https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-route-propagation-with-more-then-one-vSwitch/m-p/55392#M9795 A diagram might be helpful to visualize this.<BR />The route that propagates when you use "propagate route to adjacent Virtual Devices" is the wrp interface between the VS and the Switch.<BR />If you have two routes to the same destination using different paths, not sure how it decides which one to use.<BR />In any case, static routes seem like the best idea here. Mon, 10 Jun 2019 00:03:49 GMT PhoneBoy 2019-06-10T00:03:49Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-route-propagation-with-more-then-one-vSwitch/m-p/55193#M9794 <P>Hi all</P><P>I have a question to the feature "propagate route to adjacent Virtual Devices".</P><P>Lets assume we have three external vs: Inbound-vs, Outbound-vs and VPN-vs</P><P>This three VS are in a vSwitch sandwich, one vSwitch for the external subnet and one for internal transit LAN leading to internal VS with internal networks.</P><P>The question is now: How does Check Point decided through which of the two vSwitch traffic is routet from one DMZ to the other? (Random, vs-id, higher ip, ...)</P><P>In our setup the routes are propagated through the external vSwitch. This works as consequently for all interfaces the external vSwitch is chosen and no asynch routing occurs. From a security point of view and also architectural considerations, this is not the desired path. For example traffic is coming encrpyted over VPN to the VPN-vs and is sent clear text over the external interface to the DMZ of the Outbound-vs. Assuming the two vs are on another physical VSX host, the traffic is sent over a physical switch, which is exposed to the internet. Not so good.</P><P>Of course, we could disable the feature and manually route through the internal transit vSwitch. As of now, it looks like we have to go that way.</P><P>Is there a way to force check point to choose the internal vSwitch for the propagated routes?</P><P>Imho check point should never use an external interface to route traffic. The information, that these interfaces are external is given in the topology. That might be an RFE.</P><P>What do you think about the topic?</P> Thu, 06 Jun 2019 11:20:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-route-propagation-with-more-then-one-vSwitch/m-p/55193#M9794 Andreas 2019-06-06T11:20:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-route-propagation-with-more-then-one-vSwitch/m-p/55392#M9795 A diagram might be helpful to visualize this.<BR />The route that propagates when you use "propagate route to adjacent Virtual Devices" is the wrp interface between the VS and the Switch.<BR />If you have two routes to the same destination using different paths, not sure how it decides which one to use.<BR />In any case, static routes seem like the best idea here. Mon, 10 Jun 2019 00:03:49 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/VSX-route-propagation-with-more-then-one-vSwitch/m-p/55392#M9795 PhoneBoy 2019-06-10T00:03:49Z