paulocosta
Explorer

ISP Redundancy and VPN site-to-site

Hi,

 

I need your help. I have this scenario:

Site 1: Management server with cluster (2x gateways) and 2 ISPs (A.A.A.A + B.B.B.B)

Site 2: Management server with cluster (2x gateways) and 2 ISPs (C.C.C.C + D.D.D.D)

My question is: when I make a site-to-site VPN between site 1 and site 2, I need guaranteed ISP redundancy. What are the best practices for this scenario?

Thanks

0 Kudos
6 Replies
_Val_
Admin

Please read the documentation, I believe it covers what you need. If not, let me know.

0 Kudos
paulocosta
Explorer

Hi _Val_

Thanks for your reply. 

Yes, I already read this documentation. Maybe my first post was not very complete.

When I create a site-to-site VPN, I need to create interoperable devices (one per ISP) and put them all in the VPN community, because I have two management servers.

Thanks

 

0 Kudos
the_rock
Legend

Keep in mind, it's NOT supported to use the same interoperable object in more than 1 VPN community. As a matter of fact, if you do that, policy install will fail, 100%. The only way it would work is if you clone the existing int. object and give it another name, but then there is no way to differentiate which community will take precedence and probably only 1 tunnel may show as up; you would not even see the other ones.

Best,

Andy

0 Kudos
_Val_
Admin

Why Interoperable? Do Externally Managed GWs. What's the issue, then? 

0 Kudos
paulocosta
Explorer

Hi,

This is the scenario:

ISP_Redundancy.png

I need to create a site-to-site VPN to connect sites 1 and 2. One requirement is: if ISP A.A.A.A has a problem, I need ISP B.B.B.B to maintain a VPN connection.

My question is: When I create a VPN community for connecting site 1 to site 2, as this site has a different management server, how can I tell the Satellite Gateways that I have 2 possible ISP connections? I need to create 2 written interoperable devices, right?

What do you suggest?

0 Kudos
the_rock
Legend

See... the key here is that even with ISPR configured, the other side needs to be aware of, say, both of site 1's links (same the other way around), and since it's NOT supported to have the same interoperable object, or in your case externally managed gateways (as it's CP), in the same community, personally, I would approach TAC for an official answer as far as the best approach.

Maybe a simple network diagram may also help us.

Best,

Andy

0 Kudos
