
Configuring Site-to-Site VPN between a Check Point Gateway and Netskope


Solution ID sk179920


Product Site to Site VPN


Version R80.40, R81, R81.10
OS Gaia
Platform / Model All
Date Created 20-Sep-2022

Solution
Introduction

This article describes best practices for configuring a Site-to-Site VPN between a Check Point Security Gateway R80.40 or higher and the Netskope SASE solution.

Netskope SASE provides two IP addresses to which you connect, so the configuration below builds one redundant tunnel with two peers.

Netskope inspects traffic on TCP port 80 and TCP port 443 only. All other services are excluded from the VPN community (see step 5 of the Procedure) and are routed normally.

Users who cannot create a "Specific Proxy" for Netskope can instead configure a redundant VPN tunnel, as this article describes.

Recommendations

1. If other VPN tunnels terminate on the same Check Point VPN Gateway, make sure that the VPN domain of each of those peers is configured correctly. The Netskope encryption domain built below is "All_Internet" minus a bypass group, so any remote VPN domain that is not listed in the bypass group overlaps the Netskope domain.

2. If the Check Point VPN peer is a ClusterXL, a Maestro Security Group, or a Scalable Chassis Security Group, the VPN domain must not contain the Synchronization network. For Scalable Platforms (Maestro and Chassis), the IP addresses of the Sync networks are 192.0.2.0/24 and 198.51.0.0/16.

Procedure

1. Create a Group object (in our example, the object name is "netskope_remote_enc_dom_bypass") and add these:

A. Internal networks behind the Check Point Security Gateway

B. All remote VPN domains

C. All public IP addresses of VPN peers


D. All IP addresses that need to bypass the Netskope inspection

E. All public IP addresses that do not send traffic through the VPN tunnel

F. IP addresses of Synchronization networks of a ClusterXL, Maestro Security Group, or a Scalable Chassis Security Group

2. Create a Group for remote VPN domain for Netskope (in our example, the object name is "netskope_remote_enc_dom_inspect") and add the predefined object
"All_Internet"

3. Create a Group with Exclusion (in our example, the object name is "netskope_remote_enc_enc_domain") and add these:

A. The Group object "netskope_remote_enc_dom_inspect"

B. The Group object "netskope_remote_enc_dom_bypass"

4. Create two Interoperable Device objects (in our example, the object names are Netskope_Peer1 and Netskope_Peer2) with just a Public IP address. You configure the
VPN domain settings in the VPN Community object.

5. Create a Service Group (in our example, the object name is "NetskopeExcludedServices") for all UDP services and for all TCP services except 80 and 443:

TCP: 1-79, 81-442, 444-65535

UDP: 1-65535

6. Create and configure a Star VPN community:

A. Configure the Gateways:

a. In the Center Gateways section, add the Interoperable Device objects Netskope_Peer1 and Netskope_Peer2

Double-click each device > select User defined > select the Group "netskope_remote_enc_enc_domain" > click OK

b. In the Satellite Gateways section, add the Check Point Gateway

Double-click the Check Point Gateway object > select the Group object with the necessary networks to be routed through the VPN tunnel > click OK

B. Configure the Encrypted Traffic settings:

Clear the option "Accept all encrypted traffic"

C. Configure the Encryption settings:

1. Encryption Method - select IKEv2 only

2. In the Encryption Suite section, select Custom encryption suite

3. For IKE Security Association (Phase 1):

A. Encryption Algorithm - AES-256

B. Data Integrity - SHA256

C. Diffie-Hellman group - Group 14 (2048 bit)

4. For IKE Security Association (Phase 2):

A. Encryption Algorithm - AES-256


B. Data Integrity - SHA256

5. In the More section:

A. For IKE Security Association (Phase 1):

Clear Use aggressive mode

B. For IKE Security Association (Phase 2):

Select Perfect Forward Secrecy

In the Diffie-Hellman group, select Group 14 (2048 bit)


D. Configure the Tunnel Management settings:

A. Select Set Permanent Tunnels

B. Select On all tunnels in the community

C. Select One VPN tunnel per Gateway pair

E. Configure the VPN Routing settings:

Select To center only

F. Configure the MEP settings:

A. Select Enable center gateways as MEP

B. Select Manually set priority list

C. Click the Set button

D. Configure the priorities based on your location (do not configure the Satellite Gateways)
G. Configure the Excluded Services:

Select the Service Group object "NetskopeExcludedServices"

H. Configure the Shared Secret settings:

A. Select Use only the Shared Secret for all external members

B. Add the PSK for each peer

I. Skip Wire Mode section

J. Configure the Advanced settings:

A. In IKE (Phase 1), set "Renegotiate IKE security associations every" to 480 minutes

B. In IPsec (Phase 2), set "Renegotiate IPsec security associations every" to 7200 seconds

C. Select Disable NAT inside the VPN community

K. Click OK to save the VPN community object.

7. Enable Dead Peer Detection (DPD) on the Check Point object and on both Netskope peer objects:

A. Close all SmartConsole windows.

Verify that no SmartConsole clients are still connected by running the "cpstat mg" command on the Security Management Server (on a Multi-Domain Server, in the context of each Domain Management Server).

B. Connect with Database Tool (GuiDBedit Tool) to the Security Management Server / Domain Management Server.

C. In the upper left pane, go to Table > Network Objects > network_objects.

D. In the upper right pane, select the Check Point Security Gateway / Cluster object.

E. Press CTRL+F (or go to Search menu > Find) > paste tunnel_keepalive_method > click Find Next.

F. In the lower pane, right-click on the tunnel_keepalive_method > select Edit > select "dpd" > click OK.

G. In the upper right pane, select the Interoperable Device object Netskope_Peer1.

H. Press CTRL+F (or go to Search menu > Find) > paste tunnel_keepalive_method > click Find Next.

I. In the lower pane, right-click on the tunnel_keepalive_method > select Edit > select "dpd" > click OK.

J. In the upper right pane, select the Interoperable Device object Netskope_Peer2.

K. Press CTRL+F (or go to Search menu > Find) > paste tunnel_keepalive_method > click Find Next.

L. In the lower pane, right-click on the tunnel_keepalive_method > select Edit > select "dpd" > click OK.

M. Save the changes: go to the File menu > click Save All.

N. Close the Database Tool (GuiDBedit Tool).

8. Connect with SmartConsole to the Security Management Server / Domain Management Server.

9. Configure the applicable Access Control rules

10. Install the Access Control Policy
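The following Python script is an added example, not part of the Check Point article and not Check Point code. It simulates the objects built in steps 1, 3 and 5 of the procedure (the bypass group, the Group with Exclusion "All_Internet minus bypass", and the excluded-services group), so that you can check which flows the Netskope tunnel will carry before you install policy. All addresses in it are constructed placeholders: 10.1.0.0/16 stands for the internal network, 10.2.0.0/16 and 203.0.113.10 for another VPN peer and its domain, 198.51.100.50 for a host that must bypass Netskope inspection, and 192.0.2.0/24 for the Maestro Sync network mentioned in Recommendation 2.

```python
"""
Added example (not from the Check Point article): simulate the Netskope
encryption domain and the excluded-services group from the procedure.
All addresses are constructed sample values, not real Netskope endpoints.
"""
from ipaddress import ip_address, ip_network

ALL_INTERNET = ip_network("0.0.0.0/0")   # step 2: predefined object "All_Internet"

# Step 1: the "netskope_remote_enc_dom_bypass" group (sample values).
BYPASS_GROUP = [
    ip_network("10.1.0.0/16"),        # A. internal networks behind the gateway
    ip_network("10.2.0.0/16"),        # B. remote VPN domain of another peer
    ip_network("203.0.113.10/32"),    # C. public IP of that other VPN peer
    ip_network("198.51.100.50/32"),   # D. host that must bypass Netskope inspection
    ip_network("192.0.2.0/24"),       # F. Maestro / Chassis Sync network
]


def excluded_tcp_ranges(inspected_ports=(80, 443)):
    """Step 5: TCP port ranges that Netskope does NOT inspect, i.e. the
    complement of the inspected ports over 1-65535."""
    ranges, start = [], 1
    for port in sorted(inspected_ports):
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= 65535:
        ranges.append((start, 65535))
    return ranges


def in_encryption_domain(dst):
    """Step 3: Group with Exclusion = All_Internet minus the bypass group."""
    addr = ip_address(dst)
    return addr in ALL_INTERNET and not any(addr in net for net in BYPASS_GROUP)


def is_excluded_service(proto, port):
    """Step 5 / 6G: the excluded service group holds every UDP port and every
    TCP port except 80 and 443. It lists only TCP and UDP, so other IP
    protocols are not excluded by it."""
    if proto == "udp":
        return 1 <= port <= 65535
    if proto == "tcp":
        return any(lo <= port <= hi for lo, hi in excluded_tcp_ranges())
    return False


def tunneled(dst, proto, port):
    """True when the flow is sent through the Netskope VPN tunnel."""
    return in_encryption_domain(dst) and not is_excluded_service(proto, port)


def missing_from_bypass(required):
    """Recommendation 2 / step 1F: report networks (given as strings) that the
    bypass group does not fully cover, e.g. a forgotten Sync network."""
    return [
        net for net in required
        if not any(ip_network(net).subnet_of(b) for b in BYPASS_GROUP)
    ]


if __name__ == "__main__":
    print("excluded TCP ranges:", excluded_tcp_ranges())
    samples = [
        ("93.184.216.34", "tcp", 443),   # Internet HTTPS -> tunnel
        ("93.184.216.34", "tcp", 22),    # Internet SSH   -> excluded service
        ("93.184.216.34", "udp", 53),    # Internet DNS   -> excluded service
        ("10.1.5.5", "tcp", 443),        # internal       -> bypass group
        ("192.0.2.7", "tcp", 80),        # Sync network   -> bypass group
        ("203.0.113.10", "tcp", 443),    # other VPN peer -> bypass group
    ]
    for dst, proto, port in samples:
        print(f"{dst:>15} {proto}/{port:<5} tunneled={tunneled(dst, proto, port)}")
    print("missing from bypass:", missing_from_bypass(["192.0.2.0/24", "172.16.0.0/24"]))
```

Running the script lists which of the constructed flows the tunnel carries; the last line shows how an omitted network (here 172.16.0.0/24) is reported, which is the check to run for the Sync network of a cluster or Maestro Security Group before installing policy.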

©1994-2023 Check Point Software Technologies Ltd. All rights reserved.