topic Re: How to deliver Redundancy for VPN Site2Site on VSX within Maestro? in Hyperscale Firewall (Maestro)

How to deliver Redundancy for VPN Site2Site on VSX within Maestro?

sonofgod031 — Tue, 29 Mar 2022 02:35:13 GMT

Is it possible to deliver VPN Site2Site with redundancy in VSX deployment using Maestro?

Old Firewall (CP 4800) used to connect Site2Site VPN to 3rd Party (CP 2200) with ISP Redundancy (2 ISP's), so that VPN Site2Site have redundancy (automatically failover if 1 ISP is down).

CP 4800 will be replaced with Maestro with VSX deployment, sk79700 says VSX doesn’t support ISP Redundancy.
I saw a thread that says the alternative way to give Redundancy in VPN Site2Site is using PBR Multi Hop and it’s available from R80.30 onwards.
Since Maestro OS is R80.20 SP, I haven’t found SK that declares R80.20SP Supports PBR Multihop, I only found that PBR can be setup in VSX Maestro sk137232.

or is there another alternative solution to give Redundancy on VPN Site2Site using VSX?

sk79700 (VSX doesn't support ISP Redundancy):
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk79700

Alternative Solution:
https://community.checkpoint.com/t5/General-Topics/PBR-With-Multiple-Tracking/td-p/14462

sk137232 (How to setup PBR in VSX on High Scalable Device)
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk137232

#VSX #Maestro #VPN

Re: How to deliver Redundancy for VPN Site2Site on VSX within Maestro?

_Val_ — Tue, 29 Mar 2022 06:54:58 GMT

Could you please specify what exactly you need, IPS redundancy, S2S VPN redundancy, or both?

Re: How to deliver Redundancy for VPN Site2Site on VSX within Maestro?

Chris_Atkinson — Tue, 29 Mar 2022 07:26:58 GMT

Given the sunset approaches for R80.20SP please consider adopting R81.10 that has route-based VPN support for VSX.

Re: How to deliver Redundancy for VPN Site2Site on VSX within Maestro?

sonofgod031 — Tue, 29 Mar 2022 18:26:42 GMT

I need VPN Site2Site to have automatic failover function (on Maestro with VSX deploymnet), so if the tunnel that goes through ISP1 is down, VPN will automatically failover to ISP2, so downtime can be minimized.

Re: How to deliver Redundancy for VPN Site2Site on VSX within Maestro?

sonofgod031 — Tue, 29 Mar 2022 18:30:01 GMT

When is R81.10 will be available for Maestro?

Customer is already using R80.20SP and the Maestro has been implemented in their environment 😅

If this is the only solution, then i can tell them to wait until R81.10 for Maestro to be released.

Re: How to deliver Redundancy for VPN Site2Site on VSX within Maestro?

_Val_ — Tue, 29 Mar 2022 19:42:28 GMT

According to this diagram, you do need your GW to support ISP redundancy. Now, why Maestro + VSX, if you are coming from 2200 appliance?

Re: How to deliver Redundancy for VPN Site2Site on VSX within Maestro?

Chris_Atkinson — Wed, 30 Mar 2022 10:50:51 GMT

It already is available, refer sk173363

Re: How to deliver Redundancy for VPN Site2Site on VSX within Maestro?

sonofgod031 — Mon, 04 Apr 2022 10:58:39 GMT

Customer were running out of budget but was eager to buy Maestro for it's hyperscaling capability, so they wanted firewalls to be deployed as VS, and we forgot if they need ISP Redundancy or VTI/Route-based VPN to give VPN Site2Site redundancy (which is not supported in VSX). CP 2200 is the 3rd Party connected to the customer, it was deployed with VTI tunneling.