Perry_McGrew
Collaborator

P2P VPN Star Community - Link Selection Mode

All our CP devices are R82 JHF 19.   We have 7 CP 3200s deployed, each as a Star Community with a P2P VPN to our corporate Data Center 5800 HA Cluster.

I have been reading up on how to set these 3200s up as MEP to be able to fail over to our Service Provider's DRaaS site, where they use a Fortigate Firewall.  A whole other headache! 

We have been using CP for close to 20 years, just doing upgrades and appliance replacements as they reach EoL.  So I am looking at these VPN Star Community settings and see the choice in Link Selection Mode.  Of course, all our CP3200s are set to Legacy vs Enhanced (Recommended), where the "i bubble" states it is for better interoperability, redundancy, and granularity.  

So I am looking to make this eventual MEP configuration as easy as possible and wondering if the Link Selection Mode needs to be changed, or just should be regardless.  

Can I just change the CP3200 Link Selection setting to Enhanced and install policy, or are there other settings that I should be aware of?   I don't have a test CP3200 I can try this on and have not found any SKs with details on Link Selection Mode.   

6 Replies
the_rock
MVP Gold

Hi Perry,

That enhanced setting does exactly what it says, what you described. As far as MEP, that's more or less the same as in previous versions. Personally, I would change the mode to enhanced and then enable MEP as required.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP...

Perry_McGrew
Collaborator

Andy,

Thanks for the reply.   First, we are R82 and I have read the R82 VPN Admin Guide.  There is only 1 external, internet-facing connection on these CP3200s.  So I am trying to understand if there is any benefit to changing from Legacy to Enhanced.  I am always wary about changing a setting like this and not "seeing" what other settings need to change.

As for MEP, I'm pretty sure I will need Implicit MEP where I specify the priority: our corporate 5800 HA would be "Primary" and the D/R site's Fortigate (interoperable device) would be "Backup".  The docs become confusing when discussing defining the VPN domain.  In a D/R situation, our servers and Internet would be up at the D/R site.  On pg 203, Config Implicit MEP, it implies the backup Gateway is a CP device...   

the_rock
MVP Gold

Is there any benefit? I would say better communication and less possibility of failures with cloud and 3rd party vendors. As far as MEP, implicit is used if VPN domains are overlapping.

Andy

Perry_McGrew
Collaborator

I posed the question to TAC and they responded with what I figured the answer would be after reading the R82 VPN Admin Guide.  

"If your gateway has only a single interface connected to the Internet, Enhanced Link Selection does not provide any significant benefit. "

So it's back to unraveling how to set up Implicit MEP with a 3rd party Firewall as the Backup P2P VPN site.  

the_rock
MVP Gold

I agree with TAC, that's definitely true. I could be mistaken when I say this, but in my mind, MEP config should work regardless of how many external links are present.

Andy

PhoneBoy
Admin

The Enhanced Link Selection allows for scenarios that are difficult to achieve with the Legacy options.
You have to explicitly configure it, though: https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SitetoSiteVPN_AdminGuide/Content/T... 
