VPN tunnel failover from 4G interface

Hi, Everyone

I would like to share the solution to an issue which we faced regarding SMB 1590 appliances with 4G as a redundant interface.

The issue is:

"If you have a 4G redundant interface and a Site-to-Site VPN tunnel configured, then in case of failover to the 4G interface and fail-back to the main WAN interface, all the connections will be migrated back to the main WAN interface except the VPN connection, which will continue working through the 4G interface, thus producing additional costs from the 4G operator."

Check Point has confirmed that this is expected behaviour, so we had to search for a workaround.


1. First I prepared a bash script that checks the messages log for the event indicating that the WAN connection is up again and, based on that, restarts the 4G interface to fail the 4G connection back to the primary ISP (also attached):


#!/bin/bash -f
source /pfrm2.0/opt/fw1/conf/

# Get the current timestamp
current_timestamp=$(date +%s)

# Subtract 1 minute (60 seconds) from the current timestamp
timestamp_1min_before=$((current_timestamp - 60))

# Convert the timestamp to the same format as the log lines
time_1min_before=$(date -d "@$timestamp_1min_before" +"%Y %b %d %H:%M:%S")

# Path to the messages log (placeholder: set this to the log's location on the appliance)
log_file="<PATH_TO_MESSAGES_LOG>"

# Pattern to search in the log file
search_pattern="Internet connection \"Internet1\" is active now"

# Iterate through the lines of the log file
while read -r line; do
    # Extract and format the timestamp from the line
    line_year=$(echo "$line" | awk '{print $1}')
    line_month=$(echo "$line" | awk '{print $2}')
    line_day=$(echo "$line" | awk '{print $3}')
    line_time=$(echo "$line" | awk '{print $4}')
    # Zero-pad single-digit days so they match the %d format used above
    if [ "${#line_day}" -eq 1 ]; then
        line_day="0$line_day"
    fi
    time_line="$line_year $line_month $line_day $line_time"

    # Check if the line timestamp is within the last minute.
    # This is a string comparison: month names compare alphabetically,
    # so an event logged right at a month rollover can be missed.
    if [[ "$time_line" > "$time_1min_before" ]]; then
        # Check if the line contains the search pattern
        if [[ "$line" == *"$search_pattern"* ]]; then
            # Restart the 4G interface so traffic fails back to the primary ISP
            ifconfig cell0 down
            ifconfig cell0 up
        fi
    fi
done < "$log_file"


 2. Then I configured a cron job to run the script every minute:

  1. Log in to WinSCP.
  2. Open a new session with the SMB firewall.
  3. Upload the file to the path /usr/bin/
  4. Log in to the SMB firewall using SSH.
  5. Go to Expert mode.
  6. Go to the path /usr/bin/
  7. Change the permissions of the file using the command below.

chmod u+x

  8. Run the command below.

crontab -e

  9. Add a new line to run the 4G script as below:

*/1 * * * * /usr/bin/

  10. Save the file.

This workaround ensures that the Site-to-Site VPN tunnel will fail over to the primary ISP in no more than a minute after the primary ISP becomes active.

Hope this helps!

3 Replies



Thank you!😀
Thanks for sharing this solution!