JaySon_2021
Contributor

VPN Redundancy without using Dynamic Routing

We have 3 sites. All of them use Check Point firewalls (R82.10). We want to have full redundancy between all sites.

Examples:

- If VPN-A goes down, we want Site1 to go to Site2 to get to Site3, and the reverse (Site3 --> Site2 --> Site1)

- If VPN-B goes down, we want Site1 to go to Site3 to get to Site2, and the reverse

Etc.

We want to accomplish this without using Dynamic Routing (OSPF, BGP) as these are not large sites and we want to simplify supporting it.

Is this possible without using Dynamic Routing? Can it be done using Domain Based VPNs?

[Attached image: VPN Redundancy.png]

0 Kudos
5 Replies
simonemantovani

In my opinion, a dynamic routing protocol will simplify your infrastructure by making everything more automatic.

If you don't want to use route-based VPN, but you want to use domain-based VPN, you need to manually manage the encryption domains, adapting them when a failure occurs (you can't have the same network in the encryption domains of all the firewalls in the VPN community).

I understand what you write, but dynamic routing (BGP) and route-based VPN is the best configuration you can implement.

0 Kudos
JaySon_2021
Contributor

Thanks Simonemantovani

What if I just wanted the following 2 scenarios solved:

- If VPN-A goes down, we want Site1 to go to Site2 to get to Site3, and the reverse (Site3 --> Site2 --> Site1)

- If VPN-C goes down, we want Site2 to go to Site1 to get to Site3, and the reverse

If VPN-B goes down between Site1 and Site2, so be it - we wait for it to come back up. As long as Site1 can still get to Site3 (not routing through it to Site2), and Site2 can still get to Site3 (not routing through it to Site1)

Would this be possible, without Dynamic Routing, and not require manual intervention?


0 Kudos
simonemantovani

Without dynamic routing you need manual intervention to adapt the encryption domains to avoid overlapping encryption domains.

0 Kudos
Bryan-Smith
Employee

@JaySon_2021, If Site1 loses its direct VPN to Site3, traffic can either stop immediately or automatically reroute via Site2. The behavior depends entirely on whether backup static routes are configured. No dynamic routing is required, but bidirectional route design is critical. 

Backup routing in a Check Point Route Based mesh VPN is achieved by pre‑staging higher‑metric static routes over alternate VTIs and relying on tunnel monitoring to withdraw primary routes during failure. 

Check Point's route-based VPN with numbered VTIs makes this feasible because you treat the tunnels like interfaces for static routing. 

As was stated by @simonemantovani this will not work with domain-based VPNs & I would not do this past three sites. Managing all of the static routes in each direction is prone to mistakes. 

0 Kudos
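A way to check the "bidirectional route design" point above before touching a gateway, as an added example that is not from this thread or from Check Point: a small Python model of the three sites with static routes over VTIs ranked by priority, where a route is usable only while its tunnel is up (standing in for tunnel monitoring withdrawing routes over a failed permanent tunnel). Site and tunnel names (VPN-A/B/C) follow the original post; the prefixes, the priority numbers and the Gaia command form quoted in the comments are my assumptions, so verify the clish syntax against your Gaia version.

```python
"""Static-route failover over VTIs in a three-site route-based mesh (added model, not thread code).

A route is usable only while its tunnel is up; a site forwards on its lowest-priority
usable route, and a transit site then forwards on its own table.
"""

# Tunnel endpoints as given in the post: VPN-A = Site1<->Site3, VPN-B = Site1<->Site2, VPN-C = Site2<->Site3
TUNNELS = {"VPN-A": ("Site1", "Site3"), "VPN-B": ("Site1", "Site2"), "VPN-C": ("Site2", "Site3")}
# Constructed site prefixes (assumption)
PREFIX = {"Site1": "10.1.0.0/16", "Site2": "10.2.0.0/16", "Site3": "10.3.0.0/16"}


def peer_over(site, tunnel):
    """The site at the far end of `tunnel` as seen from `site`."""
    a, b = TUNNELS[tunnel]
    return b if site == a else a


def full_mesh_routes():
    """Symmetric design: every site carries, for each remote prefix, the direct VTI at
    priority 1 and the other VTI at priority 2.  Each (prefix, tunnel, priority) row
    stands for one Gaia static route, e.g.
        set static-route 10.3.0.0/16 nexthop gateway logical vpnt1 priority 1 on
    (syntax as I recall it from the Gaia admin guide; an assumption, verify on your version)."""
    routes = {}
    for site in PREFIX:
        my_tunnels = [t for t, ends in TUNNELS.items() if site in ends]
        table = []
        for dest in PREFIX:
            if dest == site:
                continue
            for t in my_tunnels:
                prio = 1 if peer_over(site, t) == dest else 2
                table.append((PREFIX[dest], t, prio))
        routes[site] = sorted(table, key=lambda r: r[2])  # lowest priority value first
    return routes


def without_backups(routes, site):
    """Copy of `routes` where `site` keeps only its priority-1 (direct) routes:
    the 'forgot the return path' mistake."""
    pruned = dict(routes)
    pruned[site] = [r for r in routes[site] if r[2] == 1]
    return pruned


def next_hop(routes, site, dest_prefix, down):
    """Best usable next hop for `dest_prefix` at `site`; None if every route's tunnel is down."""
    for prefix, tunnel, _prio in routes[site]:
        if prefix == dest_prefix and tunnel not in down:
            return peer_over(site, tunnel)
    return None


def trace(routes, src, dst, down=frozenset()):
    """Hop-by-hop path from src to dst as a list of sites, or None if traffic is dropped
    (no usable route) or loops (a site would be visited twice)."""
    path = [src]
    cur = src
    while cur != dst:
        nh = next_hop(routes, cur, PREFIX[dst], down)
        if nh is None or nh in path:
            return None
        path.append(nh)
        cur = nh
    return path


def bidirectional(routes, a, b, down=frozenset()):
    """True only if both a->b and b->a have a usable path; a one-way path is a broken session."""
    return trace(routes, a, b, down) is not None and trace(routes, b, a, down) is not None


def single_failure_report(routes):
    """For each single tunnel failure, whether every site pair still talks both ways."""
    return {t: all(bidirectional(routes, a, b, {t}) for a in PREFIX for b in PREFIX if a < b)
            for t in TUNNELS}


if __name__ == "__main__":
    full = full_mesh_routes()
    print("symmetric tables, single failures:", single_failure_report(full))
    print("VPN-A down, Site1->Site3:", trace(full, "Site1", "Site3", {"VPN-A"}))
    print("VPN-A down, Site3->Site1:", trace(full, "Site3", "Site1", {"VPN-A"}))
    one_sided = without_backups(full, "Site3")
    print("Site3 without backups, VPN-A down:", single_failure_report(one_sided))
    print("  forward:", trace(one_sided, "Site1", "Site3", {"VPN-A"}),
          " return:", trace(one_sided, "Site3", "Site1", {"VPN-A"}))
    print("double failure A+C, Site1->Site3:", trace(full, "Site1", "Site3", {"VPN-A", "VPN-C"}))
```

With the symmetric tables every single tunnel failure keeps all three pairs reachable in both directions, and Site1 still reaches Site3 directly when only VPN-B is down, as the second post asks. Remove the backup routes from just one site and the forward path still works while the return path is dropped, which is the asymmetry the reply warns about. The model also shows that two simultaneous failures make the priority-2 routes point at each other, so that traffic loops until TTL expiry; that is a property of static backup routes in general, not a claim from the thread.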
JaySon_2021
Contributor

Thanks @Bryan-Smith . Would this be done in a single mesh VPN? Or would each site have a separate Mesh VPN? 

0 Kudos
