[MUSIC] In this module, we will cover the VPN options for the SMB device. The SMB device supports remote access and site-to-site VPN. We will take a look at it later on, but here are some of the highlights.

If you configure a VPN with a non-Check Point gateway, make sure to use this option of DPD, Dead Peer Detection. Link selection can be according to the routing table or route-based probing. For the source IP address selection, the default is automatic, but you can configure that as well.

Externally managed gateways: this is very useful when setting up site-to-site VPN. So we can add the external gateway object to the SMP, define the community and member type, and configure the encryption domains. Also in the SMP, we can import the external gateway certificate. You can see sk117544 for more information.

We also support VPN to Amazon Web Services: just download a VPN configuration file from AWS and follow these steps. Make sure that your AWS instance doesn't have any internal firewall or antivirus, as it might block traffic from the SMB.

So let's see some of the settings right here on the SMB. So I'm currently under VPN, under Blade Control. We can see that remote access is enabled by default, but currently without any users or groups. But as you can see, it's all links, so you can just click on it and it will take you to the right menu to configure. So, for example, users and groups, and I can configure that as well. It suggests configuring dynamic DNS and having a static IPv4 address. We can also configure which clients can connect over VPN, so we have SSL VPN, mobile client, or Check Point VPN clients, and more.

[MUSIC] The next step here is for our remote access users. For user authentication, you can use Active Directory, RADIUS, or you can just add the users manually. This next tab shows you the connected remote users, currently none. Authentication servers: we can add a new domain or configure a RADIUS server right here.
The Advanced tab is where you can configure Office Mode; this is the default address. We have DNS servers for remote access users and more.

Site-to-site VPN: to enable site-to-site VPN, we'll just go here; you can click on that and it will take you to the proper menu. I can go ahead and select New, and I can go ahead and configure the name, assign the IP, select if it's behind NAT, add the hostname. For authentication, we can use a pre-shared key or a certificate, and of course the encryption domain. And encryption: we need to know what the peers are expecting, so it's crucial to have the same configurations on both sides.

In the Advanced tab, we can configure if the remote device is a Check Point security gateway. We can configure a permanent tunnel, we can see that the default setting is to disable NAT, and the encryption method with the different IKE versions. Security-wise, we highly discourage enabling aggressive mode.

Here we have the communities; this is available whenever we have cloud services turned on. Our VPN tunnels: as far as any current VPN tunnels, if you had site-to-site or remote access, you would see it here. The Advanced tab: so, as we saw in the slides, we can configure the link selection. Here at the bottom you can see the encryption method with our gateway ID.

And finally, here you have the certificates, the trusted CA certificate, and the internal certificate, and you can go ahead and sign a request. We can see all the installed certificates and the internal certificates; we can see all that information right here. We can replace one, we can export, we can sign a request, all done from here.

That concludes the VPN module. [MUSIC]