Phianne_C133188
Explorer

Check Point ElasticXL integration with FortiGate firewall

Hi, I am new to Check Point and I am currently planning for the deployment of two Check Point Quantum Force 9700 Plus Security Gateways running R82 with ElasticXL.

The two Security Gateways will be connected, each by a single link, to a FortiGate 101F firewall. So like:

FG port 1 -> CPSG01 eth2

FG port 2 -> CPSG02 eth2

However I am having difficulties understanding how the interfaces are supposed to be configured.

Based on my understanding, combining the two FortiGate links into a Layer 3 LACP bond is not viable because the two CP links are considered separate (based on this post I read https://community.checkpoint.com/t5/Firewall-and-Security-Management/ElasticXL-Bond-Aggregate-Behavi...).

However, I'm not sure if I can configure the two FortiGate links as a redundant interface (active/backup) either because the SMO might choose the non-pivot member to forward traffic, which means both links on the FortiGate will need to be up. In that case, would ElasticXL detect the active interface automatically and forward traffic over it accordingly?

Would appreciate if anyone has insights into how I could go about configuring the interfaces.

Thanks!

simonemantovani
MVP Silver

Hello

On my side, it is not clear why you want to connect the two Check Point gateways directly to the FortiGate; you need to put a couple of L2 switches between the FortiGate and the Check Point gateways.

Martijn
MVP

Hi,

You are correct. CPSG01 ETH2 and CPSG02 ETH2 need to be connected to access ports on a switch. You cannot create a LACP bond across two appliances unless you are using Maestro.

An active/backup configuration for the links on the FortiGate will not work. Both Check Point appliances need to send and receive CCP packets on the interface so they can 'see' each other.

ClusterXL and ElasticXL require a layer 2 path between the appliances. So unless you can configure port 1 and port 2 on the FortiGate as a switch, you need a separate switch to connect both Check Point appliances to the FortiGate.

Martijn
