Checkpoint site to site VPN to Sonicwall (Sonicwall has two ISP links)
Hi Geeks!
Is it possible to have VPN redundancy between Check Point and a 3rd-party gateway that has two WAN IPs? I have the following use case (diagram attached):
- Checkpoint cluster r81.40 with one ISP link
- Sonicwall firewall with two ISP links
- A domain-based VPN is already established between CP and the Sonicwall WAN1 link
- Sonicwall is configured for VPN redundancy through both WAN links
Is there a way to configure CP to use tunnel through WAN1 as primary and tunnel through WAN2 as secondary link for the VPN ?
Thanks in advance!
Thanks for the detailed explanation, it makes it way easier to help @HighTech, fantastic job!
Now, here is my "reckoning", for lack of a better term lol
So, logically, I'm fairly sure you can do this, but you need to make sure link selection is configured properly. So, in your case, since CP has only 1 link, tunnels would always "terminate" on the same external IP. Now, technically, since Sonicwall has 2 ISP links, you really would need to have 2 separate VPN tunnels. In that case, I'm thinking link selection could look something like below...
Let me know if that makes sense. If not, we can do remote and go through it, if you are allowed to.
Andy
One other thing I thought of... see, on the CP side, you can only really choose the IP of the interoperable object (in this case Sonicwall) by setting the right address in SmartConsole for the object itself, NOT via link selection; that's more for the Check Point fw (cluster). Having said that, that's why I'm thinking having 2 tunnels would make the most sense, to me anyway. But let's see what the other boys and girls have to say 🙂
Andy
Hi @the_rock ,
Thanks for your feedback! I am thinking of having two tunnels too (add two gateways, aka interoperable devices, as satellite gateways in the same community); it seems so logical. However, in case both peer IPs are UP, how will CP know which tunnel to use for the VPN traffic, since both gateways have the same encryption domain?
Thank you.
You are 100% right, agree... but I'm thinking it may make more sense to have, say, 2 separate VPN tunnels, and then one way to do it would be to either disable the VPN rule for the 2nd tunnel OR take the interoperable object out of the 2nd VPN community, so only the 1st one would be operational.
But then again, if 1st one fails, failover would not be automatic, as you would need to add interoperable object into 2nd community manually.
Anywho, lets see what others say, hopefully there is better way...
Andy
So that means there is no way to have automatic failover, like on other firewalls (Cisco ASA, FortiGate...)?
I'm not aware of an easy way myself, or any way for that matter, but maybe someone else is... let's see.
Andy
Personally, just to get an official statement, it might be worth a TAC case.
Andy
Use Route-based VPN instead of Domain-based VPN for more control.
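Added example, not from any poster in this thread and not Check Point's reference configuration: a sketch of how the two-tunnel, route-based design suggested in the last reply could look on the Check Point side. It assumes two interoperable device objects already exist in SmartConsole for the SonicWall's WAN1 and WAN2 addresses (hypothetical object names Sonicwall_WAN1 and Sonicwall_WAN2), that both are members of a VPN community with the cluster, and that the peers' VPN domains are left as an empty group so that routing, not overlapping encryption domains, decides which tunnel carries the traffic. All addresses are hypothetical (RFC 5737 and RFC 1918 ranges). Commands are Gaia `vpn shell` and clish syntax; check them against the Site to Site VPN administration guide for your release before use.

```clish
# --- Expert mode, run on each cluster member ---
# One numbered VTI per peer object. Arguments: local VTI IP, remote VTI IP,
# peer object name as it appears in SmartConsole (hypothetical names and /30s).
vpn shell /interface/add/numbered 192.0.2.1 192.0.2.2 Sonicwall_WAN1
vpn shell /interface/add/numbered 192.0.2.5 192.0.2.6 Sonicwall_WAN2
# Confirm both VTIs exist and which peer each one is bound to.
vpn shell /show/interface/detailed/all

# --- Gaia clish, run on each cluster member ---
# Two static routes to the same remote subnet (hypothetical 10.20.0.0/16 behind
# the SonicWall). The priority-1 route via the WAN1 VTI is used while that VTI
# is up; the priority-2 route via the WAN2 VTI is installed only when it is not.
set static-route 10.20.0.0/16 nexthop gateway address 192.0.2.2 priority 1 on
set static-route 10.20.0.0/16 nexthop gateway address 192.0.2.6 priority 2 on
save config

# --- Checks after policy install ---
# Which of the two routes is active right now:
show route
# Interactive tunnel utility: option 1 lists IKE SAs, option 2 lists IPsec SAs;
# a healthy primary shows SAs against the WAN1 peer address.
vpn tu
```

On a ClusterXL cluster the VTIs must be created on every member, then fetched into the cluster object's topology in SmartConsole (Get Interfaces) and given a cluster virtual IP before policy install. The route fallback only helps if the WAN1 VTI actually goes down when that tunnel fails, which means the tunnel has to be monitored: enable Permanent Tunnels in the community, and since the peer is not a Check Point gateway that monitoring is DPD rather than Check Point's own tunnel test. Also confirm on the SonicWall side that return traffic for the remote subnet is sent into whichever tunnel the Check Point is currently using, or that replies arriving on either tunnel are accepted; test a forced WAN1 outage in a lab before relying on it.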