Check Point Object configuration

Next, configure the VPN Site:

  1. From the navigation menu, select VPN > Site to Site > VPN Sites.
  2. Click New to add a new VPN site.
    The New VPN Site window appears.
  3. On the Remote Site tab, in the Site name text box, type the site name.
  4. From the Connection type drop-down list, select Host name or IP address.
  5. Select IP address and, in the adjacent text box, type the public IP address of the remote device.
  6. In the Authentication section, select Pre-shared secret.
  7. In the Password and Confirm text boxes, type the password.

Check Point VPN site config

  1. From the Encryption domain drop-down list, select Define remote network topology manually.
  2. To select the internal network IP address object for WatchGuard Firebox Cloud, click Select.

Check Point VPN site config

  1. Select the Encryption tab.
  2. From the Encryption settings drop-down list, select Custom.
  3. Under IKE (Phase 1), from the Encryption drop-down list, select AES-256.
  4. From the Authentication drop-down list, select SHA256.
  5. From the Diffie-Hellman group support drop-down list, select Group 14 (2048 bit).
  6. In the IPSec (Phase 2) section, from the Encryption drop-down list, select AES-256.
  7. From the Authentication drop-down list, select SHA256.
  8. Select Enable Perfect Forward Secrecy.
  9. From the Diffie-Hellman group support drop-down list, select Group 14 (2048 bit).
  10. Keep the default settings for all other options.

Check Point VPN site config

  1. Select the Advanced tab.
  2. Clear the Remote gateway is a Check Point Security Gateway check box.
  3. Select Allow traffic to the internet from remote site through this gateway.
  4. From the Encryption method drop-down list, select IKEv2.
  5. For all other settings, keep the default values.
  6. Click Apply.

Check Point VPN site config
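The Firebox side of this tunnel keeps the Fireware Phase 1 and Phase 2 defaults while the Check Point side is set explicitly, and IKE will not establish a tunnel if the two peers propose different algorithms. The following added Python check (not from the guide or from either vendor) models each peer as a single proposal and reports the settings they disagree on, plus deprecated algorithms or DH groups below Group 14. The Check Point values are the ones the guide selects; FIREBOX_SAMPLE is a constructed assumption, to be replaced with the values shown in the gateway's Phase 1 and the tunnel's Phase 2 settings.

```python
# Added example (not from the WatchGuard guide or either vendor): report the
# IKEv2/IPsec settings two peers disagree on, plus weak algorithms on each side.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Proposal:
    ike_version: str            # "IKEv1" or "IKEv2"
    p1_encryption: str          # IKE (Phase 1)
    p1_auth: str
    p1_dh_group: int
    p2_encryption: str          # IPsec (Phase 2)
    p2_auth: str
    pfs: bool
    p2_dh_group: Optional[int]  # negotiated only when pfs is True

# Values the guide selects on the Check Point Encryption and Advanced tabs.
CHECK_POINT = Proposal("IKEv2", "AES-256", "SHA256", 14, "AES-256", "SHA256", True, 14)
# Constructed sample (assumption): the guide keeps Fireware defaults, so read the
# real values from the gateway's Phase 1 and the tunnel's Phase 2 settings.
FIREBOX_SAMPLE = Proposal("IKEv2", "AES-256", "SHA256", 14, "AES-256", "SHA256", True, 14)
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_AUTH = {"MD5", "SHA1"}
MIN_DH_GROUP = 14  # Group 14 (2048 bit), as selected in the guide

def proposal_mismatches(local: Proposal, remote: Proposal) -> List[str]:
    """Return one message per setting on which the two peers disagree."""
    problems = []
    if local.ike_version != remote.ike_version:
        problems.append(f"IKE version: {local.ike_version} vs {remote.ike_version}")
    for name in ("p1_encryption", "p1_auth", "p1_dh_group", "p2_encryption", "p2_auth"):
        a, b = getattr(local, name), getattr(remote, name)
        if a != b:
            problems.append(f"{name}: {a} vs {b}")
    if local.pfs != remote.pfs:
        problems.append(f"pfs: {local.pfs} vs {remote.pfs}")
    elif local.pfs and local.p2_dh_group != remote.p2_dh_group:
        problems.append(f"p2_dh_group: {local.p2_dh_group} vs {remote.p2_dh_group}")
    return problems

def weak_settings(p: Proposal) -> List[str]:
    """Flag deprecated algorithms and DH groups below Group 14 on one peer."""
    weak = [f"{n}: {getattr(p, n)}" for n in ("p1_encryption", "p2_encryption")
            if getattr(p, n).upper() in WEAK_ENCRYPTION]
    weak += [f"{n}: {getattr(p, n)}" for n in ("p1_auth", "p2_auth")
             if getattr(p, n).upper() in WEAK_AUTH]
    groups = [p.p1_dh_group] + ([p.p2_dh_group] if p.pfs and p.p2_dh_group else [])
    weak += [f"dh_group: {g}" for g in groups if g < MIN_DH_GROUP]
    return weak
```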

Next, configure the Access Policy:

  1. From the navigation menu, select Access Policy > Firewall > Policy.
  2. In the Incoming, Internal and VPN traffic section, click New.
  3. For the source, select CPINT (the network object you created for the Check Point internal network).
  4. For the destination, select WGINT (the network object you created for the WatchGuard Firebox Cloud internal network).
  5. Keep the default settings for all other options.
  6. Click Apply.

Check Point policy config

  1. In the Incoming, Internal and VPN traffic section, click New.
  2. For the source, select WGINT.
  3. For the destination, select CPINT.

Check Point policy config

For more information about Check Point VPN configuration and supported IKE ciphers, see the Check Point 600/700 Appliances R77.20.75 Administration Guide.

Test the Integration

To test the integration:

  1. On the Firebox, add an ICMP policy from Any to Any.
  2. In Check Point, add an ICMP policy from Any to Any.
  3. From Fireware Web UI, select System Status > VPN Statistics.
  4. Select the Branch Office VPN tab. The statistics show that the VPN is established.

Screen shot of the BOVPN VPN statistics

  1. In Check Point, from the navigation menu, select VPN > VPN Tunnels. The tunnel is shown as active.

CheckPoint VPN Statistics

  1. On Host1, try to ping Host2.
    In our example, Host1 is a computer behind the Firebox. Host2 is a computer behind Check Point.
  2. On Host2, try to ping Host1. If both hosts can ping each other, the integration is successful.
