Check Point and Firebox BOVPN Virtual Interface Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, refer to the documentation and support resources for that product.

This guide describes how to configure a Branch Office VPN (BOVPN) virtual interface between a WatchGuard Firebox and a Check Point device.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox with Fireware v12.11.2(B713726)
  • Check Point 770 with vR77.20.87(990173072)

Integration Topology

This diagram outlines the topology used in this integration:

Topology diagram

Configure the Firebox

This section shows two different configurations for a route-based BOVPN, based on the Firebox management tool you use. For a cloud-managed Firebox, go to Configure a route-based BOVPN for a Cloud-Managed Firebox; for Fireware Web UI, go to Configure BOVPN connection from the Fireware Web UI.

  1. Log in to WatchGuard Cloud with your WatchGuard Cloud operator account credentials.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Configure > VPNs.
  3. Click Add BOVPN.
    The Add BOVPN page opens.
  4. In the Name text box, type a descriptive name.
  5. From the VPN Connection Type drop-down list, select Route-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop-down list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type Check Point.

    9. Screenshot of WGC, WGC define VPN endpoints

  9. Click Next.
    The VPN Gateways settings page opens.
  10. From your cloud-managed Firebox side, select the External network.
  11. From the IP or Domain Name or User on Domain drop-down list, select an IP address, domain name, or user on domain that resolves to the Firebox external network IP address.
  12. At the Check Point side, in the IP or Domain Name or User on Domain text box, type the IP address of the Check Point WAN connection.
  13. In the Pre-shared Key text box, type a pre-shared key. This pre-shared key must be the same as the pre-shared key when you configure the pfSense IPSec VPN Phase 1 settings.

    14. Screenshot of WGC, WGC VPN Gateway

  14. Click Next.
  15. From your cloud-managed Firebox side, select the Internal network that you want to be accessible through the VPN tunnel.
  16. From the Check Point side, click Add Network Resource.
    The Add Network Resource dialog box opens.
  17. In the Network Resource text box, type the private network protected by the Check Point. For our example, we type 192.168.13.0/24.
  18. Click Add.
  19. From the cloud-managed Firebox section, in the Virtual IP Address text box, type an IP address. In this example, we type 10.0.11.11/32.
  20. From the Check Point section, in the Virtual IP Address text box, type an IP address. In this example, we type 10.0.11.10/32.

    21. Screenshot of WGC, WGC traffic private network

  21. For all other settings, keep the default values.
  22. Click Next.
    The Tunnel Routes page opens.
  23. In the Phase 1 Settings section, from the Authentication drop-down list, select SHA2-256.
  24. From the Encryption drop-down list, select AES-CBC (256-bit).
  25. In the SA Life text box, type 24.
  26. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  27. In the Phase 2 Settings section, from the Authentication drop-down list, select SHA2-256.
  28. From the Encryption drop-down list, select AES-CBC (256-bit).
  29. Select the Use Perfect Forward Secrecy (PFS) check box.
  30. From the PFS Group drop-down list, select Diffie-Hellman Group14.

    31. Screenshot of WGC, WGC phase 1 and phase 2 settings

  31. Keep all other settings at their default settings.
  32. Click Add.
  33. (Optional) To open the VPN Configuration Summary page in a new browser tab, click View Guide. To establish the VPN connection, configure the required settings on the Check Point.
  34. Click Finish.
    When you add a BOVPN for a cloud-managed Firebox, WatchGuard Cloud immediately creates and deploys a configuration update for the cloud-managed Firebox.
  1. Log in to Fireware Web UI.
  2. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  3. Click Add.
  4. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  7. In the Credential Method section, select Use Pre-Shared Key. Type the pre-shared key.

Screenshot of Firebox, picture1

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  2. From the Physical drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  4. Select By IP Address.
  5. In the By IP Address text box, type the primary IP address of the external Firebox interface.

Screenshot of Firebox, picture2

  1. Select the Remote Gateway tab.
  2. Select Static IP Address. Type the IP address of your Check Point WAN connection.
  3. Select By IP Address. Type the IP address of your Check Point WAN connection.

Screenshot of Firebox, picture3

  1. Click OK.
  2. In the Gateway Endpoint section, select the Start Phase 1 tunnel when it is inactive check box.
  3. Select the Add this tunnel to the BOVPN-Allow policies check box.

Screenshot of Firebox, picture4

  1. Select the VPN Routes tab.
  2. Click Add.

Screenshot of Firebox, picture5

  1. From the Choose Type drop-down list, select Network IPv4.
  2. In the Route To text box, type the network IP address of a route that uses this virtual interface.

Screenshot of Firebox, picture6

  1. Click OK.
  2. Select the Assign virtual interface IP addresses check box.
  3. In the Local IP address and Peer IP address or netmask text boxes, type the virtual interface IP addresses.

Screenshot of Firebox, picture7

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Keep all other values as default Phase 1 Settings.

Screenshot of Firebox, picture8

  1. Keep all Phase 2 Settings as the default values.

Scree shot of Firebox, picture9

  1. Click Save.

For more information about BOVPN virtual interface configuration on the Firebox, go to BOVPN Virtual Interfaces.

Configure the Check Point Device

Configure the VPN Site

  1. Log in to the Check Point 770 Web UI. The default IP address and port is https://192.168.1.1:4434.
  2. From the navigation menu, select VPN > Site to Site > VPN Sites.
  3. Click New to add a new VPN site.
    The New VPN Site window appears.
  4. On the Remote Site tab, in the Site name text box, type the site name.
  5. From the Connection type drop-down list, select Host name or IP address.
  6. Select IP address and type the public IP address of the remote device in the text box.
  7. In the Authentication section, select Pre-shared secret.
  8. In the Password and Confirm text boxes, type the password.
  9. From the Encryption domain drop-down list, select Encrypt according to routing table.

Screenshot of Check Point, picture1

  1. Select the Encryption tab.
  2. From the Encryption settings drop-down list, select Custom.
  3. In the IKE (Phase 1) section, from the Encryption drop-down list, select AES-256.
  4. From the Authentication drop-down list, select SHA256.
  5. From the Diffie-Hellman group support drop-down list, select Group 14 (2048 bit).
  6. In the IPSec (Phase 2)section, from the Encryption drop-down list, select AES-256.
  7. From the Authentication drop-down list, select SHA256.
  8. Select the Enable Perfect Forward Secrecy check box.
  9. From the Diffie-Hellman group support drop-down list, select Group 14 (2048 bit).
  10. Keep the default settings for all other options.

Screenshot of Check Point, picture2

  1. Select the Advanced tab.
  2. Clear the Remote gateway is a Check Point Security Gateway check box.
  3. Select the Enable Permanent VPN Tunnels check box.
  4. Select the Allow traffic to the internet from remote site through this gateway check box.
  5. From the Encryption method drop-down list, select IKEv2.
  6. For all other settings, keep the default values.

Screenshot of Check Point, picture3

  1. Click Apply.

Configure VPN Tunnel (VTI)

  1. Select Device > Network > Local Network.
  2. From the New drop-down list, select VPN Tunnel (VTI).
  3. In the VPN Tunnel ID text box, type a number to identify the VTI.
  4. In the Peer text box, type the tunnel name, which must be the same as the VPN site name.
  5. Select Numbered VTI.
  6. In the Local IPv4 address text box, type the virtual local IP address.
  7. In the Remote IP address text box, type the virtual remote IP address.

Screenshot of Check Point, picture4

  1. Click Apply.

Configure a Static Route

  1. Select Device > Network > Routing.
  2. Click New.
  3. In the Destination section, click Any to edit the IP address.
  4. Select Specified IP address.
  5. In the IP Address text box, type 192.168.35.0, which is the local IP address protected by the Firebox.
  6. In the Mask text box, type 255.255.255.0.

Screenshot of Check Point, picture5

  1. Click OK.
  2. From the Next Hop section, click N/A and select VPN Tunnel (VTI).
  3. From the drop-down list, select the vpnt1 tunnel that you created.

Screenshot of Check Point, picture6

  1. Click OK.
  2. In the Metric text box, type a number between 0 and 100.
  3. Click Apply.

Configure Network Objects

  1. From the navigation menu, select Users & Objects > Network Resources > Network Objects.
  2. Click New.
  3. From the Type drop-down list, select Network.
  4. In the Network address text box, type the network IP address, which is the internal network IP address protected by Firebox.
  5. In the Subnet mask text box, type the subnet mask.
  6. In the Object name text box, type the object name.

Screenshot of Check Point, picture7

  1. Click Apply.
  2. Repeat Steps 2–7 to create another network object, which is the internal network IP address protected by the Check Point device.

Screenshot of Check Point, picture8

Configure Access Policy

  1. From the navigation menu, select Access Policy > Firewall > Policy.
  2. In the Incoming, Internal and VPN traffic section, click New.
  3. For the Source, select the CPINT object that you created.
  4. For the Destination, select the WGINT object that you created.
  5. Keep the default settings for all other options.

Screenshot of Check Point, picture9

  1. Click Apply.
  2. Repeat Steps 2-6 to create another policy.

Screenshot of Check Point, picture10

For more information about Check Point VPN configuration and supported IKE ciphers, go to Check Point 700/900 Appliances R77.20.87 Administration Guide.

Test the Integration

To verify the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.
  4. Verify that Host 1 (behind the Firebox) and Host 2 (behind the Check Point) can ping each other.

Screenshot of Firebox, picture10

To verify the integration, from WatchGuard Cloud:

  1. Log in to WatchGuard Cloud.
  2. From the navigation menu, select Monitor > Devices.
    If you log in with a Service Provider, you must select a Subscriber account from the Account Manager.
  3. Select your cloud-managed Firebox, and select Live Status > VPN > Branch Office VPN.

Screenshot of Firebox, picture11

To verify the integration, from the Check Point site:

  1. Select VPN > VPN Tunnels.
  2. Verify the VPN tunnel is established.

Screenshot of Firebox, picture11