Looking to remove the CPE Routers from the Network and plug a Check Point Cluster in place of them.
As such, would have 2 WAN Circuits with 1 Circuit going directly into each member of the Cluster.
Hopefully the attached diagram shows clearly enough what I'm looking for.
The WAN Interface would then be static IP assigned, but each member would be on a separate IP Range and be marked as Monitored Private so that there is no Cluster IP, as it only exists on that member.
As it's not Clustered, cannot use ISP Redundancy to publish the WAN Circuits, as each member only sees its own WAN Circuit, and ISP Redundancy requires that both members can see the Next Hop for each Connection, which is not true here.
Marked as Monitored Private so that if it fails, the Cluster fails over to the other Member and traffic goes out via the other WAN Circuit.
LAN Side would be clustered so traffic goes to the Active Member and out via that WAN Circuit.
Traffic-wise, from a pure Routing/Firewall perspective it works, in that traffic goes out to the Internet and is seen as the WAN Circuit IP address it leaves from. Disconnect the WAN on Member 1 and it fails over and is seen from the WAN of Member 2.
However, the VPN fails to establish at Phase 1, even though both VPN Systems are managed by the same Smart-1 Cloud.
Updated the VPN Link Selection to be by topology for Peers, as it needs to be either WAN Circuit. Probing doesn't return the WAN Circuit, as it is not a cluster; when retrieved it only retrieves the LAN Cluster IP, so can't use the Member IP. Source is using the IP of the chosen Interface, so would expect that it uses the WAN Circuit IP. Have updated the cert for the Cluster with the WAN Circuit IP addresses as well and published to the Cluster and also to the VPN Gateway wanting to connect to it.
However, despite using Certificates and a Common Management System, P1 of the VPN just will not establish.
Wondering if anyone else has tried this and, if so, what tweaking had to be done on the Cluster Object to make it work.
The nearest I can find to this topology-wise in the Documentation is the Gaia Active-Active ClusterXL, for where Cluster Members are located in different locations and thus have separate Interfaces; however, that states it does not support the VPN Blade, so not sure if this is going to be the issue here, in that when doing VPN from a Cluster it has to be a Clustered Interface. That, along with ISP Redundancy requiring the interfaces to be Clustered, does make me question if this is even possible with non-Clustered interfaces.
Whilst initially looking at SMB Boxes, if it needs to be Full Gaia, i.e. 3000 series, then it wouldn't be impossible.
Appreciate any feedback shared on how people got on with achieving this.
Michael