Multi Entry Point (MEP) with externally managed gateways as central gateways in star community
Scenario:
Please go through the attached diagram.
Existing tunnels: primary from FW A to FW C
Secondary from FW B to FW C
Presently using NAT IPs to connect through the secondary tunnel.
As the client segment size has increased to /16 and NAT cannot be done, and due to internal WAN conflicts, a new FW D is placed.
The requirement is to add a new FW D and build MEP to externally managed gateways FWs A and B, which have an existing tunnel to communicate with client FW C.
A and B are externally managed gateways. Is it possible to do this using MEP up to the hub location FWs A and B for failover, and after that take the existing tunnel from FW A and B? PFA diagram.
Please share some thoughts if anybody has done MEP.
Your diagram and your text contradict each other.
Your text above says GW A and B are externally managed.
Firewall C is listed as an interoperable device in your diagram, which also implies externally managed.
Which gateways are managed by you in this diagram?
Is your expectation for hosts behind Firewall D to also reach hosts behind Firewall C through the VPN with A and B?
Hi,
Thanks for the query.
FW A, B and D are managed by us. But unfortunately all 3 are in different managements, meaning 3 different managements. A and B are hub location firewalls and have existing tunnels with an interoperable device.
So the requirement is for auto-failover to happen in the tunnel towards A and B from FW D, and to reach FW C (managed outside the organization) without outage.
For firewall D gateway, FW A and B are externally managed gateways.
Hope this makes it clear.
Thanks,
Giridhar
Thanks, it makes it much clearer.
How is the VPN between A>C and B>C done today?
Is it done with route-based VPNs or are you using regular communities with fixed encryption domains?
Hello,
A to C and B to C are regular fixed community VPNs.
As MEP probing is done using port 259, does that port need to be enabled between gateways D and A, and also D and B?
I know MEP only works with Check Point VPN endpoints (which means it's not relevant for A>C or B>C).
What I don't know is whether or not it works with externally managed Check Point gateways.
In which case you may need to do this with route-based VPNs.
It works with externally managed Check Point gateways. Yes, route-based VPNs are the only option with other vendors for auto-failover.