https://community.checkpoint.com/t5/Firewall-and-Security-Management/static-route-redundancy-with-different-priority-nexthop-gateways/m-p/98058#M10491 <P>Hi checkmates,</P><P>I want to configure route redundancy for a specific static route where the nexthop should be an upstream vpn gateway as priority 1 path and a connected router for priority 2 path.<BR />The priority 2 route should become active when the vpn goes down.</P><P>Form my understanding the default nexthop ping monitoring would make no sense since the priority 1 nexthop (upstream vpn gateway) would still be active in case of vpn breakdown.</P><P>My idea is to create a dedicated ip on the upstream vpn gateway which then DNAT to a vpn internal remote ip.<BR />This ip should be monitored from the checkpoint and if not reachable then issue the routing failover (priority 2) route.</P><P># monitored nexthop, will be DNATed on the upstream vpn gateway to internal vpn endpoint<BR />set static-route 1.25.93.1/32 nexthop gateway address 1.1.1.100 on</P><P># failover to priority 2 nexthop, failback to priority 1 nexthop once monitored ip becomes up again<BR />set static-route 1.25.80.0/20 nexthop gateway address 1.1.1.4 priority 1 on<BR />set static-route 1.25.80.0/20 nexthop gateway address 1.2.1.4 priority 2 on</P><P>I have R80.30 and read about BFD using ICMP ping which would be a possibility but there's not much info on this.</P><P>Also do I have to add one route with two gateways and different priorities or two separate identical routes with each gateway using different priorities?</P><P>Can someone help me with this?</P> Fri, 02 Oct 2020 09:10:05 GMT soundwave 2020-10-02T09:10:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/static-route-redundancy-with-different-priority-nexthop-gateways/m-p/98058#M10491 <P>Hi checkmates,</P><P>I want to configure route redundancy for a specific static route where the nexthop should be an upstream vpn gateway as priority 1 path and a connected router for priority 2 path.<BR />The priority 2 route should become active when the vpn goes down.</P><P>Form my understanding the default nexthop ping monitoring would make no sense since the priority 1 nexthop (upstream vpn gateway) would still be active in case of vpn breakdown.</P><P>My idea is to create a dedicated ip on the upstream vpn gateway which then DNAT to a vpn internal remote ip.<BR />This ip should be monitored from the checkpoint and if not reachable then issue the routing failover (priority 2) route.</P><P># monitored nexthop, will be DNATed on the upstream vpn gateway to internal vpn endpoint<BR />set static-route 1.25.93.1/32 nexthop gateway address 1.1.1.100 on</P><P># failover to priority 2 nexthop, failback to priority 1 nexthop once monitored ip becomes up again<BR />set static-route 1.25.80.0/20 nexthop gateway address 1.1.1.4 priority 1 on<BR />set static-route 1.25.80.0/20 nexthop gateway address 1.2.1.4 priority 2 on</P><P>I have R80.30 and read about BFD using ICMP ping which would be a possibility but there's not much info on this.</P><P>Also do I have to add one route with two gateways and different priorities or two separate identical routes with each gateway using different priorities?</P><P>Can someone help me with this?</P> Fri, 02 Oct 2020 09:10:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/static-route-redundancy-with-different-priority-nexthop-gateways/m-p/98058#M10491 soundwave 2020-10-02T09:10:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/static-route-redundancy-with-different-priority-nexthop-gateways/m-p/98232#M10492 <P>From CLI you will need to add a route twice with each gateway using different priorities. In WebUI, you can add two different gateways to a given route. Just to clarify, BFD does not use ICMP. You can use remote-ip monitoring with either ICMP or BFD. Please involve PS, SE or Diamond to help with configuration.&nbsp;&nbsp;</P> Mon, 05 Oct 2020 16:08:46 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/static-route-redundancy-with-different-priority-nexthop-gateways/m-p/98232#M10492 Sundeep_Mudgal 2020-10-05T16:08:46Z