
29 June 2022

HARMONY CONNECT
FOR SILVER PEAK

Integration Guide
[Classification: Restricted]
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.

RESTRICTED RIGHTS LEGEND:


Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)
(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.

TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection against
new and evolving attacks.

Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.

Latest Version of this Document in English


Open the latest version of this document in a Web browser.
Download the latest version of this document in PDF format.

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.

Revision History

Date            Description
29 June 2022    Improved structure of the document and excluded GRE configurations.
28 April 2019   First release of this document

Harmony Connect for Silver Peak Integration Guide   |   3


Table of Contents
Introduction
Silver Peak
Check Point Harmony Connect
About this Guide
Getting Started
Prerequisite
Integrating Silver Peak with Check Point Harmony Connect
Version 8.8.3 and higher
Version earlier than 8.8.3
High-level Procedure
Silver Peak Integration with Orchestrator Version 8.8.3 and Higher
Configuring a Business Intent Overlay Policy (BIO)
Silver Peak Integration with Orchestrator Versions earlier than 8.8.3
Adding a New Site in Harmony Connect
Configuring the SD-WAN Device
Creating a Deployment Profile
Configuring the BIO Policy
Configuring the Passthrough Tunnels for Silver Peak and Check Point
Monitoring the Traffic

Introduction
Silver Peak
Silver Peak is an open, programmable and scalable cloud scale architecture. With Silver Peak
EdgeConnect SD-WAN, you can quickly connect data centers, branches, campuses, and colocation
facilities to cloud applications and improve network speed, security, and efficiency.
EdgeConnect physical, virtual or cloud appliances support industry standard hypervisors. You can purchase
them through subscription-based licensing. The platform is centrally managed by Unity Orchestrator.

Check Point Harmony Connect


Check Point Harmony Connect is a cloud security platform that provides the latest threat prevention and access
control for branch offices. You can connect the routing equipment or SD-WAN device to Harmony Connect
directly.

For more information, see the Harmony Connect Administration Guide.

About this Guide


This guide provides instructions to:

- Integrate Silver Peak with Check Point.
- Protect your branch offices through IPsec tunnels to Check Point Harmony Connect.
- Configure IPsec tunnels and service chain traffic from a Silver Peak SD-WAN device to Check Point
  Harmony Connect.

  Note - To configure a GRE tunnel between Silver Peak and Harmony Connect,
  contact Check Point Support.

- Monitor cybersecurity events.

Getting Started
Prerequisite
- Infinity Portal account.
- Silver Peak account.

Integrating Silver Peak with Check Point Harmony Connect
With a Silver Peak Orchestrator, you can route the outgoing traffic through IPsec tunnels from a Silver Peak
EdgeConnect device to the Check Point Harmony Connect security service.
The configuration of the Silver Peak branch device through IPsec tunnels depends on the version of Silver
Peak Orchestrator.

Version 8.8.3 and higher


- You can use Silver Peak Orchestrator to automatically integrate with the branch devices, without
  configuring in Harmony Connect. You must generate an API key in your Infinity Portal account. For more
  information, see "Silver Peak Integration with Orchestrator Version 8.8.3 and Higher".
Note - This procedure creates a new site automatically in Harmony Connect. You cannot change the location
of the site.

Version earlier than 8.8.3


- You must create a site in your Check Point Infinity Portal to configure branch devices in Silver Peak
  Orchestrator. For more information, see "Silver Peak Integration with Orchestrator Versions earlier
  than 8.8.3".

High-level Procedure
1. "Silver Peak Integration with Orchestrator Version 8.8.3 and Higher" or "Silver Peak
Integration with Orchestrator Versions earlier than 8.8.3"
2. "Configuring the Passthrough Tunnels for Silver Peak and Check Point"
3. "Monitoring the Traffic"
4. Monitoring Cyber Security

Silver Peak Integration with Orchestrator Version 8.8.3 and Higher
Note - This procedure creates a new site automatically in Harmony Connect. You cannot change the location
of the site.
To generate an API Key in the Check Point Infinity Portal:

1. Log in to the Infinity Portal.


2. Navigate to Global Settings > API Keys.
3. Click New.
4. From the Service list, select Harmony Connect.
5. From the Roles list, select Admin.
6. Click Create.
7. Copy and save the Client ID and the API Access Key.

To apply the Check Point API Key in Silver Peak Orchestrator:

1. In the Silver Peak Orchestrator, click Configuration > Cloud Services > Check Point
CloudGuard Connect.

2. Click Subscription.
The Subscription window appears.
3. Paste the Client ID and the API Access Key generated in the Infinity Portal.

4. Click Save.

To configure interface labels:

1. In the Silver Peak Orchestrator, click Check Point CloudGuard Connect > Interface Labels.
Silver Peak uses labels to create a consistent global policy across various edge devices. Any edge
device with your selected labels receives the Check Point security automatically after the
integration.

2. Select the order for the interface labels.


3. Click Save.

To apply the protection policy labels to devices:

1. On the left pane, right-click the applicable device and select Deployment.

2. In the Deployment window, select a Check Point interface label.

Configuring a Business Intent Overlay Policy (BIO)
To configure BIO policy for traffic:

1. In the Silver Peak Orchestrator, click Configuration > Overlays > Business Intent Overlays.

2. Double-click the Check Point security policy rule that you want to apply to the traffic.
The Overlay Configuration window appears.
3. Click Breakout Traffic to Internet & Cloud Services.
4. From the Available Policies list, drag-and-drop the Check Point CloudGuard policy to Preferred
Policy Order. This policy is available only if you have the Check Point subscription.
5. Click OK.

6. (Optional) Apply the Check Point protection to each applicable device. Only traffic from the labeled
edge devices can pass through Check Point.
7. Click Save and Apply Changes to Overlays.

To test your configuration:

1. Log in to the Infinity Portal.


2. Navigate to Harmony Connect and click Assets > Branches & Data Centers.
Harmony Connect creates the site and establishes a VPN tunnel automatically.
When the site is created, the site status is Waiting for traffic. When you generate traffic between the
Silver Peak SD-WAN device and Harmony Connect through the VPN tunnel, the status changes to
Active.

You can monitor various attacks prevented by the Harmony Connect cyber-security features. For more
information, see Internet and Network Access Logs.

Silver Peak Integration with Orchestrator Versions earlier than 8.8.3
Adding a New Site in Harmony Connect
You can add, manage, and delete the sites in your organization and view all your site locations.
To connect a branch office and manage its security, you have to create a site that represents the SD-WAN
device of this branch office, and then route its traffic to the network through Harmony Connect.

Note - Every site on the Sites page represents the device in your branch office that
connects you to the internet.

To add a new site:


1. Log in to the Check Point Infinity Portal and navigate to Harmony Connect > Assets > Branches &
Datacenters.
2. Click Add.
The Add Site window appears.
3. Enter this information in the General screen and then click Next:
a. Name - A name for the site.
b. Comments - Optional description for the site.
c. Branch Office Gateway Type - Select Silver Peak from the list.
d. Number of users (Estimation) - The expected number of users.
4. Enter this information in the Connection Details screen and click Next:
a. External IP Addresses - One or more IP addresses of your branch office gateway.
Notes:
- You can select Dynamic IP Address or Static IP Address.
- If you have more than one external network interface, use Add
  another external IP address or Add another Interface Identifier.
  Check Point recommends that you add all your external IP addresses to
  secure all the traffic.

b. Copy and save the Shared Secret.

c. Select Enable Tunnel Status.

5. In the Internal Sub-networks screen, enter the subnet addresses of your internal networks in the
branch office site.
Check Point Harmony Connect applies its cybersecurity features on all traffic coming from these
network addresses.

6. Click Next.
7. In the Location screen, enter this information:
a. Site Address - (Optional) Physical location of the branch office. It shows your site on the world
map.
b. Location of the cloud service - Select a closer location for the cloud service.
Best Practice - Harmony Connect inspects traffic from your branch office
to the internet through a cloud service that is closest to your site location. For
some regions, such as South America or the Middle East, the location for
the cloud service must have a strong cross-country internet link.

8. Click Next.
9. Confirm Site Creation and review site details.
10. Click Finish and Create Site.

Note - It takes Check Point several minutes to create the new site.

When the new site is ready, it appears in the list of sites, with Generating Site as status.
The status changes to Waiting for Traffic when the site is ready.

Configuring the SD-WAN Device


When you create a branch site in Check Point Harmony Connect, you must configure your branch office to
route the traffic through Harmony Connect.
Check Point creates the back-end architecture to tunnel the traffic from the branch device to the internet.

To configure your branch SD-WAN device:


1. Log in to the Check Point Infinity Portal and navigate to Harmony Connect > Assets > Branches &
Datacenters.
2. Click Configure branch device from your applicable branch device.
The Instructions window appears.
3. Select Generic Router / SD-WAN.
4. Copy the tunnel properties with two tunnel destinations and other parameters.

5. Click Close.

Creating a Deployment Profile


To configure a deployment profile for the tunnels:

1. In the Silver Peak Orchestrator, right-click the applicable device and select Deployment.
The Deployment window appears.
2. Create your LAN and WAN interfaces. For example, lan0, wan0, and wan1.
3. From the FW Mode list, select the applicable firewall.
4. Enter the Bandwidth and Next Hop IP addresses.
5. Click Apply.

Configuring the BIO Policy


To configure integration labels between Silver Peak and Check Point:

Specify labels for traffic that passes through the IPsec tunnels to Check Point.
Check Point protection automatically secures all edge devices with the labels. BIO policies specify how
to handle traffic with particular characteristics within the network.

To configure BIO policy:


1. In the Silver Peak Orchestrator, click Configuration > Overlays > Business Intent Overlay.
The Business Intent Overlay window opens.
2. On the Overlay Configuration window, enter Atom_Test_IPSEC in the Name field.

3. Click Breakout Traffic to Internet & Cloud Services, under Branch Settings, click to edit
Available Policies.
a. In the Service Name field, add a new service object and enter its name (Atom_IPSEC).
b. Click Add.
c. Click Close.
4. In the Breakout Traffic to Internet & Cloud Services window, move the Atom_IPSEC service to
Preferred Policy Order and place it above other policies.
Note - When the Check Point service is on top of the list, all the internet-bound
traffic passes through the Check Point IPsec tunnel. If the IPsec tunnel is
down, the traffic breaks out locally. If this fails, the traffic backhauls with the
overlay.

5. Click Save.

To apply the BIO policy to the device:

1. In the Silver Peak Orchestrator, click Configuration > Overlays > Apply Overlays.
2. In the left pane, select the applicable device.
3. Under Apply Overlays, select Atom_Test_IPSEC as overlay.
4. Click Apply.

Configuring the Passthrough Tunnels for Silver Peak and Check Point
To configure the passthrough tunnels for service chain traffic between Silver Peak and Check Point:

1. In the Silver Peak Orchestrator, click Configuration > Tunnels.


The Tunnels window appears.
2. Click Passthrough > Edit.
3. In the Edit screen, click Passthrough > Add Tunnel.
The Add Passthrough Tunnel window appears.
4. Configure the General parameters:
a. In the Alias field, enter a name for the passthrough tunnel. For example, CP-IPSEC_Tunnel1.
b. From the Mode, select IPSec.
c. From the Admin, select up.
d. In the Local IP field, enter the IP address of the branch office device.
e. In the Remote IP field, enter the IP address of the Check Point tunnel. See Configuring the
SD-WAN Device.
f. From the NAT list, select none.
g. In the Peer/Service field, enter the name of the BIO service that you created (Atom_IPSEC).
h. Select Auto Max BW Enabled.

5. Click IKE and configure the IKE Phase 1 parameters based on the properties in the Check Point
instructions. See Configuring the SD-WAN Device.

6. Click IPsec and configure the IKE Phase 2 parameters based on the properties in the Check Point
instructions. See Configuring the SD-WAN Device.

7. Click Save.
Repeat this procedure to create three more tunnels. Use two different local IPs for each remote IP
address provided by Check Point.
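
The four-tunnel layout this procedure ends with (two different local IPs for each of the two Check Point tunnel destinations) can be checked before it is entered in the Orchestrator. The Python below is an added example, not Check Point or Silver Peak code: the addresses are constructed documentation-range placeholders, and the dictionary field names are assumptions that mirror the General parameters above.

```python
import ipaddress
from collections import defaultdict

BIO_SERVICE = "Atom_IPSEC"  # Peer/Service name created in the BIO policy steps
# Values the General parameters step tells you to select.
REQUIRED = {"mode": "IPSec", "admin": "up", "nat": "none"}

# Constructed sample data (documentation-range addresses): two branch WAN IPs
# and the two tunnel destinations copied from the Infinity Portal instructions.
LOCAL_IPS = ["192.0.2.10", "192.0.2.20"]
REMOTE_IPS = ["198.51.100.1", "203.0.113.1"]


def build_plan(local_ips, remote_ips, service=BIO_SERVICE):
    """One tunnel per (remote, local) pair: two local IPs for each remote IP."""
    plan = []
    for remote in remote_ips:
        for local in local_ips:
            plan.append({"alias": f"CP-IPSEC_Tunnel{len(plan) + 1}",
                         "local_ip": local, "remote_ip": remote,
                         "peer": service, **REQUIRED})
    return plan


def audit_plan(tunnels, remote_ips, service=BIO_SERVICE):
    """Return a list of findings; an empty list means the plan matches the guide."""
    findings = []
    locals_by_remote = defaultdict(set)
    aliases = set()
    for t in tunnels:
        alias = t["alias"]
        if alias in aliases:
            findings.append(f"{alias}: duplicate alias")
        aliases.add(alias)
        for field, want in {**REQUIRED, "peer": service}.items():
            if t[field] != want:
                findings.append(f"{alias}: {field} is {t[field]!r}, expected {want!r}")
        try:
            local = str(ipaddress.ip_address(t["local_ip"]))
            remote = str(ipaddress.ip_address(t["remote_ip"]))
        except ValueError as exc:
            findings.append(f"{alias}: {exc}")
            continue
        if remote not in remote_ips:
            findings.append(f"{alias}: {remote} is not a Check Point tunnel destination")
        else:
            locals_by_remote[remote].add(local)
    for remote in remote_ips:
        count = len(locals_by_remote[remote])
        if count != 2:
            findings.append(f"{remote}: {count} distinct local IPs, expected 2")
    return findings


if __name__ == "__main__":
    for finding in audit_plan(build_plan(LOCAL_IPS, REMOTE_IPS), REMOTE_IPS) or ["plan OK"]:
        print(finding)
```

A tunnel whose Peer/Service does not match the BIO service name is the finding to act on first, because the overlay's Preferred Policy Order refers to that service name.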

To verify the route policy:

A BIO automates the creation of route policies and determines the destination to route a packet. Route
policy settings work as exceptions to the BIO configuration.
1. In the Silver Peak Orchestrator, click Configuration > Templates & Policies > Route Policies.
2. View your route policy to make sure your tunnel setup is correct.
You can create the policy manually if the automatic creation fails.

Monitoring the Traffic


1. In the Silver Peak Orchestrator, click Monitoring > Bandwidth > Flows > Active & Recent Flows.
2. Monitor the traffic flows in the flows table.
- Route the four flows to the Internet.
  Confirm that two flows go through the first Check Point tunnel. Confirm that the other two flows
  go through the second Check Point tunnel.
- Turn off one of the Check Point tunnels.
  Confirm that all traffic goes through the second Check Point tunnel.
- Turn on the first Check Point tunnel.
  Confirm that traffic load is balanced between the two tunnels.
You can monitor various attacks prevented by the Harmony Connect cybersecurity features. For more
information, see Monitoring Cybersecurity Events.
