This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Micha
Participant
‎2025-01-27 12:28 AM

Routing in Firewall with DirectConnect AWS and IPVPN connections

Hi,

Maybe someone can point me in the direction of a solution.
A customer has two main sites connected to AWS with Direct Connect.
Routing to AWS is via BGP. (i.e. all the user subnets in the main sites and in the remote sites will access AWS through one of the main sites, with priority given to Site A.)

How can I configure the Checkpoint firewall routing, so that when a Direct Connect connection goes down, users at site A, will access AWS via Site B? The same would apply for remote sites who also will need to go through Site A or Site B to reach AWS.

Since I have no way to configure anything within the IPVPN cloud, we thought to create S2S VPNs. Site A would try to route via DirectConnect, but if it is down, then it will route packets to AWS via S2S VPN to Site B whose DirectConnect connection is still up. And vice versa.

I am not sure how it would work for the remote sites. We could create a S2S VPN to Site A and Site B, but the remote site would need know how to route a packet towards AWS based on priority (Site A has higher priority) and on Site A Direct Connect being up. I am not sure how that would work. Maybe I would need to use some routing protocol over the S2S VPN (or IPVPN) between Site A firewall and Remote Site Firewall to let the remote site know if it is possible to reach AWS through it.

If anyone has any tips for such a solution I would appreciate it.  

Preview file
481 KB
0 Kudos
3 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-01-27 02:04 AM

Can you move this to Cloud network security, @PhoneBoy ?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin
‎2025-01-27 03:28 PM
In response to G_W_Albrecht

Done

0 Kudos
Nir_Shamir
Employee Employee
Employee
‎2025-01-27 09:18 PM

You already mentioned you are connected to AWS via DirectConnect lines using BGP.

Why can't you configure the your on-premise hardware that already uses BGP to route traffic to the 2nd site if the 2st one fails using BGP ?

That's what usually is done (if it's a router of another Firewall). 

Usually the Firewalls in the cloud are not being used to do this kind of routing decision, unless you are connecting directly to them via VPN + BGP, and even then the decision is made on the on-premise devices.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events