Configuring Site-To-Site VPN Between a Check Point Gateway and Netskope
Solution ID sk179920
Technical Level
Solution
Introduction
This article describes best practices for configuring a Site-to-Site VPN between a Check Point Security Gateway R80.40 or higher and Netskope SASE solution.
Netskope can inspect traffic over the TCP port 80 and the TCP port 443.
Users who cannot create a "Specific Proxy" for Netskope can instead configure a redundant VPN tunnel, as this article describes.
Recommendations
1. If other VPN tunnels terminate on the same Check Point VPN Gateway, make sure that the VPN domain of each of those other peers is configured correctly
2. If the Check Point VPN peer is a ClusterXL, a Maestro Security Group, or a Scalable Chassis Security Group, then the VPN domain must not contain the Synchronization network. For Scalable Platforms (Maestro and Chassis), the IP addresses of the Sync networks are 192.0.2.0/24 and 198.51.0.0/16
Procedure
1. Create a Group object (in our example, the object name is "netskope_remote_enc_dom_bypass") and add these:
E. All public IP addresses that do not send traffic through the VPN tunnel
F. IP addresses of Synchronization networks of a ClusterXL, Maestro Security Group, or a Scalable Chassis Security Group
2. Create a Group for the remote VPN domain for Netskope (in our example, the object name is "netskope_remote_enc_dom_inspect") and add the predefined object "All_Internet"
3. Create a Group with Exclusion (in our example, the object name is "netskope_remote_enc_enc_domain") and add these:
4. Create two Interoperable Device objects (in our example, the object names are Netskope_Peer1 and Netskope_Peer2) with just a Public IP address. You configure the VPN domain settings in the VPN Community object.
5. Create a Service Group (in our example, the object name is "NetskopeExcludedServices") for the required UDP services and TCP services, except 80 and 443:
UDP: 1-65535
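The objects in steps 1 to 3 and 5 together decide which flows enter the Netskope tunnel: a destination has to fall inside the Group with Exclusion (All_Internet minus the bypass group) and the service must not be in the excluded-services group. The following Python model, added here as an illustration and not Check Point or Netskope code, reproduces that decision offline so you can sanity-check the object definitions before building them in SmartConsole, including the check from Recommendation 2 that no Sync network overlaps the VPN domain. Object names mirror the article's examples; the bypass address 203.0.113.10 and the test flows are constructed sample values, and treating every non-TCP-80/443 flow as excluded is an assumption drawn from the statement that Netskope inspects only those two ports.

```python
"""
Model of the encryption-domain and excluded-services objects described in
steps 1-3 and 5, checked against Recommendation 2.
Added illustration only: not Check Point or Netskope code, and it does not
talk to a gateway. Object names mirror the article's examples; the bypass
addresses used below are constructed sample values.
"""
import ipaddress
from typing import Iterable, List

IPNet = ipaddress.IPv4Network

# The predefined "All_Internet" object, modelled as the whole IPv4 space.
ALL_INTERNET = [IPNet("0.0.0.0/0")]

# Sync networks of Scalable Platforms, as listed in Recommendation 2.
SYNC_NETWORKS = [IPNet("192.0.2.0/24"), IPNet("198.51.0.0/16")]

# Only TCP 80 and 443 are inspected by Netskope; every UDP port and every
# other TCP port belongs to the "NetskopeExcludedServices" group.
INSPECTED_TCP_PORTS = {80, 443}


def build_remote_enc_domain(bypass_public_ips: Iterable[str],
                            sync_networks: Iterable[IPNet] = tuple(SYNC_NETWORKS)) -> List[IPNet]:
    """Emulates the Group with Exclusion "netskope_remote_enc_enc_domain":
    All_Internet minus "netskope_remote_enc_dom_bypass" (public addresses that
    must not be tunnelled plus the cluster Sync networks). Returns the
    networks that remain, i.e. the effective remote VPN domain."""
    excluded = [IPNet(s) for s in bypass_public_ips] + list(sync_networks)
    remaining = list(ALL_INTERNET)
    for ex in excluded:
        carved = []
        for net in remaining:
            if ex.subnet_of(net):
                # address_exclude yields the parts of net outside ex
                # (nothing at all when ex == net).
                carved.extend(net.address_exclude(ex))
            elif net.subnet_of(ex):
                continue  # net lies entirely inside the exclusion: drop it
            else:
                carved.append(net)  # disjoint: keep untouched
        remaining = carved
    return sorted(remaining)


def in_enc_domain(ip: str, domain: List[IPNet]) -> bool:
    """True when the destination address falls inside the remote VPN domain."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in domain)


def is_excluded_service(proto: str, dport: int) -> bool:
    """True when the flow matches "NetskopeExcludedServices" and therefore must
    not be sent through the tunnel. Protocols other than TCP are treated as
    excluded (assumption: Netskope inspects only TCP 80/443)."""
    if not 1 <= dport <= 65535:
        raise ValueError(f"port out of range: {dport}")
    return not (proto.lower() == "tcp" and dport in INSPECTED_TCP_PORTS)


def goes_through_tunnel(dst_ip: str, proto: str, dport: int, domain: List[IPNet]) -> bool:
    """Combined decision: tunnelled only if the destination is in the VPN
    domain and the service is one Netskope inspects."""
    return in_enc_domain(dst_ip, domain) and not is_excluded_service(proto, dport)


def sync_networks_outside_domain(domain: List[IPNet]) -> bool:
    """Recommendation 2: no Sync network may overlap the VPN domain, otherwise
    cluster state-sync traffic would be pulled into the tunnel."""
    return not any(sync.overlaps(net) for sync in SYNC_NETWORKS for net in domain)


if __name__ == "__main__":
    # Constructed sample: one public host that must bypass the tunnel.
    domain = build_remote_enc_domain(["203.0.113.10/32"])
    print(f"{len(domain)} networks in the effective remote VPN domain")
    print("Sync networks kept out of the domain:", sync_networks_outside_domain(domain))
    for flow in [("203.0.113.99", "tcp", 443), ("203.0.113.99", "tcp", 22),
                 ("203.0.113.99", "udp", 53), ("203.0.113.10", "tcp", 443)]:
        print(flow, "-> tunnel" if goes_through_tunnel(*flow, domain) else "-> direct")
```

Run the file directly to see the decisions for the sample flows; `sync_networks_outside_domain` returns False for a domain built without the Sync networks in the bypass group, which is exactly the misconfiguration Recommendation 2 warns about.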
a. In the Center Gateways section, add the Interoperable Device objects Netskope_Peer1 and Netskope_Peer2
Double-click each device > select User defined > select the Group "netskope_remote_enc_enc_domain" > click OK
Double-click the Check Point Gateway object > select the Group object with the necessary networks to be routed through the VPN tunnel > click OK
E. Configure the VPN Routing settings:
D. Configure the priorities based on your location (do not configure the Satellite Gateways
Example:
G. Configure the Excluded Services:
A. Select Use only the Shared Secret for all external members
K. Click OK to save the VPN community object.
Verify by running the "cpstat mg" command on the Security Management Server, or in the context of each Domain Management Server.
B. Connect with Database Tool (GuiDBedit Tool) to the Security Management Server / Domain Management Server.
C. In the upper left pane, go to Table > Network Objects > network_objects.
D. In the upper right pane, select the Check Point Security Gateway / Cluster object.
E. Press CTRL+F (or go to Search menu > Find) > paste tunnel_keepalive_method > click Find Next.
F. In the lower pane, right-click on the tunnel_keepalive_method > select Edit > select "dpd" > click OK.
G. In the upper right pane, select the Interoperable Device object Netskope_Peer1.
H. Press CTRL+F (or go to Search menu > Find) > paste tunnel_keepalive_method > click Find Next.
I. In the lower pane, right-click on the tunnel_keepalive_method > select Edit > select "dpd" > click OK.
J. In the upper right pane, select the Interoperable Device object Netskope_Peer2.
K. Press CTRL+F (or go to Search menu > Find) > paste tunnel_keepalive_method > click Find Next.
L. In the lower pane, right-click on the tunnel_keepalive_method > select Edit > select "dpd" > click OK.
M. Save the changes: go to the File menu > click Save All.
8. Connect with SmartConsole to the Security Management Server / Domain Management Server.