4. NGFW for small businesses. VPN
Continuing our series of articles on NGFW for small businesses, let me remind you that we are considering a new model range of the 1500 series. In part 1 of the series, I mentioned one of the most useful options when buying an SMB device – the delivery of gateways with built-in Mobile Access licenses (from 100 to 200 users, depending on the model). In this article, we’ll walk through VPN configuration for 1500 series gateways that come with Gaia 80.20 Embedded preinstalled. Here’s a quick summary:
- VPN capabilities for SMB.
- Organization of Remote Access for a small office.
- Available clients to connect.
1. VPN capabilities for SMB
To prepare today's material, the official admin guide, version R80.20.05 (current at the time of writing), was used. According to it, the VPN functionality of Gaia 80.20 Embedded supports:
- Site-to-Site. VPN tunnels between your offices, so that users work as if they were on the same "local" network.
- Remote Access. Remote connection to office resources from users' end devices (PCs, mobile phones, etc.). There is also SSL Network Extender (SNX), which lets you publish individual applications and run them through a Java applet over an SSL connection. Note: not to be confused with the Mobile Access Portal, which is not supported on Gaia Embedded.
I also highly recommend the author's TS Solution course, Check Point Remote Access VPN: it covers Check Point's VPN technologies, touches on licensing, and contains detailed setup instructions.
2. Remote Access for small office
Let's start setting up a remote connection to your office:
- For users to build a VPN tunnel to the gateway, the gateway needs a public IP address. If you have already completed the initial setup (article 2 of the series), the External link is normally already active. You can check this in the Gaia Portal: Device → Network → Internet.
If your company uses a dynamic public IP address, configure Dynamic DNS under Device → DDNS & Device Access.
Two providers are currently supported: DynDNS and no-ip.com. To activate the option, enter your credentials for the provider (login and password).
- Next, create a user account; it will be useful for testing the settings: VPN → Remote Access → Remote Access Users.
In a group (for example, remoteaccess), create a user as shown in the screenshot. The account setup is standard: set a login and password, and additionally enable the Remote Access permissions option.
If the settings were applied successfully, two objects appear: a local user and a local user group.
- The next step is VPN → Remote Access → Blade Control. Make sure the blade is enabled and that traffic from remote users is allowed.
- * The above is the minimum set of steps for Remote Access. Before testing the connection, let's look at the additional settings under VPN → Remote Access → Advanced.
With the current settings, remote users receive an IP address from the 172.16.11.0/24 network on connection, thanks to the Office Mode option. A /24 provides 254 usable addresses, which is enough with a margin for the 200 concurrent-user license (the count stated for the Check Point 1590). The pool must not overlap any network behind the gateway, otherwise clients will be unable to reach the hosts on the overlapping segment.
The option "Route Internet traffic from connected clients through this gateway" is optional: it sends all traffic from the remote user, including Internet connections, through the gateway. This lets you inspect the user's traffic with the gateway's blades and protect the workstation from threats and malware, at the cost of carrying that Internet traffic over the office uplink.
- * Access policies for Remote Access
After Remote Access is configured, an access rule is created automatically at the Firewall level. To view it, go to Access Policy → Firewall → Policy.
With this rule, remote users in the previously created group can reach all internal company resources; note that the rule sits in the general section "Incoming, Internal and VPN traffic". For a production deployment, consider narrowing its destination from the whole internal network to the hosts and services remote users actually need. To allow VPN users' traffic to the Internet (when it is routed through the gateway), create a separate rule in the "Outgoing access to the Internet" section.
Finally, verify that a user can build a VPN tunnel to our NGFW gateway and reach the company's internal resources. Install the VPN client on the test host (a download link is attached). After installation, follow the standard procedure for adding a new site, specifying the public IP address of your gateway. For convenience, the process is shown as a GIF.
Once the connection is established, check the address the host received by running ipconfig in CMD.
We confirmed that the virtual network adapter received an IP address from our NGFW's Office Mode pool and that packets are sent successfully. To finish, go to the Gaia Portal: VPN → Remote Access → Connected Remote Users.
The user "ntuser" is shown as connected. Check the event logging under Logs & Monitoring → Security Logs.
The connection is logged; the source is the IP address 172.16.10.1, the address our user received through Office Mode. The source of such a log entry should always fall inside the Office Mode pool configured under Advanced; an address outside it points to a misconfigured pool or a stale client profile.
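As an added example (written for this article; it is not code from the original page or from Check Point), the script below turns the two manual checks above into functions: whether the Office Mode pool is large enough for the licensed users and disjoint from the office LANs, and whether the Check Point virtual adapter received an address inside that pool according to ipconfig output. The internal networks, the adapter name and the ipconfig text are assumptions and constructed samples, not captured data; the same pool-membership test applies to the source address you see in Security Logs.

```python
"""Sanity checks for an Office Mode deployment (example code, not Check Point's).

  office_mode_pool_ok()  - is the Office Mode pool large enough for the
                           licensed concurrent users, and disjoint from the
                           networks behind the gateway?
  office_mode_address()  - which address did the Check Point virtual adapter
                           get according to `ipconfig`, and is it in the pool?
"""
import ipaddress
import re

OFFICE_MODE_POOL = "172.16.11.0/24"   # pool from the article
LICENSED_USERS = 200                  # Mobile Access users bundled with the 1590
# Hypothetical LAN segments behind the gateway (assumption, not from the article).
INTERNAL_NETWORKS = ["192.168.1.0/24", "10.10.0.0/16"]

# Constructed `ipconfig` sample. The adapter name is an assumption, so the
# parser matches on the substring "Check Point" rather than the full name.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home.lan
   IPv4 Address. . . . . . . . . . . : 192.168.0.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1

Ethernet adapter Check Point Virtual Network Adapter:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 172.16.11.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
"""

# An adapter header is an unindented line ending in "adapter <name>:".
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$", re.MULTILINE)
# "IPv4 Address. . . . : 1.2.3.4" (ipconfig /all may append "(Preferred)").
IPV4_RE = re.compile(r"IPv4 Address[ .]*: ([\d.]+)")


def office_mode_pool_ok(pool, internal_networks, licensed_users):
    """Return (ok, reason).

    The pool must offer at least one usable address per licensed user, and it
    must not overlap any network behind the gateway: a client whose Office
    Mode address collides with an internal subnet cannot reach that subnet.
    """
    pool = ipaddress.ip_network(pool)
    usable = pool.num_addresses - 2  # network and broadcast are not handed out
    if usable < licensed_users:
        return False, f"{pool} has {usable} usable addresses for {licensed_users} users"
    for net in map(ipaddress.ip_network, internal_networks):
        if pool.overlaps(net):
            return False, f"{pool} overlaps internal network {net}"
    return True, "ok"


def adapters(ipconfig_text):
    """Map adapter name -> IPv4 address string (None when the adapter has none)."""
    result = {}
    heads = list(ADAPTER_RE.finditer(ipconfig_text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(ipconfig_text)
        found = IPV4_RE.search(ipconfig_text, head.end(), end)
        result[head.group(1)] = found.group(1) if found else None
    return result


def office_mode_address(ipconfig_text, pool, adapter_keyword="Check Point"):
    """Return the VPN adapter's address when it lies inside the Office Mode
    pool; None when the adapter is missing, has no address, or was given an
    address outside the pool (a misconfigured pool or a stale client profile)."""
    network = ipaddress.ip_network(pool)
    for name, addr in adapters(ipconfig_text).items():
        if adapter_keyword in name and addr:
            return addr if ipaddress.ip_address(addr) in network else None
    return None


if __name__ == "__main__":
    print(office_mode_pool_ok(OFFICE_MODE_POOL, INTERNAL_NETWORKS, LICENSED_USERS))
    print(office_mode_address(SAMPLE_IPCONFIG, OFFICE_MODE_POOL))
```

On a real test host, save the output of ipconfig to a file and pass its contents to office_mode_address() instead of SAMPLE_IPCONFIG; the pool check only needs the values from the Advanced tab and your LAN definitions.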
3. Supported Clients for Remote Access
Having reviewed the procedure for setting up a remote connection to your office with a Check Point NGFW of the SMB family, I would like to cover client support for various devices:
- Endpoint VPN for Windows / Mac OS
- Mobile Client (Android / iOS)
- L2TP native client (Check Point states support for Microsoft's built-in VPN client).
The variety of supported operating systems and devices lets you make full use of the license that comes with the NGFW. To configure a particular device, there is a convenient "How to connect" option.
It automatically generates instructions based on your settings, which lets administrators roll out new clients without problems.
Conclusion: In this article we examined the VPN capabilities of the Check Point NGFW SMB family. We then described the steps for configuring Remote Access for users connecting remotely to the office, and looked at the monitoring tools. Finally, we covered the available clients and connection options for Remote Access. With this, your branch office can keep employees working continuously and safely over VPN, despite various external threats and factors.
A large selection of materials on Check Point from TS Solution. Stay tuned (Telegram, Facebook, VK, TS Solution Blog, Yandex Zen).