Hello CheckMates,
I am working on a Check Point VSX Cluster R81.20 design and I need confirmation about the correct way to configure dual ISP / multi-WAN when the Internet edge is built with a Virtual Router.
Current topology
I have one VSX Cluster with two physical members:
CP1
CP2
I have two ISP routers:
CSR1 - ISP1
CSR2 - ISP2
The cabling is:
CSR1 ISP1 link 1 -> CP1 eth2
CSR1 ISP1 link 2 -> CP2 eth2
CSR2 ISP2 link 1 -> CP1 eth5
CSR2 ISP2 link 2 -> CP2 eth5
The VSX design uses a Virtual Router as the Internet/interconnect point, and the Virtual Systems are connected to this VR with warp links.
What I tried
In the VSX Cluster object properties, I expected to find:
Other > ISP Redundancy
but this option does not appear.
I understand that classic ISP Redundancy appears on regular Security Gateway / Security Group objects, but not on my VSX Cluster object.
Then I tried to add a second default route in:
VSX Cluster / Virtual Router > Topology > Add Default Route
but the GUI only gives me one place to enter a default gateway. I currently have one default route like:
0.0.0.0/0 -> 10.215.215.4
When I try to add another default route for the second ISP, SmartConsole does not give me a second default gateway field.
Questions
In a traditional VSX Cluster with a Virtual Router, is it expected that Other > ISP Redundancy is not available?
What is the correct supported design for dual ISP in this case?
Should I configure:
one Virtual Router with eth2 and eth5,
one default route,
and then use Advanced Routing / Source-Based Routing for traffic that must exit through the second ISP?
Or should I create two Virtual Routers, for example:
VR-ISP1
  eth2
  default route -> ISP1 CSR
VR-ISP2
  eth5
  default route -> ISP2 CSR
and then connect the relevant Virtual Systems to the appropriate VR?
If I need automatic failover between ISP1 and ISP2 in VSX, what is the recommended method?
Static routes with different priorities?
Dynamic routing with the ISP routers?
Source-Based Routing?
Another supported VSX method?
Important detail
Each ISP is connected directly to both cluster members:
ISP1: CP1 eth2 + CP2 eth2
ISP2: CP1 eth5 + CP2 eth5
Any guidance, best practices, or supported configuration examples for multi-ISP on VSX Cluster with Virtual Router would be appreciated.
Thank you.