This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
SriNarasimha005
Collaborator
‎2025-10-20 10:12 AM

P2P Config compatibility in Active/Standby Cluster

Hi Experts,

We're planning to replace a Cisco ASA firewall with the Checkpoint firewalls which has P2P link connected. The requirement is that Checkpoint firewalls in HA (Active/Standby) should be able to support the P2P link configuration.

Below is the overview of the architecture. Is this a correct design?

Vendor Firewall (Source) -> P2P link -> Cisco Switches -> Checkpoint firewalls -> Application (Destination)

With regards to the ISP redundancy, I'm unable to find any in R81.X and the last one is related to R80.40 (ISP Redundancy on a Cluster)

1. I believe P2P link configuration is similar to the ISP redundancy. Is my understanding correct?

2. If yes, can you please let me know if the newer versions supports ISP Redundancy on a Cluster?

3. As described in the R80.40 documentation, I don't have any default route towards Internet to monitor the next hop IP. Rather, specific traffic is being allowed towards the core network from the vendor side with the return route. Is it a correct config/design to support ISP redundancy?

Thank you.

Preview file
39 KB
0 Kudos
11 Replies
PhoneBoy
Admin
Admin
‎2025-10-20 01:16 PM

We don't support configuring PPPoE with ClusterXL: https://support.checkpoint.com/results/sk/sk101747
Also, ISP Redundancy usually involves multiple Internet connections with a default route.

SriNarasimha005
Collaborator
‎2025-10-20 04:24 PM
In response to PhoneBoy

Hi @PhoneBoy 

Thanks for the information. Does it support on a checkpoint over a standalone firewall?

Please note that the links are getting connected to the switch as highlighted.

Thank you.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-20 04:10 PM

Personally, I would get an official confirmation from your local SE and TAC.

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-10-20 05:37 PM

Do you mean P2P in the context of OSPF configuration or something else?

CCSM R77/R80/ELITE
0 Kudos
SriNarasimha005
Collaborator
‎2025-10-20 06:59 PM
In response to Chris_Atkinson

@Chris_Atkinson wrote:

Do you mean P2P in the context of OSPF configuration or something else?

This is P2P link and not related to OSPF

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-10-20 07:03 PM
In response to SriNarasimha005

As Phoneboy said, its PPPOE?

Best,
Andy
0 Kudos
SriNarasimha005
Collaborator
‎2025-10-21 12:18 AM
In response to the_rock

Hi @the_rock @PhoneBoy 

Sorry for the confusion. P2P it's a wider term which has been used and it's not a PPPoE. It's a MPLS/Metro-E private link with RJ-45 ports, UTP cables being used.

With the attached design, I believe it'll automatically provide redundancy in the scenarios if any of the link/switch/firewall goes down. I'm happy to be corrected 😊

the_rock
MVP Platinum
MVP Platinum
‎2025-10-21 01:44 AM
In response to SriNarasimha005

Ah, point 2 point you mean 🙂

Best,
Andy
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2025-10-21 02:29 AM
In response to SriNarasimha005

I think the short answer would be that we would recommend an alternate HA solution here, but would need a more complete understanding of the setup to fully settle on how to do it. Probably best to chat to your local sales office about options here.

0 Kudos
PhoneBoy
Admin
Admin
‎2025-10-21 11:57 AM
In response to SriNarasimha005

Why wouldn't you just configure static routes for the relevant network(s) on both gateways in this case?
This would need to be done anyway to ensure that traffic doesn't get lost when a failover occurs on the cluster.

the_rock
MVP Platinum
MVP Platinum
‎2025-10-21 12:04 PM
In response to PhoneBoy

Makes total sense.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events