topic Re: Check Point ElasticXL integration with FortiGate firewall in Firewall and Security Management

Check Point ElasticXL integration with FortiGate firewall

Phianne_C133188 — Tue, 12 May 2026 05:25:44 GMT

Hi, I am new to Check Point and I am currently planning for the deployment of two Check Point Quantum Force 9700 Plus Security Gateways running R82 with ElasticXL.

The two Security Gateways will be connected, each by a single link, to a FortiGate 101F firewall. So like:

FG port 1 -> CPSG01 eth2

FG port 2 -> CPSG02 eth2

However I am having difficulties understanding how the interfaces are supposed to be configured.

Based on my understanding, combining the two FortiGate links into a Layer 3 LACP bond is not viable because the two CP links are considered separate (based on this post I read https://community.checkpoint.com/t5/Firewall-and-Security-Management/ElasticXL-Bond-Aggregate-Behavior/td-p/249556).

However, I'm not sure if I can configure the two FortiGate links as a redundant interface (active/backup) either because the SMO might choose the non-pivot member to forward traffic, which means both links on the FortiGate will need to be up. In that case, would ElasticXL detect the active interface automatically and forward traffic over it accordingly?

Would appreciate if anyone has insights into how I could go about configuring the interfaces.

Thanks!

Re: Check Point ElasticXL integration with FortiGate firewall

simonemantovani — Tue, 12 May 2026 07:03:17 GMT

Hello

on my side, is not clear the reason why you want to connect the two check point directly to the Fortigate; you need to put a couple of switches L2 between Fortigate and Check Point.

Re: Check Point ElasticXL integration with FortiGate firewall

Martijn — Fri, 15 May 2026 06:45:06 GMT

Hi,

You are correct. CPSG01 ETH2 and CPSG02 ETH2 need to be connected to access ports on a switch. You cannot create a LACP bond across two appliances unless you are using Maestro.

A active/backup configuration for the links on Fortigate will not work. Both Check Point appliances need to send and receive CCP packets on the interface so they can 'see' each other.

ClusterXL and ElasticXL require a layer 2 path between the appliances. So unless you can configure port 1 and port 2 on the Fortigate as a switch, you need separate switch to connect both Check Point appliances to the Fortigate.

Martijn