This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
perfect4situa
Participant
‎2025-04-14 06:42 AM
Jump to solution

Centrally Managed Spark: SD-WAN and IoT services

Hi everyone,

I've got a ClusterXL made of two Spark 2000, 3 ISP configured, and all of this is Centrally Managed via Smart-1 Cloud.

Can someone explain if there is any way to configure SD-WAN and IoT protection for free as per Spark appliances Locally Managed?

I can't understand why these services are free to use in a Locally Managed mode and seems to be available only via licence purchase in Centrally Managed mode.

In case this is only available via license may I configure SD-WAN-similar result with static routes for example to redirect all the traffic from one network to a specific ISP or traffic for specific service via specific ISP?

Thank you

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-04-14 07:15 AM
Jump to solution

sk178604 describes / categorises the difference as SMB vs Enterprise.

Presuming Spark management isn't an option, some of what you describe might be possible with PBR for basic cases.

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
9 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-04-14 07:15 AM
Jump to solution

sk178604 describes / categorises the difference as SMB vs Enterprise.

Presuming Spark management isn't an option, some of what you describe might be possible with PBR for basic cases.

CCSM R77/R80/ELITE
0 Kudos
perfect4situa
Participant
‎2025-04-14 08:05 AM
In response to Chris_Atkinson
Jump to solution

Thank you Chris, I'll try ASAP with a route and if it will work, I'll mark as solution

0 Kudos
perfect4situa
Participant
‎2025-05-22 06:40 AM
In response to Chris_Atkinson
Jump to solution

Hi Chris with my tries I find out that two routes different only in network source and with next hop the same internet connection became static(PBR) and static only. I really don't now why. They seem to work but no correct failover on the default route in case of failure of secondary internet connection in the route.

I'm tryng monitoring the routes but there no clear explanation about the result and at the moment I can't verify if it's working or not...

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-05-22 06:47 AM
In response to perfect4situa
Jump to solution

What you need is something like what is described here but might not exist for Spark:

https://community.checkpoint.com/t5/Security-Gateways/Path-Monitoring-for-Policy-Based-Routing/td-p/...

Failing that I see little choice but to leverage proper SD-WAN license.

CCSM R77/R80/ELITE
0 Kudos
perfect4situa
Participant
‎2025-05-22 07:20 AM
In response to Chris_Atkinson
Jump to solution

In Spark there isn't the option to set pbr... It seems also the monitoring system really don't work. Is there a way to view low-level log about this? I only got this...

Screenshot 2025-05-22 161841.png

0 Kudos
RS_Daniel
Advisor
Advisor
‎2025-05-22 07:02 AM
In response to perfect4situa
Jump to solution

Hi,

If you want the routes to failover automatically, your next hope must be defined using interface, not IP address. Also you connection monitoring must be configured and working properly on your 3 ISP interfaces.

Connection monitoring is a bit tricky i think. For this monitoring consider: Each ISP should monitor different IP address (dns did not work very well for me), each IP address you monitor should have a static route for that corresponding ISP. For example: ISP-1 monitors 8.8.8.8, you should have a static route for 8.8.8.8 using next hope IP address the default gateway for that ISP, it should not failover in case ISP-1 goes down or the monitoring will flap.

Regards

perfect4situa
Participant
‎2025-07-11 07:27 AM
In response to Chris_Atkinson
Jump to solution

In addition to this I'd like to share an update:

- after latest firmware version (81.10.17) internet monitoring starts working correctly (still some problems with pppoe in cluster deployment)

- with internet monitoring working and static route (pbr) the traffic correctly go trough the right selected and in case of wan failure the route became disabled and the eventually default wan available became the gateway for the pbr network

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-07-11 04:50 PM
In response to perfect4situa
Jump to solution

Per sk101747 Pppoe is not supported with a cluster in general however sk181841 suggests there might be an option with Spark that suits some limited scenarios perhaps.

CCSM R77/R80/ELITE
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-04-15 12:33 AM
Jump to solution

We speak of two different SD-WAN blades with different features. Locally and Spark Portal Managed SMBs have SD-WAN for SMBs blade, while centrally managed have the SD-WAN for Enterprise blade (like GAiA GWs) including e.g. VPN overlay. Find more details in https://support.checkpoint.com/results/sk/sk180605

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events