the_rock
Legend

Harmony SASE lab doc

Hey guys,

I attached a lab doc that my colleague and I are working on for a customer for Harmony SASE. It's not 100% complete yet, since we need to do more BGP testing, but I hope it can help others.


Andy

4 Replies
the_rock
Legend

Something important to consider... if you are doing BGP through the tunnel, here is the key. So the router ID can be, say, 169.254.241.1 (like our lab) and then you create 2 peers, say with IPs 169.254.240.254 and 169.254.241.254, as that lets you use them for redundant tunnels. I attached what I mean.

Andy

the_rock
Legend

Also, overlay can be used instead of loopback, so if the router ID is 169.254.241.1, peers can be, say, 169.254.100.254 and 200.254; that works fine. For some reason, though the tunnels are up, on the CP side they don't show as permanent, just regular, so we will look into it.

Andy

0 Kudos
the_rock
Legend

Hey guys,

Wanted to update with something else my colleague and I discovered. So, I will give an example we used, and this is with numbered VTIs, since we did not want to spend too much time troubleshooting why unnumbered did not work, plus we are not even sure it's supported 🙂

Example for redundant tunnels (you need the advanced license to do this, since the basic one only allows single tunnels for 1 POP, not 2 or more). Btw, since SD-WAN is not supported with this yet, load balancing the traffic among the multiple ISP links is not really an option, but from what we tested, all else seems to work fine.

loopback interface:

router ID 169.254.241.1

local as 65000

remote as 65001

peer 1 -> 169.254.100.254

peer 2 -> 169.254.200.254

fw1:

vti 1 -> 169.254.100.2

vti 2 -> 169.254.200.2

vip 169.254.100.1 and 169.254.200.1

fw2:

vti 1 -> 169.254.100.3

vti 2 -> 169.254.200.3

vip 169.254.100.1 and 200.1 (same as fw1)

overlay ID:

same settings, except in the SASE portal you would use, for tunnel 1, the SASE IP 169.254.100.254 and local IP 169.254.100.1 (200.254 and 200.1 for tunnel 2)

If using the loopback interface method, then you would use, say, 169.254.241.1 and say .254 for SASE for tunnel 1, and then, say, 240.1 and 240.254 for tunnel 2 (like what I had in the document)

Now, here is the catch. If using the OVERLAY ID method, tunnels will show as PERMANENT from SASE, but not from Check Point, which is not a big deal, as BGP is exchanged and it's constantly checking the loopback IP anyway. Plus, they are set as permanent tunnels in the community; they just show as regular in SV monitor. If you use the loopback interface method, they show as permanent.

The difference is, if using overlay ID, the tunnel is terminated on the tunnel interface rather than the loopback one.

This is somewhat similar for FortiSASE (Fortinet solution) and Prisma (PAN SASE), and Aruba Axis is definitely a simpler setup, as it uses the connectors method. I assume it's the same for Cisco Connect, but since I have never seen it, I can't really say 🙂

If anything else comes to mind and we end up testing it, I will update.

Best,

Andy

0 Kudos
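The addressing plan in the post above (router ID, two SASE peers, per-member VTIs and shared cluster VIPs) is easy to get subtly wrong, so here is an added sanity-check script, not from the original post or from Check Point, that models the overlay ID plan with the post's values and flags inconsistencies (VTI or VIP outside its peer's /24, an address reused across tunnels or clashing with the router ID, fewer than two distinct peers); the /24 per tunnel is an assumption, and `surviving_peers` just shows which BGP peer remains when a tunnel is down.

```python
import ipaddress
from dataclasses import dataclass

# Values constructed from the addressing plan in the post (overlay ID method).
ROUTER_ID = "169.254.241.1"
LOCAL_AS, REMOTE_AS = 65000, 65001

@dataclass
class Tunnel:
    name: str
    sase_peer: str        # SASE-side tunnel address, also the BGP peer
    vip: str              # cluster VIP used as the local tunnel address
    members: dict         # per-member VTI address, e.g. {"fw1": "...", "fw2": "..."}

OVERLAY_PLAN = [
    Tunnel("tunnel1", "169.254.100.254", "169.254.100.1",
           {"fw1": "169.254.100.2", "fw2": "169.254.100.3"}),
    Tunnel("tunnel2", "169.254.200.254", "169.254.200.1",
           {"fw1": "169.254.200.2", "fw2": "169.254.200.3"}),
]

def same_subnet(a, b, prefix=24):
    """Assumption: every tunnel uses one /24 for peer, VIP and member VTIs."""
    net = lambda ip: ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return net(a) == net(b)

def validate_plan(plan, router_id=ROUTER_ID):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, used = [], {router_id: "router-id"}
    for t in plan:
        labelled = [("vip", t.vip)] + list(t.members.items())
        for label, addr in labelled:
            if not same_subnet(addr, t.sase_peer):
                problems.append(f"{t.name}/{label}: {addr} not in same /24 as peer {t.sase_peer}")
            if addr in used:                       # catches clashes with router ID too
                problems.append(f"{t.name}/{label}: {addr} already used by {used[addr]}")
            used[addr] = f"{t.name}/{label}"
    if len({t.sase_peer for t in plan}) < 2:
        problems.append("redundant tunnels need at least two distinct SASE peers")
    return problems

def surviving_peers(plan, down):
    """BGP peers still reachable when the tunnels named in `down` are lost."""
    return [t.sase_peer for t in plan if t.name not in down]

if __name__ == "__main__":
    print(validate_plan(OVERLAY_PLAN) or "plan OK")
    print("peers left with tunnel1 down:", surviving_peers(OVERLAY_PLAN, {"tunnel1"}))
```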
the_rock
Legend

Another quick update... failover works well; we also tested "downing" both ISPs (one at a time, of course :-) ) and that went fine as well. The P81 agent was able to access all it was supposed to.

Andy

0 Kudos