| # |
Question |
Answer |
| 1 |
What is the range of the 'set AS', and should it be different for each site connection to the same cloud tenant? |
the range is 64512–65534
no - the same AS will be set for all connections with the same AWS Virtual Private Gateway |
| 2 |
How will you handle dual ISP for on-prem? |
AWS doesn't allow configuring of the 'Customer Gateway' with multiple external interfaces.
In order to achieve redundancy in the Checkpoint Side, you can configure them in AWS console as 2 separate objects of 'Customer Gateway'. |
| 3 |
Do we need to open or allow any communication port on both the on-prem or AWS side to allow the communication? |
You will need to connect to your account on the cloud via CloudGuard controller. (By creating the datacenter object on the Management server and connecting successfully). |
| 4 |
Are you going to do VWAN in Azure? It's very different, and we are having issues ........ |
Azure VWAN also supported |
| 5 |
What is the default type of IKE version - 1 or 2, from the AWS site? |
IKEv1 |
| 6 |
Will the recording session be available for users like me? |
It will be available on Checkmates. |
| 7 |
Also, a cluster with dual isp? |
the same solution for clusters with multiple public IPs - the AWS side is familiar only with the external VIP |
| 8 |
What about ports or communication to allow for eg, ike ipsec bgp at on-prem or cloud security on aWS? |
Once you enable the VPN blade on the Security Gateway object, all the required VPN-related rules (IKE/IPsec) will be configured automatically. |
| 9 |
Will this be available for ClusterXL? |
Yes, the feature is also supported on ClusterXL environments. |
| 10 |
Can we have the recording later? |
Sure. It will be available on Checkmates |
| 11 |
Is VPN Link Selection configured automatically if your main IP is not your external IP? |
No, since we didn't want to change the global configuration of the gateway and affect other VPN connections.
But as you know, the first section of the Link Selection, "IP Selection by the remote peer" is not relevant since the remote side is a third-party device and
it will no fetch our configuration - it will choose our external ip as this is the only IP configure as the external interface of the 'Customer Gateway' AWS object |
| 12 |
Will this also be posted as an SK article? |
It will be posted on CheckMates |
| 13 |
Does checkpoint have any provision for monitoring BGP or integration with monitoring tools |
currently only via Clish, but in the near future, we will introduce a new modern Dynamic Routing manager |
| 14 |
Did this create the VTIs also? |
Yes. The VTIs are created automatically |
| 15 |
Is VPN to AWS TGW supported? |
We are planning to add TGW support as part of the R82 majior release. |
| 16 |
Route redistribution is recommended only for the simplest of requirements. Route maps are infinitely preferred. |
You are right
In this session, we focus on the VPN settings and configuration and show the new capabilities of our automation process |
| 17 |
Will it also automatically create inbound BGP filters? |
yes |
| 18 |
Management must be R82? |
The feature is supported starting from R81.20. So the Management must be R81.20 or higher |
| 19 |
And if one of them is dynamic (i.e., 4G) |
live answered |
| 20 |
What about VPN with 3rd parties who will obviously not provide access to their cloud environment?
Is it possible to manually import the AWS VPN config file to CP management? |
At the moment, we do not have the ability to parse configuration files from any external platform for security reasons.
Also, when working with files, we will not be able to detect changes and keep the tunnel up-to-date. |
| 21 |
What will happen with the VPN if the connectivity to the Data Center objects goes down or if the Data Center objects get deleted? |
The connectivity of the data center doesn't affect the connectivity of the tunnel itself.
The VPN tunnel will remain up as long as the VPN Gateway in the cloud is still up and accessible. |
| 22 |
Are there any limitations on this relating to Maestro setups at all? |
live answered |
| 23 |
If I have a smart console that runs r82, can I use SMB appliances? |
Is it a centrally managed SMB? |
| 24 |
What is the version of this SMS? Can you show the VTIs after they were created automatically? |
The feature is supported in R81.20 and higher. Shay will show them in a moment. |
| 25 |
can you use ecmp on bgp configuration? |
Yes, you can! |
| 26 |
Will this work with an Azure vWAN hub VNG or just standalone? |
VPN Gateway in vWAN is supported as well. |
| 27 |
Does gcp use public IPs for creating the VPN connection? |
Yes |
| 28 |
Can BGP establish an md5 secret key in this scenario? |
No. Currently, this is not supported by the cloud vendors for the VPN gateways. |
| 29 |
Is BGP a requirement for this to work? Would static routing also work with the same method? |
Currently, only Route-Based VPN is supported with our new feature, as this is the most common use case when working with cloud vendors.
A note, even with static-routing, the 2 sides should have VTIs as well. |
| 30 |
Can we use static routing instead of BGP? |
Currently, only Route-Based VPN is supported. However, you can manually add a static route via the VTI instead of using the BGP configuration. |
| 31 |
Can the VTI names be edited to be more descriptive? |
Yes, but it's not recommended. |
| 32 |
Why not Star Community? |
You can use the feature on the Star community |
| 33 |
who will fetch all these encryption-related parameters from the cloud service: smart console or mgmt server? is it possible via proxy? |
mgmt server, yes, proxy is supported |
| 34 |
Is it going to be integrated into the Terraform provider and the API collection as of the R82 release? |
We have no plans to integrate the feature into Terraform for now. |
| 35 |
in the case of a cluster, will VTIs also be created on the members and on the cluster object? What happens with the /30 range provided by the cloud "wizard"? |
our feature will create 2 vti member ips for each member and will create one "VIP" vti that, as you mention - will be the one provided by the AWS side |
| 36 |
let's say that on-prem and AWS have the same internal networks; how would you configure that? (NAT?) |
Generally, this is not a recommended setup for VPN environments due to possible spoofing and routing issues and, therefore, should be avoided. |
| 37 |
Thanks. Also, I just joined 5 minutes ago. Does this support Azure as well? |
Yes. AWS, Azure, and GCP are supported for now |
| 38 |
amazing job you did creating this fetch from the cloud datacenter object and creating the VPN! Hands clapping! |
Thanks |
| 39 |
what about DAIP gateway |
It's not supported on the cloud side and, therefore, not supported with this feature. |
| 40 |
Maybe not directly related to this feature, but i’ve noticed an option to configure “link selection” per VPN Community. Is this coming in R82? |
yes, this great feature will be introduced in R82 GA. |
| 41 |
In some documentation, Checkpoint recommends using the start community for route-based VPN. What's the big difference between them? |
In Star community, you can utilize the "Center" and "Satellite" roles to control how the VPN traffic is routed in that community. |
| 42 |
What is the maximum number of VTI interfaces supported in R81.20? |
The "Tunnel ID" field in the VTI configuration can be any integer number between 1-32767. In most Chcekpoint's Appliances, the maximum number of interfaces is 1024. |
| 43 |
is this available for Quantum Spark, and if so, is it possible to configure it when the Firewall is locally managed? |
Currently, the feature is not supported on SMB. |
| 44 |
Can I get a recording of this session, please? |
Sure. it will be posted on CheckMates |
| 45 |
Is it only support at R81.20? If yes, there is any chance for other versions? |
It's supported starting from MGMT R81.20 but for all GW running R80.40 and above. We have no plans to support previous versions for now. |
| 46 |
Do these tunnel configurations support dual-stack IPV6? |
IPv6 is currently not supported |
| 47 |
Will it be supported in R82? |
Yes. |
| 48 |
Full functionality on VSX |
Yes. |
| 49 |
I might have missed this, but is GCP Cloudguard MiG supported? |
Currently not. |
| 50 |
Recently, we had a lot of difficulties implementing the VPN between CP r81.20 with cisco ASA; even with case support from CP and hours of tshoot the tunnel didn't work, and we were forced to remove CP from the network and reinstall the old ASA to maintain VPN with another functional ASA, have you improved compatibility with other manufacturers, such as Cisco? |
The main goal of the feature is to provide a better user experience when connecting your on-prem to the public cloud by automating the configuration process based on the configuration that resides on the cloud side. |
| 51 |
Is there support for dynamic DNS? |
No, since Dynamic IP is not supported when connecting to the public cloud. |
| 52 |
Does R82 support pfs group 21? i know AWS VPN currently supports it
how does the automation deal with PH1/PH2 unsupported encryption parameters? |
yes, we will send a log |
| 53 |
Can you see any issue supporting this to a CloudGuard Azure VWAN environment? |
VPN Gateway in vWAN is supported as well. |
| 54 |
Will Oracle Cloud (OCI) be supported in a similar fashion in the future? |
Currently, we have no plans to support Oracle Cloud. |
| 55 |
Any thoughts on support for multiple sites? 2 on-prem locations, 2 cloud regions? |
yes, connecting our on-prem to 2 different cloud regions is supported and will be created automatically when the feature is running |
| 56 |
Can traffic leaving and entering the VPN at Azure be forced to route through a CloudGuard gateway to control what traffic uses the VPN? |
Yes but this is a different CloudGuard solution. |
| 57 |
Could this VPN have 2 Azure targets, say UK South and UK West, but prioritize UK South and only use UK West if UK South goes down or is not accessible? |
Yes, you just need to set up the VPN tunnels as Primary-Backup on the Azure side, and we will act accordingly. The Security Gateway will pass traffic to the active Azure endpoint based on the BGP decision. |
| 58 |
In R82, if the VPN goes down, will the Check Point try to update? |
If the configuration was updated on the cloud side, the changes will be fetched and applied automatically on the CheckPoint Gateway |
| 59 |
This looks to be for connecting my gateway to my own cloud. Do you see this process being used for S2S for third-party VPN connections to business partners? |
Currently, we have no plans to support automatic configuration against other business partners. |
| 60 |
Does the BGP as number matter? What if we have our own corporate BGP AS Number |
BGP settings are configured by you in the cloud, and therefore, you can use your own AS number. |
| 61 |
Are the routes for both tunnels equal cost, or does it create a local preference? |
They are equal, and they are both connected. The remote side will choose through which of them it will advertise the BGP routes, and we will react accordingly.
Anyway, traffic can be asymmetric if it is returned through the second tunnel, and it is also supported. |
| 62 |
In what version is the automation of creating VTI and other settings supported? |
Starting from R81.20 |
| 63 |
How does the API create interfaces in the Cluster environment?
Normally, AWS provides only 1 IP from network 169 (APIPA) to the customer to create the route-based VPN,
and when the environment is in a cluster, the customer needs to create the other 2 IPs manually for network 169 (APIPA). |
It was a challenging task, but we managed to automate this step as well!
our feature will create 2 vti member ips for each member and will create one "VIP" vti that, as you mention - will be the one provided by the AWS side |
| 64 |
Is this supported on vsx cluster as well? |
Yes, it is supported |
| 65 |
What gateway version os supported |
Any gateway version |
| 66 |
when you manually configure BGP, all learned routes are restricted as well. Route maps or inbound-route filters need to be created to accept the learned routes.
I'm just wondering how the routes get learned right away. |
At the moment, the route map should still be configured manually for security reasons. In the next release, we will have the ability to manage the dynamic routes in a new modern UI component. |
| 67 |
Does the procedure automatically create the vpnt interfaces on Gaia OS? |
Yes |
| 68 |
Do we use VTI? Is the VTI configured directly on the gateway via API? Cluster is supported? |
Yes, VTIs are automatically created.
Cluster is supported. |
| 69 |
Is the inbound route filter wide open, though? I think it's restricted by default (for learning the CSP routes) |
it is restricted to a specific remote ASN |
| 70 |
Is bgp required for this feature? Will it not work with static routes? |
At this milestone, we are fetching the BGP configuration as part of the process, as this is the default and the best practice method when working with most of the cloud vendors.
In the near future, we will have the ability to work with static routes via VTIs |
| 71 |
In Azure, is there any restriction on the IKE/IPsec policy if the customer is using custom? Or do we need to stay with Default? |
You can use custom settings |
| 72 |
How much more work is involved if x.509 certs are used instead of PSK? |
Certificated-based authentication is not supported at this stage. |
