Hi All,
I have a setup with two virtual systems and an internal and an external virtual switch.
My two vsys have dedicated interfaces.
VSYS-1
Eth-6 -> 192.168.2.12/24
VSYS-2
Eth-7 -> 192.168.3.12/24
I have enabled route propagation on both interfaces and these two vsys have connectivity with both the internal and external vswitch.
But I am not able to see propagated routes in both vsys.
I am using R80.40 at the moment.
Please assist where the problem can be.
Thank You
Which JHF take is installed on the system?
Are all routes you expect to be propagated not present or just some specific ones?
Refer also: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_VSX_AdminGuide/Content/Topic...
(Please note R80.40 is EOL and you should consider upgrading in the near term.)
Has each gateway had its policy installed recently, and how long has each been up?
Can we please also see the following output from each VS? The topology seems not correct.
netstat -rn
ip route get x.y.z.0
@an_technical I believe your topology is a little bit wrong. You have a layer 2 connection between both VS via 2 virtual switches. That’s ok, but all attached interfaces are on different IP subnets, so no routing is possible between VS1 and VS2 and vice versa. And additionally you always have two connections between both VSs; this must be observed with priorities.
I believe you’re talking only about route propagation via the route configuration settings in the VS object, not any other dynamic routing protocol like OSPF or BGP …?
I'm not a VSX guru by any means, but purely from a routing perspective, it makes total sense.
Andy
Thanks @Wolfgang: Yes, you are right. I corrected the interface IP on the wrp interface and I see the route is propagated now. I am propagating the internal segment routes but these are propagated through the external vswitch.
I am not able to find anything where we can propagate these through the internal switch. Any suggestions please?
No option to do it via topology?
Andy
I can add manual static routes by disabling route propagation but we have large number of routes.
@an_technical you have a redundant connection between both VS; with VSX route propagation there is no way to differentiate and prioritize. You can remove one of the vswitches or you have to define the routes manually.
With vsx_provisioning_tool you can define a large range of routes via script.
Not sure if it behaves differently in newer supported versions without testing, refer also:
Is there any known issue on R81.20 Version 631?
Not to my knowledge. Which JHF?
I agree with Chris 100%. You should upgrade to an officially supported version, which is at least R81.10 at the moment, but I would recommend R81.20 if possible.
Andy
 
					
				
				
			
		