Re: P2P Config compatibility in Active/Standby Clu...

SriNarasimha005 · ‎2025-10-20

Hi Experts,

We're planning to replace a Cisco ASA firewall with the Checkpoint firewalls which has P2P link connected. The requirement is that Checkpoint firewalls in HA (Active/Standby) should be able to support the P2P link configuration.

Below is the overview of the architecture. Is this a correct design?

Vendor Firewall (Source) -> P2P link -> Cisco Switches -> Checkpoint firewalls -> Application (Destination)

With regards to the ISP redundancy, I'm unable to find any in R81.X and the last one is related to R80.40 (ISP Redundancy on a Cluster)

1. I believe P2P link configuration is similar to the ISP redundancy. Is my understanding correct?

2. If yes, can you please let me know if the newer versions supports ISP Redundancy on a Cluster?

3. As described in the R80.40 documentation, I don't have any default route towards Internet to monitor the next hop IP. Rather, specific traffic is being allowed towards the core network from the vendor side with the return route. Is it a correct config/design to support ISP redundancy?

Thank you.

PhoneBoy · ‎2025-10-20

We don't support configuring PPPoE with ClusterXL: https://support.checkpoint.com/results/sk/sk101747
Also, ISP Redundancy usually involves multiple Internet connections with a default route.

SriNarasimha005 · ‎2025-10-20

Hi @PhoneBoy

Thanks for the information. Does it support on a checkpoint over a standalone firewall?

Please note that the links are getting connected to the switch as highlighted.

Thank you.

the_rock · ‎2025-10-20

Personally, I would get an official confirmation from your local SE and TAC.

Best,
Andy
"Have a great day and if its not, change it"

Chris_Atkinson · ‎2025-10-20

Do you mean P2P in the context of OSPF configuration or something else?

CCSM R77/R80/ELITE

SriNarasimha005 · ‎2025-10-20

@Chris_Atkinson wrote:
Do you mean P2P in the context of OSPF configuration or something else?

This is P2P link and not related to OSPF

the_rock · ‎2025-10-20

As Phoneboy said, its PPPOE?

Best,
Andy
"Have a great day and if its not, change it"

SriNarasimha005 · ‎2025-10-21

Hi @the_rock @PhoneBoy

Sorry for the confusion. P2P it's a wider term which has been used and it's not a PPPoE. It's a MPLS/Metro-E private link with RJ-45 ports, UTP cables being used.

With the attached design, I believe it'll automatically provide redundancy in the scenarios if any of the link/switch/firewall goes down. I'm happy to be corrected 😊

the_rock · ‎2025-10-21

Ah, point 2 point you mean 🙂

Best,
Andy
"Have a great day and if its not, change it"

emmap · ‎2025-10-21

I think the short answer would be that we would recommend an alternate HA solution here, but would need a more complete understanding of the setup to fully settle on how to do it. Probably best to chat to your local sales office about options here.

PhoneBoy · ‎2025-10-21

Why wouldn't you just configure static routes for the relevant network(s) on both gateways in this case?
This would need to be done anyway to ensure that traffic doesn't get lost when a failover occurs on the cluster.

the_rock · ‎2025-10-21

Makes total sense.

Best,
Andy
"Have a great day and if its not, change it"

Are you a member of CheckMates?

P2P Config compatibility in Active/Standby Cluster