| # | Question | Answer |
|---|----------|--------|
| 1 | What is the range of the 'set AS', and should it be different for each site connection to the same cloud tenant? | AS range for private use is 64512–65534. No - the same AS will be set for all connections with the same AWS Virtual Private Gateway. |
| 2 | How will you handle dual ISP for on-prem? | AWS/Azure doesn't allow configuring the 'Customer Gateway' with multiple external interfaces. To achieve redundancy on the Check Point side you can configure them in the AWS console as two separate objects of 'Customer Gateway'. |
| 3 | Do we need to open or allow any communication port on both the on-prem or AWS side to allow the communication? | You will need to connect to your account on the cloud via the CloudGuard controller (HTTPS), by creating the datacenter object on the Management server. |
| 4 | Is Azure vWan VPN GW supported? | Azure vWAN is also supported. |
| 5 | What is the default type of IKE version - 1 or 2, from the AWS site? | IKEv1 |
| 6 | Is a cluster with dual ISP supported? | The same solution as for a cluster with multiple public IPs - the AWS side is familiar only with the external VIPs. |
| 7 | What about ports or communication to allow, e.g. IKE, IPsec, BGP, at on-prem or cloud security on AWS? | Once you enable the VPN blade on the Security Gateway object, all the required VPN-related rules (IKE/IPsec) will be configured automatically. |
| 8 | Will this be available for ClusterXL? | Yes, the feature is also supported on ClusterXL environments. |
| 9 | Is VPN Link Selection configured automatically if your primary IP is not your external IP? | No, since we didn't want to change the gateway's global configuration and affect other VPN connections. But as you know, the first section of the Link Selection, "IP Selection by the remote peer," is not relevant since the remote side is a third-party device, and it will not fetch our configuration - it will choose our external IP, as this is the only IP configured as the external interface of the 'Customer Gateway' AWS object. |
| 10 | Does Check Point have any provision for monitoring BGP or integration with monitoring tools? | Currently only via Clish, but in the near future we will introduce a new modern Dynamic Routing manager. |
| 11 | Did this create the VTIs also? | Yes. The VTIs are created automatically. |
| 12 | Is VPN to AWS TGW supported? | We are working on it and will release it soon. |
| 13 | Route redistribution is recommended only for the simplest of requirements. Route maps are infinitely preferred. | You are right. In this session, we focus on the VPN settings and configuration and show the new capabilities of our automation process. |
| 14 | Will it also automatically create inbound BGP filters? | Yes |
| 15 | Does the Check Point Management have to be R82? | The feature is supported starting from R81.20. So the Management must be R81.20 or higher. |
| 16 | What about VPN with 3rd parties who will obviously not provide access to their cloud environment? Is it possible to manually import the AWS VPN config file to CP management? | At the moment, we do not have the ability to parse configuration files from any external platform due to security reasons. Also, when working with files, we cannot detect changes and keep the tunnel up-to-date. |
| 17 | What will happen with the VPN if the connectivity to the Data Center objects goes down or if the Data Center objects get deleted? | The connectivity of the Datacenter doesn't affect the connectivity of the tunnel itself. The VPN tunnel will remain up if the VPN Gateway in the cloud is still up and accessible. |
| 18 | Do you use ECMP on BGP configuration? | Yes, you can! |
| 19 | Will this work with an Azure vWAN hub VNG or just standalone? | VPN Gateway in vWAN is supported as well. |
| 20 | Does GCP use public IPs for creating the VPN connection? | Yes |
| 21 | Is BGP a requirement for this to work? Would static routing also work with the same method? | Currently, only Route-Based VPN is supported with our new feature, as this is the most common use case when working with cloud vendors. Note that even with static routing, the two sides should have VTIs as well. |
| 22 | Can we use static routing instead of BGP? | Currently, only Route-Based VPN is supported. But you can manually add a static route via the VTI instead of using the BGP configuration. |
| 23 | Why not Star Community? | You can use the feature on the Star community. |
| 24 | Who will fetch all these encryption-related parameters from the cloud service: SmartConsole or Mgmt server? Is it possible via proxy? | Mgmt server; yes, proxy is supported. |
| 25 | Do these tunnel configurations support dual-stack IPv6? | IPv6 is currently not supported. |
| 26 | Full functionality on VSX? | Yes |
| 27 | I might have missed this, but is GCP CloudGuard MIG supported? | MIG/VMSS/ScaleSet do not support S2S VPN. |
| 28 | Does R82 support PFS group 21? I know AWS VPN currently supports it. How does the automation deal with PH1/PH2 unsupported encryption parameters? | Yes, we will send a log. |
| 29 | Are the routes for both tunnels equal in cost, or does it create a local preference? | They are equal, and they are both connected. The remote side will choose through which of them it will advertise the BGP routes, and we will react accordingly. Anyway, traffic can be asymmetric in case it is returned through the second tunnel, and this is also supported. |
| 30 | How does the API create interfaces in the Cluster environment? Normally AWS provides only 1 IP from network 169 (APIPA) to the customer to create the route-based VPN, and when the environment is in a cluster, the customer needs to create the other 2 IPs manually for network 169 (APIPA). | It was a challenging task, but we managed to automate this step as well! Our feature will create 2 VTI member IPs for each member and will create one "VIP" VTI that, as you mention, will be the one provided by the AWS side. |
| 31 | Is this supported on VSX cluster as well? | Yes, it is. |
| 32 | What Check Point gateway versions are supported? | Any gateway version. |
| 33 | Does the procedure automatically create the vpnt interfaces on Gaia OS? | Yes |
| 34 | Do we use VTI? Are the VTIs configured directly on the gateway via API? Is cluster supported? | Yes, VTIs are automatically created. Cluster is supported. |
| 35 | Is the inbound route filter wide open, though? I think it's restricted by default (for learning the CSP routes). | It's restricted for a specific remote ASN. |
| 36 | Is BGP required for this feature? Will it not work with static routes? | At this milestone, we are fetching the BGP configuration as part of the process, as this is the default and the best-practice method when working with most of the cloud vendors. In the near future we will have the ability to work with static routes via VTIs. |
| 37 | In Azure, any restriction on the IKE/IPsec policy if the customer is using custom? Or need to stay with Default? | You can use custom settings. |
| 38 | How much more work is involved if x.509 certs are used instead of PSK? | Certificate-based authentication is not supported at this stage. |