More Q&A
What about the BGP ASN? Should we leave it at the default value?
Default is just fine (private scope ASN per RFC), unless the organization has a public registered ASN they wish to use.
Is it possible to set more than one vCPU for SecureXL with R80.20?
You are probably referring to the coupling of 1 NIC to 1 CPU. In R80.20 this should be much better.
Are there plans to support the same automated deployment functionality in other tools such as Terraform?
Not at the moment.
AWS limits their VPC VPNs to 1.25 gig bandwidth. Have you seen this limitation become a problem for users since traffic has to traverse to the transit VPC over that to reach another VPC?
In large-scale environments, or in the case of especially throughput-intensive spoke VPCs, this could be an issue. The solution we recommend is to deploy a Check Point gateway instead of the managed VPN gateway on the spokes using the new c5 instances, which we will support in the near future.
Does the "automation" you guys are referring to encompass the addition/removal of spoke VPCs?
Yes, it includes automation for all aspects of maintenance of the IPsec mesh.
Will this connect in the same way as my current network to my Splunk SIEM for monitoring?
Yes, with Log Exporter. See the Log Exporter guide.
What is the impact of the route based VPN in AWS on R80.20 on CoreXL and SecureXL?
Starting with R80.10, IPsec is optimized on multi core setups. Starting with R80.20, it includes SecureXL enhancements for better acceleration. The impact is not significant, and with c5 instances, it will be minimal.
Where is the max number of supported spoke VPCs documented? 35 was just mentioned.
Technically, there is no limitation in code. Up to 35 spokes is the recommended number of VPCs we've certified with average common throughput requirements.
Do the improvements to the API also encompass all common configuration items within IPsec VPNs, such as the DH group for phase 2, as this is not currently supported?
This is in the roadmap.
Another question related to security: which kinds of methods are used to inspect the encrypted traffic inside the IPsec VPN?
Since we're terminating the IPsec tunnel on a Check Point gateway, we can inspect it with deep packet inspection, HTTPS Inspection, IPS, Anti-Bot, Anti-Virus, Application Control, URL Filtering, zero-day protection, and more. Essentially every security engine a Check Point gateway provides.
Is each gateway in the hub a member of an AutoScaling group with 1 instance?
No, the solution is not deployed as an autoscaling group. Autoscaling support will be added in the future (Check Point autoscaling, not referring to AWS standard autoscaling, which does not support IPsec).
Is it possible to delete Datacenter objects automatically in SmartDashboard after the object was deleted in AWS? How can I find deleted Datacenter objects in SmartDashboard (like unused objects)?
When you delete the object in AWS, it will be marked as "deleted on server", but it won't automatically be deleted from the policy. Of course, you can delete it manually. The way to identify those objects is to view the info of the datacenter object, which will reflect that it is deleted on the server.
sk120534 no longer specifies to use conditional matches for traffic to VPCs within the firewall policy, but sk100726 still states to use conditional matches. Which approach is correct?
In both SKs, there is an explanation of how to use the "VPN Directional Match in VPN Column."
Are the scripts responsible for deployment of the AWS VPC VPN Gateways, as well as the BGP config, located on the CP management server?
Yes.
Can datacenter objects be imported from multiple AWS accounts?
Yes.
Can it be done through a single cross-account IAM role?
Yes, with the sts:AssumeRole permission.
MDM is not supported yet. Is this a technical problem, or will it be considered later?
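The two policy documents behind the cross-account answer above, as an added illustration (not Check Point's own documentation or code): the role in the spoke account trusts only the identity used by the management server and is additionally gated on an ExternalId, which is the standard AWS mitigation against the confused-deputy problem, and the management-side identity is granted sts:AssumeRole on that one role only. Both documents are bundled into a single object for readability; the account IDs, the role name CheckPointDatacenterReader and the ExternalId value are placeholders, and the read-only permissions the role itself needs for importing Datacenter objects are not shown here because the page does not list them.

```json
{
  "trust_policy_in_spoke_account_222222222222": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::111111111111:role/CheckPointManagementIdentity"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "sts:ExternalId": "EXTERNAL-ID-PLACEHOLDER"
          }
        }
      }
    ]
  },
  "permissions_policy_on_management_identity_in_account_111111111111": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::222222222222:role/CheckPointDatacenterReader"
      }
    ]
  }
}
```

Keeping the Resource element scoped to the exact role ARN, rather than "*", means a compromised management-side credential cannot pivot into any other role that happens to trust that account; the ExternalId condition protects the spoke account in the other direction, so that the role cannot be assumed by a third party who merely knows the role ARN.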
MDM on-premise is supported. MDM on AWS is planned.