Multi Entry Point (MEP) with externally managed gateways as central gateways in a star community
Scenario:
Please go through the attached diagram.
Existing tunnels: primary from FW A to FW C,
secondary from FW B to FW C.
Presently using NAT IPs to connect through the secondary tunnel.
As the client segment size has increased to /16, NAT cannot be done, and due to internal WAN conflicts a new FW D is placed.
The requirement is to add a new FW D and build MEP to the externally managed gateways FW A and FW B, which have an existing tunnel to communicate with the client FW C.
A and B are externally managed gateways. Is it possible to do this using MEP to the hub-location FWs A and B for failover, and after that take the existing tunnel from FW A and B? PFA diagram.
Please share some thoughts if anybody has done MEP.
Your diagram and your text contradict each other.
Your text above says GW A and B are externally managed
Firewall C is listed as an interoperable device in your diagram, which also implies externally managed.
Which gateways are managed by you in this diagram?
Is your expectation for hosts behind Firewall D to also reach hosts behind Firewall C through the VPN with A and B?
Hi,
Thanks for the query.
FW A, B and D are managed by us, but unfortunately all 3 are under different managements. A and B are hub-location firewalls and have existing tunnels with an interoperable device.
So the requirement is auto-failover of the tunnel from FW D towards A and B, reaching FW C (managed outside the organization) without an outage.
For the firewall D gateway, FW A and B are externally managed gateways.
Hope this makes it clear.
Thanks,
Giridhar
Thanks, it makes it much clearer.
How is the VPN between A>C and B>C done today?
Is it done with route-based VPNs or are you using regular communities with fixed encryption domains?
Hello,
A to C and B to C are regular fixed-community VPNs.
As MEP probing is done using port 259, does that port need to be enabled between gateways D and A, and also D and B?
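The probe question in the post above, as an added example that is not the poster's configuration or Check Point's own tooling: a small first-match rule checker that reports, for each MEP entry point, whether the probe on the port the thread names (UDP 259) from FW D would be accepted. The gateway addresses and the rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    proto: str           # "udp", "tcp" or "any"
    port: Optional[int]  # destination port, None = any port
    action: str          # "accept" or "drop"


def _ip_in(field: str, ip: str) -> bool:
    """Match an address against a rule field ("any" matches everything)."""
    return field == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(field, strict=False)


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    return (_ip_in(rule.src, src_ip) and _ip_in(rule.dst, dst_ip)
            and rule.proto in ("any", proto)
            and rule.port in (None, port))


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """First-match semantics with an implicit cleanup rule that drops."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, proto, port):
            return rule.action
    return "drop"


def mep_probe_report(rules: List[Rule], spoke_ip: str, hubs: Dict[str, str],
                     probe_port: int = 259) -> Dict[str, bool]:
    """True for each hub whose probe (UDP/259 per the thread) from the spoke is accepted."""
    return {name: first_match(rules, spoke_ip, ip, "udp", probe_port) == "accept"
            for name, ip in hubs.items()}


# Constructed sample topology: hubs A and B, spoke D (addresses are assumptions)
HUBS = {"FW_A": "198.51.100.1", "FW_B": "198.51.100.2"}
SPOKE_D = "203.0.113.10"
SAMPLE_RULES = [
    Rule("203.0.113.0/24", "198.51.100.1/32", "udp", 259, "accept"),  # probe to A allowed
    Rule("203.0.113.0/24", "198.51.100.0/24", "udp", 500, "accept"),  # IKE only; probe to B missing
    Rule("any", "any", "any", None, "drop"),                          # explicit cleanup
]

if __name__ == "__main__":
    for hub, ok in mep_probe_report(SAMPLE_RULES, SPOKE_D, HUBS).items():
        print(f"{hub}: probe {'accepted' if ok else 'blocked'}")
```

A hub whose probe is blocked is never selected by MEP, so a missing rule for one entry point silently removes the failover path.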
I know MEP only works with Check Point VPN endpoints (which means it's not relevant for A>C or B>C).
What I don't know is whether or not it works with externally managed Check Point gateways.
In which case you may need to do this with route-based VPNs.
It works with externally managed Check Point gateways. Yes, route-based VPNs are the only option with other vendors for auto-failover.