https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207952#M39400 <P>Keep in mind, its NOT supported to use same interoperable object in more than 1 vpn community. As a a matter of fact, if you do that, policy install will fail, 100%. The only way it would work is if you clone existing int. object, give it another name, but then there is no way to differ which community will take presedence and probably only 1 tunnel may show as up, you would not even see the other ones.</P> <P>Best,</P> <P>Andy</P> Wed, 06 Mar 2024 12:09:16 GMT the_rock 2024-03-06T12:09:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207898#M39386 <P>Hi,</P><P>&nbsp;</P><P>I need your help. I have this scenarious:</P><P>Site1: Managment server with cluster( 2x gateways, and 2 ISP ( A.A.A.A + B.B.B.B)&nbsp;</P><P>Site2: Managment server with cluster( 2x gateways, and 2 ISP ( C.C.C.C + D.D.D.D)&nbsp;</P><P>My questions is: When i make site-to-site VPN with site 1 and 2, i need garanted redundancy of ISP. What is a best pratices for this scenarious?</P><P>Thanks</P> Tue, 05 Mar 2024 20:19:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207898#M39386 paulocosta 2024-03-05T20:19:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207901#M39387 <P>Please <A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ClusterXL_AdminGuide/Topics-CXLG/ISP-Redundancy-and-VPN.htm" target="_self">read the documentation</A>, I believe it covers what you need. If not, let me know.</P> Tue, 05 Mar 2024 22:14:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207901#M39387 _Val_ 2024-03-05T22:14:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207911#M39391 <P>See...key here is that even with ISPR configured, other side needs to be aware of say site's 1 both links (same the other way around) and since its NOT supported to have same interoperable object, or in your case externally managed gateways (as its CP) in the same community, personally, I would approach TAC with an official answer as far as best approach.</P> <P>Maybe simple network diagram may also help us,</P> <P>Best,</P> <P>Andy</P> Wed, 06 Mar 2024 00:12:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207911#M39391 the_rock 2024-03-06T00:12:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207933#M39395 <P>Hi _Val_</P><P>Thanks for your reply.&nbsp;</P><P>Yes, already read this documentation. Maybe my first post not is a very complete.&nbsp;</P><P>When i create a site-to-site vpn i need create interoperable device (one for a ISP) and put it all in VPN Communitie, because i have two managments servers</P><P>Thanks</P><P>&nbsp;</P> Wed, 06 Mar 2024 09:16:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207933#M39395 paulocosta 2024-03-06T09:16:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207952#M39400 <P>Keep in mind, its NOT supported to use same interoperable object in more than 1 vpn community. As a a matter of fact, if you do that, policy install will fail, 100%. The only way it would work is if you clone existing int. object, give it another name, but then there is no way to differ which community will take presedence and probably only 1 tunnel may show as up, you would not even see the other ones.</P> <P>Best,</P> <P>Andy</P> Wed, 06 Mar 2024 12:09:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207952#M39400 the_rock 2024-03-06T12:09:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207997#M39408 <P>Why Interoperable? Do Externally Managed GWs. What's the issue, then?&nbsp;</P> Wed, 06 Mar 2024 17:27:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207997#M39408 _Val_ 2024-03-06T17:27:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207999#M39409 <P>Hi,</P><P>This is scenarios:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ISP_Redundancy.png" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/24761i9D1B8D8EAC146646/image-size/medium?v=v2&amp;px=400" role="button" title="ISP_Redundancy.png" alt="ISP_Redundancy.png" /></span></P><P>I need to create a site-to-site VPN to connect sites 1 and 2. One requirement is: if ISP A.A.A.A has a problem, I need ISP B.B.B.B to maintain a VPN connection.</P><P>My question is: When I create a VPN community for connecting site 1 to site 2, as this site has a different management server, how can I tell the Sattelite Gateways that I have 2 possible ISP connections? I need to create 2 written interoperable devices right?</P><P>How do you suggest?</P> Wed, 06 Mar 2024 17:53:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-Redundancy-and-VPN-site-to-site/m-p/207999#M39409 paulocosta 2024-03-06T17:53:13Z