sonofgod031
Explorer

How to deliver Redundancy for VPN Site2Site on VSX within Maestro?

Is it possible to deliver VPN Site2Site with redundancy in VSX deployment using Maestro?


The old firewall (CP 4800) used to connect a Site2Site VPN to a 3rd party (CP 2200) with ISP Redundancy (2 ISPs), so that the Site2Site VPN had redundancy (automatic failover if one ISP is down).


The CP 4800 will be replaced with Maestro in a VSX deployment, but sk79700 says VSX doesn't support ISP Redundancy.
I saw a thread that says the alternative way to give a Site2Site VPN redundancy is using PBR Multi Hop, and that it's available from R80.30 onwards.
Since the Maestro OS is R80.20SP, I haven't found an SK that declares that R80.20SP supports PBR Multihop; I only found that PBR can be set up in VSX on Maestro (sk137232).


Or is there another alternative solution to give a Site2Site VPN redundancy using VSX?


sk79700 (VSX doesn't support ISP Redundancy):
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Alternative Solution:
https://community.checkpoint.com/t5/General-Topics/PBR-With-Multiple-Tracking/td-p/14462

sk137232 (How to setup PBR in VSX on High Scalable Device)
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


#VSX #Maestro #VPN

7 Replies
_Val_
Admin

Could you please specify what exactly you need: ISP redundancy, S2S VPN redundancy, or both?

sonofgod031
Explorer

I need the Site2Site VPN to have an automatic failover function (on Maestro with a VSX deployment), so that if the tunnel that goes through ISP1 is down, the VPN will automatically fail over to ISP2 and downtime is minimized.

_Val_
Admin

According to this diagram, you do need your GW to support ISP redundancy. Now, why Maestro + VSX, if you are coming from 2200 appliance? 

sonofgod031
Explorer

The customer was running out of budget but was eager to buy Maestro for its hyperscaling capability, so they wanted the firewalls deployed as VSs, and we forgot that they need ISP Redundancy or VTI/route-based VPN to give the Site2Site VPN redundancy (which is not supported in VSX). The CP 2200 is the 3rd party connected to the customer; it was deployed with VTI tunneling.

Chris_Atkinson
Employee

Given that the sunset for R80.20SP approaches, please consider adopting R81.10, which has route-based VPN support for VSX.

CCSM R77/R80/ELITE
sonofgod031
Explorer

When will R81.10 be available for Maestro?

The customer is already using R80.20SP, and Maestro has already been implemented in their environment 😅

If this is the only solution, then I can tell them to wait until R81.10 for Maestro is released.

Chris_Atkinson
Employee

It already is available; refer to sk173363.

CCSM R77/R80/ELITE