This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Gold
MVP Gold
‎2025-07-07 04:17 PM
Jump to solution

Harmony sase vpn redundant vpn tunnel tip

Hey guys,

Figured would share this, since my colleague and I spent lots of hours into testing this with BGP for a client that purchased SASE solution. Since sd-wan is not supported yet and we dont have an idea when it will be with sase, we made it work where redundant vpn tunnels work flawlessly with BGP implemented.

Guide:

https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/SASE-Admin-Guide/Content/Topi...

But, the way to make this work 100% is NOT to set it where you have CP cluster as center gw and interoperable objects presenting sase pops as satellite, but the other way around, where interoperable ones are center and CP is satellite and then you enable MEP and choose middle option (default one, closest choise) in vpn community (should be configured as star)

This works without issues. We will actually show this to CP sase expert, as well as SE guy when we have a call with them, so documentation can be hopefully modified to reflect that, as it would save lots of time for others trying to do the same.

We are using BGP per overlay, since we found works better that way, mind you, using BGP loopback interface does offer better scalability.

Happy to share any screenshots if needed.

Best,

Andy

Best,
Andy
0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Gold
MVP Gold
‎2025-07-10 04:49 AM
In response to _Val_
Jump to solution

Since we want to make sure this would be officially supported by CP, we asked our SE if sk could be written about it, or at least included in the documentation. Obviously, we dont want client to have an issue say a year from today and then we are told by TAC this is not supported...anyway, lets see what comes out of that, but regardless, screenshots attached : - )

Andy

Best,
Andy

View solution in original post

Preview file
156 KB
Preview file
125 KB
Preview file
162 KB
0 Kudos
6 Replies
_Val_
Admin
Admin
‎2025-07-10 01:15 AM
Jump to solution

Do share the screenshots 🙂

the_rock
MVP Gold
MVP Gold
‎2025-07-10 04:49 AM
In response to _Val_
Jump to solution

Since we want to make sure this would be officially supported by CP, we asked our SE if sk could be written about it, or at least included in the documentation. Obviously, we dont want client to have an issue say a year from today and then we are told by TAC this is not supported...anyway, lets see what comes out of that, but regardless, screenshots attached : - )

Andy

Best,
Andy
Preview file
156 KB
Preview file
125 KB
Preview file
162 KB
0 Kudos
_Val_
Admin
Admin
‎2025-07-10 04:59 AM
In response to the_rock
Jump to solution

Or you can ask TAC about the support status. It is considered an official answer.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-07-10 05:01 AM
In response to _Val_
Jump to solution

Speaking of that, we figured it would be best to go through our SE, but if you have an email or contact I could present this to, that would work as well.

Thanks Val.

Andy

Best,
Andy
0 Kudos
_Val_
Admin
Admin
‎2025-07-10 05:21 AM
In response to the_rock
Jump to solution

What I mean, you can open a TAC ticket to ask about the support status.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2025-07-10 05:23 AM
In response to _Val_
Jump to solution

Ah, I see what you are saying. Thats true, we can always do that, but we would definitely prefer that process be documented somewhere officially, so there is no ambiguity.

Anywho, lets see what SE says : - )

Thanks Val as always!

Andy

Best,
Andy
0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events