This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
sonofgod031
Explorer
‎2022-03-28 07:35 PM

How to deliver Redundancy for VPN Site2Site on VSX within Maestro?

Is it possible to deliver VPN Site2Site with redundancy in VSX deployment using Maestro?

 

Old Firewall (CP 4800) used to connect Site2Site VPN to 3rd Party (CP 2200) with ISP Redundancy (2  ISP's), so that VPN Site2Site have redundancy (automatically failover if 1 ISP is down).


CP 4800 will be replaced with Maestro with VSX deployment, sk79700 says VSX doesn’t support ISP Redundancy.
I saw a thread that says the alternative way to give Redundancy in VPN Site2Site is using PBR Multi Hop and it’s available from R80.30 onwards.
Since Maestro OS is R80.20 SP, I haven’t found SK that declares R80.20SP Supports PBR Multihop, I only found that PBR can be setup in VSX Maestro sk137232.

 

or is there another alternative solution to give Redundancy on VPN Site2Site using VSX? 

 

sk79700 (VSX doesn't support ISP Redundancy):
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Alternative Solution:
https://community.checkpoint.com/t5/General-Topics/PBR-With-Multiple-Tracking/td-p/14462

sk137232 (How to setup PBR in VSX on High Scalable Device)
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

#VSX #Maestro #VPN

0 Kudos
7 Replies
_Val_
Admin
Admin
‎2022-03-28 11:54 PM

Could you please specify what exactly you need, IPS redundancy, S2S VPN redundancy, or both?

0 Kudos
sonofgod031
Explorer
‎2022-03-29 11:26 AM
In response to _Val_

I need VPN Site2Site to have automatic failover function (on Maestro with VSX deploymnet), so if the tunnel that goes through ISP1 is down, VPN will automatically failover to ISP2, so downtime can be minimized.

Preview file
12 KB
0 Kudos
_Val_
Admin
Admin
‎2022-03-29 12:42 PM
In response to sonofgod031

According to this diagram, you do need your GW to support ISP redundancy. Now, why Maestro + VSX, if you are coming from 2200 appliance? 

0 Kudos
sonofgod031
Explorer
‎2022-04-04 03:58 AM
In response to _Val_

Customer were running out of budget but was eager to buy Maestro for it's hyperscaling capability, so they wanted firewalls to be deployed as VS, and we forgot if they need ISP Redundancy or VTI/Route-based VPN to give VPN Site2Site redundancy (which is not supported in VSX). CP 2200 is the 3rd Party connected to the customer, it was deployed with VTI tunneling. 

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-03-29 12:26 AM

Given the sunset approaches for R80.20SP please consider adopting R81.10 that has route-based VPN support for VSX.

CCSM R77/R80/ELITE
0 Kudos
sonofgod031
Explorer
‎2022-03-29 11:30 AM
In response to Chris_Atkinson

When is R81.10 will be available for Maestro?

Customer is already using R80.20SP and the Maestro has been implemented in their environment 😅

If this is the only solution, then i can tell them to wait until R81.10 for Maestro to be released.

0 Kudos
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2022-03-30 03:50 AM
In response to sonofgod031

It already is available, refer sk173363

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
 
Upcoming Maestro Events

    CheckMates Events