This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tub92
Explorer
‎2025-12-23 08:43 AM

Site-to-Site BGP VPN to Azure on Check Point VSX (R81.20) – step-by-step guidance needed

Hello everyone,

I’m looking for help configuring a Site-to-Site IPsec VPN with BGP between an on-prem environment and an Azure VPN Gateway, using Check Point VSX running R81.20.

🔹 General scenario

Firewall: Check Point VSX – R81.20

Environment: two separate VSX deployments

  • Primary site
  • Disaster Recovery site

Azure side: Azure VPN Gateway with BGP enabled

VPN type: S2S IPsec + BGP

🔹 VSX details

Each VSX hosts multiple Virtual Systems

The new VPN must be configured inside an existing VS context

In the same VS, there is already another working BGP S2S VPN

That existing BGP VPN was:

  • originally created on a non-VSX firewall
  • later migrated via CLI, without a full SmartConsole-based configuration

Therefore, I have no direct experience configuring a full BGP VPN natively inside VSX from scratch.

🔹 Objective

Create a new S2S BGP VPN to Azure

Configure it on both Primary and DR VSX sites

Ensure that all traffic prefers the Primary site

DR site must be used only in case of failure

I need guidance on:

  • Proper IPsec + BGP configuration on VSX
  • Route redistribution and traffic preference
  • Avoiding unwanted active/active routing

🔹 Specific questions

I’m looking for a step-by-step guide covering:

IPsec S2S VPN configuration on VSX (SmartConsole and/or CLI)

BGP configuration inside a Virtual System:

  • AS numbers
  • Correct interfaces (VTI / interface-based VPN)

Best practices for:

  • Route redistribution (static ↔ BGP)
  • Primary site preference (BGP metrics, AS-PATH, MED, Local Preference, etc.)

Proper handling of:

  • Dual tunnels (Primary + DR)
  • Clean failover without asymmetric routing

Any VSX-specific limitations or considerations in R81.20

Any real-world examples, official documentation references, or design recommendations would be greatly appreciated.

Thank you in advance!

Labels
0 Kudos
11 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-12-23 04:35 PM

Let me look for it, Im sure I have something. 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-23 05:06 PM
In response to the_rock

@Tub92 

See if this helps. Btw, I do have bunch of screenshots and doc for P81 BGP setup, but cant send it, as it has client confidential info (sorry), but happy to answer any questions you may have.

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-12-24 12:00 AM
In response to the_rock

Note the ask is for VSX which differs in configuring the VTI portion etc, for example:

https://community.checkpoint.com/t5/Security-Gateways/VPN-SITE-TO-SITE-CHECKPOINT-VSX-ROUTE-BASED/td... 

CCSM R77/R80/ELITE
0 Kudos
Tub92
Explorer
‎2025-12-24 01:28 AM
In response to Chris_Atkinson

Thank you for your responses.

I can confirm that I cannot follow the first configuration approach, as it needs to be performed within a VSX environment. I have reviewed the documentation related to the vsx_provisioning_tool, but I still have a few concerns.

On the management server, I have both VSX environments connected (production and DR). However, the VS IDs are different between the two environments. For this reason, I am hesitant to use the provisioning tool, as I am concerned it might apply unintended configurations to different VS instances.

Is it possible to perform this configuration directly from the CLI on each individual gateway? This approach would allow me to be as precise and controlled as possible.

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-12-24 04:56 AM
In response to Tub92

The naming convention used in the example is likely throwing you off, refer to the admin guide e.g.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_CLI_ReferenceGuide/Topics-CLIG/VSX...

CCSM R77/R80/ELITE
0 Kudos
(1)
the_rock
MVP Diamond
MVP Diamond
‎2025-12-24 05:10 AM
In response to Tub92

Never really tried it from cli, but Im sure it is possible. You would just need to run add vpn tunnel commands.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Tub92
Explorer
‎2025-12-24 10:04 AM
In response to the_rock

I also believe that it should be sufficient to run the add vpn tunnel commands on each node and then save the configuration. I will try to proceed this way.

In your opinion, is it also necessary to retrieve the interfaces without topology from SmartConsole, or is this not required in this scenario?

the_rock
MVP Diamond
MVP Diamond
‎2025-12-24 10:06 AM
In response to Tub92

Personally, I always do that. Its good practise, just to be 100% sure there are no issues/misconfigs.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
(1)
the_rock
MVP Diamond
MVP Diamond
‎2025-12-24 10:13 AM
In response to the_rock

@Tub92 Personally and again, this is just my own opinion, does not matter its something everyone should be doing, but I ALWAYS found best setting for topology is define network by routes option, as if network changes, its auto updated, just make sure you have correct routing and I also assign needed security zone as well. 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-24 10:23 AM
In response to Tub92

Example from my lab. For VTI, PLEASE make sure that interoperable object name matches with what you put in interface settings, otherwise, even if one letter is missed or its upper instead of lower case, it will never work. By default, anti spoofing is always disabled on those interfaces, which is totally fine.

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-12-24 11:21 AM
In response to Tub92

I logged into one client's clustered master fw and below is what config for VTI would look like in clish. I also attached web UI config as well:

show interface vpnt9
state on
mac-addr Not configured
type vpnt
link-state not available
mtu 1500
auto-negotiation off
speed N/A
ipv6-autoconfig Not configured
monitor-mode Not configured
duplex N/A
link-speed Not configured
comments onprem-sase trunnel
vpn-tunnel-id 9
vpn-peer Vancouver-pop-1
vpn-local-address 169.254.255.11
vpn-remote-address 169.254.255.9
ipv4-address Not Configured
ipv6-address Not Configured
ipv6-local-link-address Not Configured

Statistics:
TX bytes:183 packets:3 errors:0 dropped:0 overruns:0 carrier:0
RX bytes:0 packets:0 errors:0 dropped:0 overruns:0 frame:0

SD-WAN: Not Configured

Here is the key. Say remote side (Azure) is 169.254.1.50

one fw can be 169.254.1.51

2nd 169.254.1.52 and VIP can be .53, as long as its NOT used on remote side, super important.

HTH

Screenshot_1.png

 

 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events