Hi,
My plan is to position the Check Point device in bridge mode between the FortiGate firewall and the Aruba switch, and demonstrate the benefits of Check Point.
The FortiGate firewall and the Aruba switch are connected via LACP (Link Aggregation) and operate in trunk mode. Multiple VLANs are defined under this trunk. However, when I place the Check Point firewall between the two devices in bridge mode, no traffic passes through to me.
I have configured the VLANs under the Br1 interface on the Check Point device to match the VLANs defined on the FortiGate, but the result remains the same—no traffic is being received.
Hi @Madmaks
What does the Smartlog show?
What does "fw ctl zdebug + drop" show?
Is the picture correct? The Aruba and Forti sides are LACP, and the CP has only 1 interface? Both sides must be the same. A "one-legged" bond won't work in this situation.
Akos
When I ran zdebug I could not see any drops. SmartLog only shows logs from the mgmt interface.
Why do you think it won't work with a single interface? After all, that's what LACP is for. Even with a single interface, LACP will ensure that packets pass through one line.
The key point here is whether Check Point interferes with L2 traffic. For example, if it can only recognize IPv4, IPv6, and ARP traffic but not all traffic types, then that might be a reason for LACP not to work. Otherwise, I don't see why it shouldn't work. We can discuss this further.
Maybe the following solution will help me; what do you think?
By default, Security Gateway in the Bridge mode allows Ethernet frames that carry protocols other than IPv4 (0x0800), IPv6 (0x86DD), or ARP (0x0806) protocols.
Starting in R77.10, administrators can configure a Security Gateway in the Bridge mode to accept or drop Ethernet frames that carry specific protocols.
Note: In a cluster environment, this procedure must be performed on all members of the cluster.
| Which Ethernet frames should be allowed/dropped | Instructions |
|---|---|
| Allow Ethernet frames only with IPv4, IPv6, and ARP protocols | |
| Allow Ethernet frames with any protocol (other than IPv4, IPv6, or ARP) (default) | |
The Check Point probably should have two bonds configured to participate in LACP for this topology irrespective of how many slave interfaces are up/down.
Are you suggesting I do LACP on Checkpoint?
Hi @Madmaks
And I think if you do a TCPDUMP on the CP, you will see nothing.
Yes, you need to do a BOND on the CheckPoint side:
Why?
Because the CheckPoint side can't negotiate LACP, because neither ETH4 nor ETH5 is a member of a bond (LACP group). How can it talk LACP if it is not configured?
Going further: if they never negotiate LACP, the traffic won't flow on a degraded bond. This is my experience.
Configure a simple bond and see what happens.
Akos
Yes, I technically understand everything you mentioned.
Initially, I thought the same, but then I considered that if the Check Point is in bridge mode, it should also forward the LACP negotiation (L2) packets required for the link aggregation to work.
However, from what I understand now, in bridge mode, the Check Point does not forward these LACP negotiation packets, meaning it doesn't fully function as a true bridge.
Alright, I'll try what you suggested. Thanks
Hi @Madmaks
Yes, I understood, and thanks for understanding me.
I think this is where the dog is buried:
When an IEEE 802.3ad aggregation is configured, link aggregation control protocol data units (LACPDUs) are exchanged between the server machine (host system) and the adjacent switch. Only the active channel, which could be either the primary channel or the backup adapter, exchanges LACPDU with the adjacent switch.
This is what doesn't happen.
Please keep me updated 🙂
Akos
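The SK excerpt quoted earlier (which EtherTypes a bridge-mode gateway passes) and the LACPDU paragraph above describe two different things that happen to a frame arriving at a bridge hop: ordinary tagged traffic is forwarded or dropped by EtherType, while LACPDUs are link-local and are only ever answered by a bond on that hop. The script below is an added example written for this thread; it is not Check Point code and not from any poster. It assumes the standard IEEE values the thread does not quote: 0x8100 for the 802.1Q tag, 0x8809 (Slow Protocols) with LACP subtype 0x01 for LACPDUs, the reserved destination 01:80:C2:00:00:02, and 0x88B5 as a generic non-IP EtherType. All sample frames are constructed, not captured.

```python
import struct

# EtherType values from the thread's SK excerpt (IPv4/IPv6/ARP) plus IEEE
# constants the thread does not quote (802.1Q tag, Slow Protocols, experimental).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_SLOW = 0x8809   # IEEE 802.3 Slow Protocols (LACP, Marker)
ETHERTYPE_EXPERIMENTAL = 0x88B5
LACP_SUBTYPE = 0x01
# Reserved group address for Slow Protocols; 802.1D bridges do not relay frames
# sent to 01-80-C2-00-00-0x, which is why a bridge hop cannot pass LACP along.
SLOW_PROTOCOLS_MAC = bytes.fromhex("0180c2000002")
IP_PROTOCOLS = {ETHERTYPE_IPV4, ETHERTYPE_IPV6, ETHERTYPE_ARP}


def build_frame(dst_hex, src_hex, ethertype, payload, vlan=None):
    """Assemble a raw Ethernet frame, optionally 802.1Q-tagged (constructed sample)."""
    hdr = bytes.fromhex(dst_hex) + bytes.fromhex(src_hex)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Split a frame into dst, src, VLAN id (None if untagged), inner EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan, "ethertype": ethertype, "payload": frame[offset:]}


def is_lacpdu(parsed):
    """True for an LACPDU: Slow Protocols EtherType, reserved destination, LACP subtype."""
    return (parsed["ethertype"] == ETHERTYPE_SLOW
            and parsed["dst"] == SLOW_PROTOCOLS_MAC
            and parsed["payload"][:1] == bytes([LACP_SUBTYPE]))


def bridge_verdict(frame, allow_non_ip=True):
    """Model what a bridge hop does with one frame.

    allow_non_ip=True mirrors the default quoted from the SK (any EtherType is
    bridged); False mirrors the 'IPv4, IPv6 and ARP only' setting. An LACPDU is
    never bridged onward in either case: it must be answered by a bond on this hop.
    """
    p = parse_frame(frame)
    if is_lacpdu(p):
        return "lacpdu-not-forwarded"
    if p["ethertype"] in IP_PROTOCOLS or allow_non_ip:
        return "forwarded"
    return "dropped"


def sample_frames():
    """Constructed frames resembling the thread's setup: tagged VLAN traffic plus an LACPDU."""
    switch = "aabbcc000001"    # constructed source MAC (Aruba side)
    firewall = "aabbcc000002"  # constructed destination MAC (FortiGate side)
    return {
        "ipv4-vlan100": build_frame(firewall, switch, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19, vlan=100),
        "arp-vlan200": build_frame("ffffffffffff", switch, ETHERTYPE_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01", vlan=200),
        # LACPDU: subtype 0x01, version 0x01, then the remaining 108 octets zeroed
        "lacpdu": build_frame(SLOW_PROTOCOLS_MAC.hex(), switch, ETHERTYPE_SLOW, bytes([LACP_SUBTYPE, 0x01]) + b"\x00" * 108),
        "non-ip": build_frame(firewall, switch, ETHERTYPE_EXPERIMENTAL, b"\x00" * 46),
    }


if __name__ == "__main__":
    for name, frame in sample_frames().items():
        p = parse_frame(frame)
        print(f"{name:13s} vlan={p['vlan']} ethertype=0x{p['ethertype']:04x} "
              f"default={bridge_verdict(frame)} ip-only={bridge_verdict(frame, allow_non_ip=False)}")
```

The practical check this models is the one suggested above with tcpdump: capturing on the gateway's inside interface with `tcpdump -nei eth4 ether proto 0x8809` shows whether LACPDUs arrive from the switch at all, and a capture on the opposite interface confirms they are not bridged through; once a bond exists on the gateway, its own LACPDUs should appear on the capture instead.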
Thanks for your explanation. I want to ask you something. Do you think another vendor (I prefer not to mention the name) doing a PoC with this customer could have accomplished this using the virtual wire feature? Do you have any thoughts on this?
Hi @Madmaks
I know this vendor, but I am not familiar with their products. IEEE 802.3ad is a standard, and I think nobody can bypass it. Rules are rules. 🙂
Akos
Based on this logic, do you think I also need to define the VLANs under the Bridge interface (Br1 and Br2) as Br1.100 and Br1.200, for example?
No, you don't need to configure VLANs.
Check this SK: https://support.checkpoint.com/results/sk/sk34312
Akos
Thank you.
Btw I found this link 🙂
But our brainstorming was worth the time. :-). I said the same with my words 🙂
Every word of Timothy's is gold 🙂
Thank you again.
In fact, if there is such an SK (https://support.checkpoint.com/results/sk/sk34312), there should definitely be an SK related to the topic we discussed as well.