Deployment Notes

• These procedures assume that you are already logged into the Check Point Smart Dashboard interface. The configuration tasks in this topic use version R70.1. If you are using another version, options might vary.

• NAT-T cannot be enabled on the router/firewall device. The device must have an external routable IP address.

• This example procedure demonstrates the Check Point device in Traditional mode. Blue Coat performed limited testing in Simplified mode. You can elect to follow that procedure, which is provided in this KB article.

• Do not send Auth Connector traffic to the Web Security Service.

Prerequisite—Verify that the device is ready for configuration.

This procedure assumes that the Check Point device is already configured with the inside interface or group object with multiple inside interfaces and an outside interface that will communicate with the Web Security Service.

STEP 1—Enable traditional mode to all new firewall policies.

1. Select Policy > Global Properties. The device displays the Global Properties dialog.

a. Select VPN.

b. Select Traditional mode to all new Firewall Policies.

2. Click OK.

STEP 2—Create a new policy package.

You cannot convert any existing simplified policy to traditional; therefore, you must manually copy the rules.

Firewall/VPN Access Method Guide: Select a Firewall Device (PSK)

1. Select File > New. The device displays the New Policy Package dialog.

a. Name the new package (spaces are not valid in the name). For example, Blue Coat Threat Pulse.

b. Select Firewall and Address Translation.

c. (Optional) Select QoS (and its mode) and/or Desktop Security only if the previously configured simplified policy had these options enabled.

2. Click OK.

STEP 3—Define a Network object for internal IP address ranges.

1. Select the Network Objects panel.

2. Right-click the Networks menu item and select Network. The device displays the Network Properties dialog.

a. Name the object. For example, InternalNetwork1.

b. Enter the Network Address and Netmask for this internal network.

3. Click OK.

4. Repeat steps 2, 2a, and 2b for each additional existing internal network.

STEP 4—Define an Address Range as the entire Internet.

1. Right-click the Address Ranges menu item and select Address Ranges > Address Range. The device displays the Address Range Properties dialog.

a. Name the object. For example, TheInternet.

b. For the First IP address option, enter 0.0.0.0.

c. For the Last IP address option, enter 255.255.255.255.

2. Click OK.

STEP 5—For the Web Security Service VPN domain, create a Simple Group that includes the Internet range.

1. Right-click Groups and select Groups > Simple Group. The device displays the Group Properties dialog.

a. Name the group. For example, ThreatPulseVPN.

b. From the Not in Group list, select the Internet address object that you created in STEP 4.

c. Click Move.

2. Click OK.

STEP 6—Create a network node for the Auth Connector, which allows for user names in reports and policy creation.

1. Right-click Nodes and select Node > Host. The device displays the Host Node dialog.

a. Name the node. For example, BlueCoatAuthAgent.

b. Enter the IP Address of the domain controller where the Auth Connector application is installed.

2. Click OK.

STEP 7—Create a remote gateway for the Web Security Service.

1. Right-click Interoperable Devices and select Interoperable Device.

a. Name the gateway. For example, WestCoastOffice1. Keep in mind that you will be creating multiple gateways. Optional: For easy identification in the menu, select a Color for each location.

b. Enter the first Web Security Service IP Address (refer to your planning sheet).

2. Remaining in the Interoperable Device dialog, set the Topology to the domain configured in STEP 5.

a. Select Topology.

b. Select Manually defined and select the Web Security Service VPN domain that you created in STEP 5.

3. Clear the DES encryption key and add other Internet Key Exchanges (IKEs). The Web Security Service supports many combinations. See "Reference: IKE Encryption and Authentication Algorithms" on page 30.

a. Select VPN.

b. Click Traditional mode configuration. The device displays the Traditional Mode IKE Properties dialog.

c. Clear the DES key (which is enabled by default).

d. Select supported IKEs (such as 3DES, AES128, or AES256).

e. Select a hash.

f. Select the Pre-Shared Secret option.

g. Click Advanced. The device displays the Traditional Mode Advanced IKE Properties dialog.

h. Select supported Diffie-Hellman groups.

i. Set the Renegotiate IPsec (IKE Phase 2) Security Associations option to 120 seconds.

j. Click OK in each dialog.

4. Assign one VPN tunnel per gateway pair.

a. Select VPN > VPN Advanced.

b. Select Custom Settings.

c. Select One VPN tunnel per Gateway pair.

5. Repeat this master step (STEP 7) for each Web Security Service IP address listed in your planning sheet.

STEP 8—Create the Check Point gateway.

1. Right-click Check Point and select Security Gateway. The device displays the Check Point Gateway dialog.

This configuration task uses the Classic Mode.

2. On the General Properties page, specify the IPsec VPN.

a. On the Network Security tab, select IPSec VPN. This displays additional items in the left-side menu.

b. Name the gateway. For example, WebGateway4ThreatPulse.

c. Enter the internal network-side gateway IP Address.

3. Assign the internal network created in STEP 3 to the gateway.

a. Select Topology.

b. Select Manually defined and, from the drop-down list, select the internal network object created in STEP 3.

4. Clear the DES encryption key and select other supported IKEs; specify the pre-shared key (secret). 

a. Select VPN.

b. Click Traditional mode configuration. The device displays the Traditional Mode IKE Properties dialog.

c. Clear the DES key (which is enabled by default).

d. Select supported IKEs (3DES, AES128, or AES256).

e. Select a hash: MD5 or SHA1.

f. Select Pre-Shared Secret and click Edit Secrets. The Shared Secret dialog displays.

g. Select the remote gateway configured in STEP 7 and click Edit.

h. In the Enter secret field, enter the pre-shared key used by the Web Security Service to authenticate the tunnel and click Set. Refer to your planning sheet.

i. Click OK to close the Shared Secret dialog.

j. Remaining on the IKE Properties dialog, click Advanced. The device displays the Traditional Mode Advanced IKE Properties dialog.

k. Select supported Diffie-Hellman groups. The service supports Group 2 and Group 5.

l. Click OK in both dialogs to close them.

5. Assign one VPN tunnel per gateway pair and disable NAT traversal. 

a. Select VPN > VPN Advanced.

b. Select Custom Settings and One VPN tunnel per Gateway pair.

c. Clear the Support NAT traversal option.

STEP 9—Define firewall policy that excludes Auth Connector traffic and directs web traffic to the Web Security Service (and excludes all other traffic).

1. With the Firewall tab selected, click Add Rule at the Top.

2. Prevent Auth Connector from routing to the Web Security Service as web traffic.

a. Source: Add the Auth Connector agent object created in STEP 6.

b. Service: Specify HTTPS.

c. Action: Accept the connection.

3. Add a second rule that redirects web traffic (HTTP/HTTPS) to the Web Security Service over an encrypted connection.

a. Source: Add the internal network object created in STEP 3.

b. Service: Specify HTTP and HTTPS.

c. Right-click Action and select Encrypt; right-click Encrypt and select Edit Properties. The Encryption Properties dialog displays.

d. Click Edit. The IKE Phase 2 Properties dialog displays.

e. Select the same IKE properties that you did in STEP 7-3 and STEP 8-4.

f. The Protected Networks: Remote Network setting depends on the Access Method:

• For stand-alone IPsec deployments, select any.

• For trans-proxy deployments, enter the Blue Coat Web Security Service explicit proxy IP address: 199.19.250.205.

g. Select the Use Perfect Forward Secrecy option and select a supported Diffie-Hellman Group (2 or 5).

h. Click OK in each dialog to close.

4. Add a third rule with an Action object that ACCEPTS everything else.

5. At this point, you can re-add any previous Firewall rules that you had before reverting to Traditional Mode policy.

STEP 10—Define policy rules to NAT outgoing Auth Connector traffic and everything else except web traffic so that Web Security Service sees real user addresses.

1. Select the NAT tab.

2. Add a rule to NAT outgoing Auth Connector HTTPS traffic.

a. Original Packet Source: Add the Auth Connector agent created in STEP 6.

b. Original Packet Service: Specify HTTPS.

c. Translated Packet Source: Add the Check Point gateway object that you created in STEP 8.

d. Right-click the Translated Packet Source object and select NAT Method. In the Choose Translation Method dialog, select Hide. Click OK.

3. Add a second and third rule so that web traffic (HTTP and HTTPS) from the internal network is not NATed.

a. Original Packet Source (both rules): Add the internal network object that you created in STEP 3.

b. Original Packet Service: In one rule add HTTP and in the other add HTTPS.

4. Add a fourth rule that NATs everything else from the internal network. 

a. Original Packet Source: Add the internal network object that you created in STEP 3.

b. Translated Packet Source: Add the Check Point gateway object that you created in STEP 8.

c. Right-click the Translated Packet Source object and select NAT Method. In the Choose Translation Method dialog, select Hide. Click OK.

5. At this point, you can re-add any previous NAT rules that you had before reverting to Traditional Mode policy.
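The firewall rules of STEP 9 and the NAT rules of STEP 10 are evaluated top to bottom, first match wins, so their order decides whether Auth Connector traffic stays out of the tunnel and whether the Web Security Service sees real client addresses. The following Python model is an added example, not code from this guide or from Check Point; it encodes the two rulebases as described above and evaluates sample flows against them. The object names follow the examples in the procedure, while the addresses (internal network 10.0.0.0/24, Auth Connector host 10.0.0.10, a client at 10.0.0.25, the gateway's external address 203.0.113.1) are constructed for illustration.

```python
"""Model of the STEP 9 firewall rulebase and STEP 10 NAT rulebase.

Added example (not Blue Coat's or Check Point's code). Addresses are
constructed; object names follow the guide's examples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Objects from STEP 3 (InternalNetwork1), STEP 6 (BlueCoatAuthAgent) and
# STEP 8 (the gateway whose address becomes the Hide NAT source).
INTERNAL_NETWORK1 = ipaddress.ip_network("10.0.0.0/24")     # constructed
AUTH_AGENT = ipaddress.ip_network("10.0.0.10/32")           # constructed
GATEWAY_EXTERNAL = "203.0.113.1"                            # constructed

HTTP, HTTPS = 80, 443


@dataclass(frozen=True)
class Flow:
    src: str      # original packet source address
    dst: str      # destination address
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[ipaddress.IPv4Network]  # None means "Any"
    dports: tuple                          # empty tuple means any service
    action: str                            # firewall: Accept/Encrypt; NAT: Hide/Original


def first_match(rules, flow):
    """Check Point semantics: the first rule whose source and service match wins."""
    addr = ipaddress.ip_address(flow.src)
    for rule in rules:
        if rule.src is not None and addr not in rule.src:
            continue
        if rule.dports and flow.dport not in rule.dports:
            continue
        return rule
    return None


# STEP 9: rule 1 keeps Auth Connector HTTPS out of the tunnel, rule 2 encrypts
# web traffic toward the Web Security Service, rule 3 accepts everything else.
FIREWALL_RULES = [
    Rule("1 auth-connector-https", AUTH_AGENT, (HTTPS,), "Accept"),
    Rule("2 web-to-wss", INTERNAL_NETWORK1, (HTTP, HTTPS), "Encrypt"),
    Rule("3 everything-else", None, (), "Accept"),
]

# STEP 10: Hide NAT for Auth Connector HTTPS, no NAT for internal web traffic
# (so the service sees real user addresses), Hide NAT for everything else.
NAT_RULES = [
    Rule("1 auth-connector-hide", AUTH_AGENT, (HTTPS,), "Hide"),
    Rule("2 web-http-no-nat", INTERNAL_NETWORK1, (HTTP,), "Original"),
    Rule("3 web-https-no-nat", INTERNAL_NETWORK1, (HTTPS,), "Original"),
    Rule("4 everything-else-hide", INTERNAL_NETWORK1, (), "Hide"),
]


def decide(flow, firewall_rules=FIREWALL_RULES, nat_rules=NAT_RULES):
    """Return (firewall action, source address seen by the destination)."""
    fw = first_match(firewall_rules, flow)
    nat = first_match(nat_rules, flow)
    action = fw.action if fw else "Drop"   # implicit cleanup if nothing matches
    translated = GATEWAY_EXTERNAL if (nat and nat.action == "Hide") else flow.src
    return action, translated


def auth_connector_stays_out_of_tunnel(firewall_rules=FIREWALL_RULES):
    """Deployment-note check: Auth Connector HTTPS must never hit the Encrypt rule."""
    probe = Flow(str(AUTH_AGENT.network_address), "198.51.100.5", HTTPS)
    return decide(probe, firewall_rules)[0] != "Encrypt"


if __name__ == "__main__":
    for f in (Flow("10.0.0.10", "198.51.100.5", HTTPS),   # Auth Connector
              Flow("10.0.0.25", "198.51.100.5", HTTPS),   # client web
              Flow("10.0.0.25", "198.51.100.5", 53)):     # client non-web
        print(f, "->", decide(f))
    # Same three firewall rules with rules 1 and 2 swapped: the check fails.
    swapped = [FIREWALL_RULES[1], FIREWALL_RULES[0], FIREWALL_RULES[2]]
    print("ordered ok:", auth_connector_stays_out_of_tunnel())
    print("swapped ok:", auth_connector_stays_out_of_tunnel(swapped))
```

Running the module shows why STEP 9 insists on adding the Auth Connector rule at the top: the Auth Connector host lies inside InternalNetwork1, so with rules 1 and 2 swapped its HTTPS traffic would match the Encrypt rule and be sent into the tunnel, which the deployment notes forbid. The NAT model likewise shows that client web traffic keeps its original address while non-web traffic leaves with the gateway's address.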