HARMONY CONNECT
FOR SILVER PEAK
Integration Guide
[Classification: Restricted]
Check Point Copyright Notice
© 2020 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
TRADEMARKS:
Refer to the Copyright page for a list of our trademarks.
Refer to the Third Party copyright notices for a list of relevant copyrights and third-party licenses.
Important Information
Latest Software
We recommend that you install the most recent software release to stay up-to-date with the
latest functional improvements, stability fixes, security enhancements and protection against
new and evolving attacks.
Certifications
For third party independent certification of Check Point products, see the Check Point
Certifications page.
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments.
Revision History
Date Description
29 June 2022 Improved structure of the document and excluded GRE configurations.
Table of Contents
Introduction 5
Silver Peak 5
Check Point Harmony Connect 5
About this Guide 5
Getting Started 7
Prerequisite 7
Integrating Silver Peak with Check Point Harmony Connect 7
Version 8.8.3 and higher 7
Version earlier than 8.8.3 7
High-level Procedure 7
Silver Peak Integration with Orchestrator Version 8.8.3 and Higher 8
Configuring a Business Intent Overlay Policy (BIO) 11
Silver Peak Integration with Orchestrator Versions earlier than 8.8.3 13
Adding a New Site in Harmony Connect 13
Configuring the SD-WAN Device 17
Creating a Deployment Profile 18
Configuring the BIO Policy 19
Configuring the Passthrough Tunnels for Silver Peak and Check Point 21
Monitoring the Traffic 25
Introduction
Silver Peak
Silver Peak is an open, programmable and scalable cloud scale architecture. With Silver Peak
EdgeConnect SD-WAN, you can quickly connect data centers, branches, campuses, and colocation
facilities to cloud applications and improve network speed, security, and efficiency.
EdgeConnect physical, virtual or cloud appliances support industry standard hypervisors. You can purchase
them through subscription-based licensing. The platform is centrally managed by Unity Orchestrator.
Note - To configure a GRE tunnel between Silver Peak and Harmony Connect,
contact Check Point Support.
Getting Started
Prerequisite
- Infinity Portal account.
- Silver Peak account.
High-level Procedure
1. "Silver Peak Integration with Orchestrator Version 8.8.3 and Higher" on the next page or "Silver Peak
Integration with Orchestrator Versions earlier than 8.8.3" on page 13
2. "Configuring the Passthrough Tunnels for Silver Peak and Check Point" on page 21
3. "Monitoring the Traffic" on page 25
4. Monitoring Cyber Security
1. In the Silver Peak Orchestrator, click Configuration > Cloud Services > Check Point
CloudGuard Connect.
2. Click Subscription.
The Subscription window appears.
3. Paste the Client ID and the API Access Key generated in the Infinity Portal.
4. Click Save.
1. In the Silver Peak Orchestrator, click Check Point CloudGuard Connect > Interface Labels.
Silver Peak uses labels to create a consistent global policy across various edge devices. Any edge
device with your selected labels receives the Check Point security automatically after the
integration.
1. On the left pane, right-click the applicable device and select Deployment.
1. In the Silver Peak Orchestrator, click Configuration > Overlays > Business Intent Overlays.
2. Double-click the Check Point security policy rule that you want to apply to the traffic.
The Overlay Configuration window appears.
3. Click Breakout Traffic to Internet & Cloud Services.
4. From the Available Policies list, drag-and-drop the Check Point CloudGuard policy to Preferred
Policy Order. This policy is available only if you have the Check Point subscription.
5. Click OK.
6. (Optional) Apply the Check Point protection to each applicable device. Only traffic from the labeled
edge devices can pass through Check Point.
7. Click Save and Apply Changes to Overlays.
You can monitor various attacks prevented by the Harmony Connect cyber-security features. For more
information, see Internet and Network Access Logs.
Note - Every site on the Sites page represents the device in your branch office that
connects you to the internet.
5. In the Internal Sub-networks screen, enter the subnet addresses of your internal networks in the
branch office site.
Check Point Harmony Connect applies its cybersecurity features on all traffic coming from these
network addresses.
6. Click Next.
7. In the Location screen, enter this information:
a. Site Address - (Optional) Physical location of the branch office. It shows your site on the world
map.
b. Location of the cloud service - Select the cloud service location that is closest to your site.
Best Practice - Harmony Connect inspects traffic from your branch office
to internet through a cloud service that is closest to your site location. For
some regions, such as South America or the Middle East, the location for
the cloud service must have a strong cross-country internet link.
8. Click Next.
9. Confirm Site Creation and review site details.
10. Click Finish and Create Site.
Note - It takes Check Point several minutes to create the new site.
When the new site is ready, it appears in the list of sites with the status Generating Site.
The status changes to Waiting for Traffic when the site is ready.
5. Click Close.
1. In the Silver Peak Orchestrator, right-click the applicable device and select Deployment.
The Deployment window appears.
2. Create your LAN and WAN interfaces. For example, lan0, wan0, and wan1.
3. From the FW Mode list, select the applicable firewall.
4. Enter the Bandwidth and Next Hop IP addresses.
5. Click Apply.
Specify labels for traffic that passes through the IPsec tunnels to Check Point.
Check Point protection automatically secures all edge devices with the labels. BIO policies specify how
to handle traffic with particular characteristics within the network.
3. Click Breakout Traffic to Internet & Cloud Services. Under Branch Settings, click to edit
Available Policies.
a. In the Service Name field, add a new service object and enter its name (Atom_IPSEC).
b. Click Add.
c. Click Close.
4. In the Breakout Traffic to Internet & Cloud Services window, move the Atom_IPSEC service to
Preferred Policy Order and place it above other policies.
Note - When the Check Point service is at the top of the list, all internet-bound
traffic passes through the Check Point IPsec tunnel. If the IPsec tunnel is
down, the traffic breaks out locally. If that also fails, the traffic is backhauled
over the overlay.
5. Click Save.
1. In the Silver Peak Orchestrator, click Configurations > Overlays > Apply Overlays.
2. In the left pane, select the applicable device.
3. Under Apply Overlays, select Atom_Test_IPSEC as overlay.
4. Click Apply.
5. Click IKE and configure the IKE Phase 1 parameters based on the properties in the Check Point
instructions. See Configuring the SD-WAN Device.
6. Click IPsec and configure the IKE Phase 2 parameters based on the properties in the Check Point
instructions. See Configuring the SD-WAN Device.
7. Click Save.
Repeat this procedure to create three more tunnels. Use two different local IPs for each remote IP
address provided by Check Point.
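The four-tunnel layout above is easy to get subtly wrong (for example, reusing the same local IP for a remote peer, which leaves four tunnel entries but no redundancy). The following checker is an added example, not Check Point or Silver Peak code; it validates a planned tunnel list against the stated requirement, and all IP addresses in it are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""Check a planned set of Silver Peak -> Check Point IPsec passthrough tunnels.

Added example (not from the guide or the products). The guide requires four
tunnels: two different local (WAN) IPs for each of the two remote IP addresses
that Check Point provides. Any address below is a constructed placeholder.
"""
from collections import defaultdict
from ipaddress import ip_address

REQUIRED_LOCAL_IPS_PER_REMOTE = 2
REQUIRED_TUNNELS = 4


def check_tunnel_plan(tunnels, remote_ips):
    """Return a list of problems; an empty list means the plan is complete.

    tunnels    -- iterable of (local_ip, remote_ip) strings, one per tunnel
    remote_ips -- the remote IP addresses supplied by Check Point
    """
    problems = []
    remotes = {ip_address(r) for r in remote_ips}
    locals_by_remote = defaultdict(set)
    seen = set()
    for local, remote in tunnels:
        pair = (ip_address(local), ip_address(remote))
        if pair[1] not in remotes:
            problems.append(f"{remote}: not a Check Point remote IP")
            continue
        if pair in seen:  # same local/remote pair entered twice adds no redundancy
            problems.append(f"{local}->{remote}: duplicate tunnel")
            continue
        seen.add(pair)
        locals_by_remote[pair[1]].add(pair[0])
    for remote in sorted(remotes):
        n = len(locals_by_remote[remote])
        if n != REQUIRED_LOCAL_IPS_PER_REMOTE:
            problems.append(f"{remote}: {n} distinct local IP(s), need {REQUIRED_LOCAL_IPS_PER_REMOTE}")
    if len(seen) != REQUIRED_TUNNELS:
        problems.append(f"{len(seen)} tunnels planned, need {REQUIRED_TUNNELS}")
    return problems


# Constructed sample: two WAN IPs on the edge device, two Check Point remote IPs.
CHECKPOINT_REMOTES = ["198.51.100.10", "198.51.100.20"]
GOOD_PLAN = [("192.0.2.1", "198.51.100.10"), ("192.0.2.2", "198.51.100.10"),
             ("192.0.2.1", "198.51.100.20"), ("192.0.2.2", "198.51.100.20")]
# Local IP reused for the second remote: four entries, but only three real tunnels.
BAD_PLAN = [("192.0.2.1", "198.51.100.10"), ("192.0.2.2", "198.51.100.10"),
            ("192.0.2.1", "198.51.100.20"), ("192.0.2.1", "198.51.100.20")]

if __name__ == "__main__":
    print(check_tunnel_plan(GOOD_PLAN, CHECKPOINT_REMOTES))  # []
    print(check_tunnel_plan(BAD_PLAN, CHECKPOINT_REMOTES))
```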
A BIO automates the creation of route policies and determines the destination to route a packet. Route
policy settings work as exceptions to the BIO configuration.
1. In the Silver Peak Orchestrator, click Configuration > Templates & Policies > Route Policies.
2. View your route policy to make sure that your tunnel setup is correct.
You can create the policy manually, if the automatic creation fails.