topic Re: P2P VPN Star Community - Link Selection Mode in Firewall and Security Management

P2P VPN Star Community - Link Selection Mode

Perry_McGrew — Mon, 16 Jun 2025 17:33:31 GMT

All our CP devices are R82 JHF 19. We have 7 CP 3200's deployed, each as a Star Community that are P2P VPN to our corporate Data Center 5800 HA Cluster.

I have been reading up on how to set these 3200's up as MEP to be able to failover to our Service Provider's DRaaS site where they use a Fortigate Firewall. A whole other headache!

We have been using CP for close to 20 years. Just doing upgrades and appliance replacements as they reach EoL. So I am looking at these VPN Star Communities settings and see the choice in Link Selection Mode. Of course, all our CP3200's are set to Legacy vs Enhanced (Recommended) - where the "i bubble" states for better interoperability, redundancy, and granularity.

So I am looking to make this eventual MEP configuration easy as possible and wondering if the Link Selection Mode needs to be changed or just should be regardless.

Can I just change the CP3200 Link Selection setting to Enhanced and install policy or are there other settings that I should be aware of. I don't have a test CP3200 I can try and have not found any SK's on details with Link Selection Mode.

Re: P2P VPN Star Community - Link Selection Mode

the_rock — Mon, 16 Jun 2025 18:02:32 GMT

Hi Perry,

That enhanced setting does exactly what it says, what you described. As far as MEP, thats more less the same as in previous versions. Personally, I would change the mode to enhanced and then enable MEP as required.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VPNSG/MEP.htm

Re: P2P VPN Star Community - Link Selection Mode

Perry_McGrew — Tue, 17 Jun 2025 11:09:28 GMT

Andy,

Thanks for the reply. First we are R82 and I have read the R82 VPN Admin Guide. There is only 1 external, internet facing connection on these CP3200s. So I am trying to understand if there is any benefit to change from Legacy to Enhanced. I am always wary about changing a setting like this and not "seeing" what other settings need to change.

As for MEP, pretty sure I will need Implicit MEP that I specify the Priority - our corporate 5800 HA would be "Primary" and the D/R site's Fortigate (interoperable device) would be "Backup". The docs become confusing when discussing defining the VPN domain. In D/R situation, our servers and Internet would be up at the D/R site. On pg 203, Config Implicit MEP, it implies the backup Gateway is a CP device...

Re: P2P VPN Star Community - Link Selection Mode

the_rock — Tue, 17 Jun 2025 11:39:09 GMT

Is there any benefit? I would say better communication and less possibility of failures with clould and 3rd party vendors. As far as MEP, implicit is used if vpn domains are overlapping.

Andy

Re: P2P VPN Star Community - Link Selection Mode

PhoneBoy — Tue, 17 Jun 2025 17:55:00 GMT

The Enhanced Link Selection allows for scenarios that are difficult to achieve with the Legacy options.
You have to explicitly configure it, though: https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/Topics-VPNSG/Link-Selection-Enhanced.htm

Re: P2P VPN Star Community - Link Selection Mode

Perry_McGrew — Wed, 18 Jun 2025 10:31:06 GMT

I posed the question to TAC and they responded with what I figured the answer after reading the R82 VPN Admin Guide.

"If your gateway has only a single interface connected to the Internet, Enhanced Link Selection does not provide any significant benefit. "

So its back to unraveling how to set up Implicit MEP with a 3rd party Firewall as the Backup P2P VPN site. .

Re: P2P VPN Star Community - Link Selection Mode

the_rock — Wed, 18 Jun 2025 10:56:23 GMT

I agree with TAC, thats definitely true. I could be mistaken when I say this, but in my mind, MEP config should work regardless of how many external links are present.

Andy