Hi, I am trying to achieve VPN redundancy using the route-based VPN method. Attached are the steps I followed to achieve it. It would be helpful if someone from Check Point could verify the configuration and let me know whether the steps are recommended or not. If not, what needs to be changed?
Usually it's a dynamic routing protocol that's used for redundancy in this case.
Never seen it done with IP Monitoring...not even sure it works.
Have you tested in the lab?
Yes, I have tested it in the lab. Failover happens once the link monitor fails, and traffic switches over to the secondary VPN within a few seconds.
The link monitor concept is generally used with other vendors for VPN redundancy between an on-premise firewall and AWS/Azure using static routing. I just tested it on Check Point and it's working.
I would like to know:
Is VPN redundancy on Check Point achievable only by keeping "Empty Group" on the VPN domain, whether it's dynamic routing or static routing with link monitor?
OR
Is VPN redundancy on Check Point also achievable by keeping "Specific Network" on the VPN domain without using MEP?
Because my customer needs VPN redundancy, but they are concerned about using "Empty Group" on the VPN domain.
To use Route-Based VPNs, you typically use an empty encryption domain.
If you have to mix the two on the same gateway, be mindful of the following restrictions: https://support.checkpoint.com/results/sk/sk109340
As to whether your route monitoring will work with a Domain-Based VPN...can't say.
I went through the article and understood that if the same encryption domain is used for both route-based and domain-based VPN, the domain-based VPN will take precedence and traffic is always routed via the domain-based VPN.
I also understood that it's suggested to use an empty encryption domain for route-based VPN.
My customer wanted to know: what will be the behavior/impact if the same encryption domain (specific IP/network) is used for two route-based VPNs?
(10.0.0.1) Gateway-1 >>> Route based VPN >>> Gateway-2 (20.0.0.1) VPN community-1
(10.0.0.1) Gateway-1 >>> Route based VPN >>> Gateway-4 (20.0.0.1) VPN community-1
The remote encryption domain should also be defined as empty.
Then this configuration should work (subject to your routing configuration).
Otherwise, I think SmartConsole may throw an error related to overlapping encryption domains.
Got it.. Thanks..