VPN


Time: 1 hour 35 minutes
Difficulty: Intermediate
CEU/CPE: 2
Video Transcription
00:00
>> [MUSIC] In this module, we will cover the VPN options for the SMB device. The SMB device supports remote access and site-to-site VPN. We will take a look at it later on, but here are some of the highlights. If you configure a VPN with a non-Check Point gateway, make sure to use this option of DPD, dead peer detection. Link selection can be according to the routing table or route-based probing. The source IP address selection: the default is automatic, but you can configure that as well.

Externally managed gateways. This is very useful when setting up site-to-site VPN. We can add the external gateway object to the SMP, define the community and member type, and configure the encryption domains; also in the SMP, we can import the external gateway certificate. You can see SK117544 for more information.

We also support VPN to Amazon Web Services. Just download a VPN configuration file from AWS and follow these steps. Make sure that your AWS instance doesn't have any internal firewall or antivirus, as it might block traffic from the SMB.

Let's see some of the settings right here on the SMB. I'm currently under VPN, under Blade Control. We can see that the remote access is enabled by default, but currently without any users or groups. But as you can see, it's all links, so you can just click on it and it will take you to the right menu to configure. For example, users and groups, and I can configure that as well. It suggests configuring dynamic DNS and having a static IP address. We can also configure which clients can connect over VPN. We have SSL VPN, mobile client or Check Point VPN clients, and more.

The next step here is for our remote access users. For user authentication, you can use Active Directory, RADIUS, or you can just add the users manually. This next tab shows you the connected remote users, currently none. Authentication servers: we can add a new domain or configure a RADIUS server right here. The Advanced tab, where you can configure office mode. This is the default address. We have DNS servers for remote access users and more.

Site-to-site VPN. To enable site-to-site VPN we'll just go here; you can click on that and it will take you to the proper menu. I can go ahead and select "New", and I can go ahead and configure the name, assign the IP, select if it's behind NAT, and add the host name. For authentication, we can use a pre-shared key or a certificate and, of course, the encryption domain. In encryption we need to know what the peers are expecting. It's crucial to have the same configurations on both sides. In the Advanced tab, if the remote device is a Check Point security gateway, we can configure a permanent tunnel. We can see that the default setting is to disable NAT, and the encryption method with different [inaudible] versions. Security-wise, we highly discourage enabling aggressive mode.

Here we have the communities; this is available whenever we have Cloud Services turned on. Our VPN tunnels: as far as any current VPN tunnels, if you had site-to-site or remote access, you would see them here. The Advanced tab: as we saw in the slides, we can configure the link selection. Here at the bottom you can see the encryption method with our gateway ID. Finally, here you have the certificates: the trusted CA certificate and the internal certificate, and you can go ahead and sign a request. We can see all the installed certificates and the internal certificates. We can see all that information right here. We can replace one, we can export, we can sign a request, all of them from here. That concludes the VPN module. [MUSIC]