We're in the process of migrating from a traditional DC network to ACI, with a ClusterXL HA pair of CheckPoint SGs as the gateway. The SGs are currently on R77, but we're also about to upgrade to R80.
We're about to move all gateways to the Cisco ACI (leaving only one logical sub-interface connecting the ACI leaves to the SG, as a requirement of PBR). On the SG there's going to be only one default route out.
As traffic is going to be entering and exiting on the same sub-interface, I just want to ask whether CheckPoint supports this "one-armed" topology. As far as I know, CheckPoint has an Anti-Spoofing feature - how does it affect the networks behind the sub-interface, as they will no longer be directly connected to the CheckPoint SG?
Also, will changing interfaces affect the existing security rules? I know that Palo Alto is OK with this and Cisco ASA doesn't like it so much, but how does the CheckPoint SG handle the firewall rules in response to a topology change?
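The anti-spoofing question above comes down to what the gateway believes is "behind" the single sub-interface. The following is an added illustration of the generic interface-topology anti-spoofing mechanism (a source address arriving on an internal interface must fall inside that interface's defined networks; on an external interface it must not belong to any internal interface's networks), written for this post and not Check Point's own code or configuration. Interface names, addresses and the three topology modes (defined by interface IP/mask, a specific list of networks, external) are assumptions for the example; check the behaviour against your own version's topology settings before relying on it.

```python
"""Illustration of how an interface-topology anti-spoofing check behaves on a
one-armed firewall interface. Added example modelling the generic mechanism,
not Check Point's implementation. All addresses and names are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Interface:
    name: str
    address: str                       # interface IP with prefix, e.g. "10.0.0.1/24"
    external: bool = False             # external: accept any source not owned by an internal interface
    specific: List[str] = field(default_factory=list)  # internal: explicit networks behind this interface

    def internal_networks(self):
        """Networks this interface claims as 'behind' it (none for an external interface)."""
        if self.external:
            return []
        if self.specific:
            return [ipaddress.ip_network(n) for n in self.specific]
        # Default topology: only the directly connected subnet is a legitimate source.
        return [ipaddress.ip_interface(self.address).network]


def anti_spoof_verdict(ingress: Interface, all_ifaces: List[Interface], src: str) -> str:
    """'accept' or 'drop' for a packet with source src entering on ingress."""
    src_ip = ipaddress.ip_address(src)
    if ingress.external:
        # External interface: drop only sources that belong behind some internal interface.
        claimed = [n for i in all_ifaces if not i.external for n in i.internal_networks()]
        return "drop" if any(src_ip in n for n in claimed) else "accept"
    # Internal interface: the source must be inside this interface's own topology.
    return "accept" if any(src_ip in n for n in ingress.internal_networks()) else "drop"


def evaluate(ingress: Interface, all_ifaces: List[Interface], sources: List[str]) -> Dict[str, str]:
    return {s: anti_spoof_verdict(ingress, all_ifaces, s) for s in sources}


# Constructed scenario: eth1.100 is the only sub-interface, facing the ACI leaves.
# 10.10.0.0/16 and 10.20.0.0/16 are server networks that used to be directly
# connected and are now reached through the ACI over the single default route.
# 203.0.113.9 stands in for an Internet client whose traffic also arrives on the arm.
SOURCES = ["10.0.0.50", "10.10.5.7", "10.20.3.3", "203.0.113.9"]

# 1) Topology left as "defined by interface IP/mask": only 10.0.0.0/24 is accepted,
#    so the server networks behind the ACI are dropped as spoofed.
default_arm = [Interface("eth1.100", "10.0.0.1/24")]
# 2) "Specific" topology enumerating the networks behind the arm: servers pass,
#    but Internet sources entering on the same arm are now dropped as spoofed.
specific_arm = [Interface("eth1.100", "10.0.0.1/24",
                          specific=["10.0.0.0/24", "10.10.0.0/16", "10.20.0.0/16"])]
# 3) Arm marked external: with no internal interface left, nothing is ever dropped,
#    i.e. the anti-spoofing check no longer contributes anything.
external_arm = [Interface("eth1.100", "10.0.0.1/24", external=True)]


def run_all() -> Dict[str, Dict[str, str]]:
    return {
        "default": evaluate(default_arm[0], default_arm, SOURCES),
        "specific": evaluate(specific_arm[0], specific_arm, SOURCES),
        "external": evaluate(external_arm[0], external_arm, SOURCES),
    }


if __name__ == "__main__":
    for mode, verdicts in run_all().items():
        print(mode, verdicts)
```

The three runs show the practical trade-off of a one-armed design: once every network is reached through the same sub-interface, the per-interface topology no longer says where a given source may legitimately come from, so you either enumerate every network behind the arm (and accept that anything outside that list entering on the arm, Internet return traffic included, is treated as spoofed) or relax the check on that interface and lose most of its value.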