https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-ISB-Migration-Question/m-p/120923#M17184 <P>Hey Mates,</P><P>&nbsp;</P><P>we are running 80.20 in our headquarter and use 1430 Appliances in our branch offices.</P><P>Currently we are facing perfomance issues and it seems the internet connection we use for the site-to-site vpns might be undersized.</P><P>We have 2 ISPs and so far we are using only one for the site-to-site. The second line is bigger and we would like to switch our site-to-sites to the bigger connection.</P><P>However, we would like to test it with our lab and we are currently lost on how to do this.</P><P>Our firewall cluster is in an Encryption Domain with "always use this addess" configuration to public IP adress of the weak line. We looked at link selection but we are uncertain if that is the solution to our problem</P><P><EM><SPAN>Each interface is used by a different remote party:</SPAN><SPAN>The local Security Gateway has two IP addresses used for VPN. One interface is used for VPN with </SPAN><SPAN>a peer Security Gateway A and one interface for peer Security Gateway B.</SPAN><SPAN>To determine how peer Security Gateways discover the IP address of the local Security Gateway, </SPAN><SPAN>enable </SPAN><SPAN>one</SPAN><SPAN>-time probing</SPAN><SPAN> with </SPAN><SPAN>High Availability</SPAN><SPAN> redundancy mode. Since only one IP is available </SPAN><SPAN>for each peer Security Gateway, probing only has to take place one time.</SPAN></EM></P><P>Would this work for us? We want the test site-to-site to strictly use one IP to test the connection. From what I gather from the documentation link selection is more for high availability and less for strict traffic separation.</P><P>Any tips would be appreciated</P><P>Kind regards</P><P>D</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 11 Jun 2021 08:45:42 GMT Alias 2021-06-11T08:45:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-ISB-Migration-Question/m-p/120923#M17184 <P>Hey Mates,</P><P>&nbsp;</P><P>we are running 80.20 in our headquarter and use 1430 Appliances in our branch offices.</P><P>Currently we are facing perfomance issues and it seems the internet connection we use for the site-to-site vpns might be undersized.</P><P>We have 2 ISPs and so far we are using only one for the site-to-site. The second line is bigger and we would like to switch our site-to-sites to the bigger connection.</P><P>However, we would like to test it with our lab and we are currently lost on how to do this.</P><P>Our firewall cluster is in an Encryption Domain with "always use this addess" configuration to public IP adress of the weak line. We looked at link selection but we are uncertain if that is the solution to our problem</P><P><EM><SPAN>Each interface is used by a different remote party:</SPAN><SPAN>The local Security Gateway has two IP addresses used for VPN. One interface is used for VPN with </SPAN><SPAN>a peer Security Gateway A and one interface for peer Security Gateway B.</SPAN><SPAN>To determine how peer Security Gateways discover the IP address of the local Security Gateway, </SPAN><SPAN>enable </SPAN><SPAN>one</SPAN><SPAN>-time probing</SPAN><SPAN> with </SPAN><SPAN>High Availability</SPAN><SPAN> redundancy mode. Since only one IP is available </SPAN><SPAN>for each peer Security Gateway, probing only has to take place one time.</SPAN></EM></P><P>Would this work for us? We want the test site-to-site to strictly use one IP to test the connection. From what I gather from the documentation link selection is more for high availability and less for strict traffic separation.</P><P>Any tips would be appreciated</P><P>Kind regards</P><P>D</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 11 Jun 2021 08:45:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-ISB-Migration-Question/m-p/120923#M17184 Alias 2021-06-11T08:45:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-ISB-Migration-Question/m-p/121084#M17215 <P>Changing the Link Selection settings is the correct approach here.<BR />If you want the VPN to use the other ISP, you would specify that IP in the Link Selection settings either directly by IP or indirectly by using one of the other options (routing, etc).</P> Mon, 14 Jun 2021 03:34:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-ISB-Migration-Question/m-p/121084#M17215 PhoneBoy 2021-06-14T03:34:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-ISB-Migration-Question/m-p/121335#M17259 <P>Thank you, I will try</P> Wed, 16 Jun 2021 09:28:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Site-to-Site-ISB-Migration-Question/m-p/121335#M17259 Alias 2021-06-16T09:28:20Z