I have the same question; we also have VXLAN between the sites,
but with Juniper networking instead of Cisco.
We also have a VSX firewall.
Our main goal is not to stretch VLANs, because of L2 loops and risks. Every company is moving away from L2 stretched VLANs when possible.
So, very short: VXLAN is routing the Layer 2 packets.
It means that a server S1-X-A in VLAN X on site A will reach another server S2-X-B (Server 2, VLAN X, site B) over the routed VXLAN.
S1-X-A wanting to reach S3-Y-A will do this via FW-A, and the answer back will go over FW-A.
S1-X-A wanting to reach S4-Y-B: the traffic will go over FW-A and the answer will go over FW-B.
So the main question is: how can FW-A and FW-B sync the session to allow this?
(Knowing that the sync between FW-A and FW-B can be L2, otherwise no cluster, of course.)
Cisco ASA firewalls are handling this via contexts and allowing asynchronous routing. So if those ugly and basic firewalls are able to do this, it should be good that Check Point could also perform those actions?
Because Check Point is a software company, a lot of its technology has not been designed from the routing ideology of today.
All the other vendors are coming with their products from a network perspective (dynamic routing, LLDP, etc.).
So, anyone, does anybody have an idea how I can include the VSX firewalls or other ones (Check Point) in this type of design?
We are also looking at it with PS in parallel (since a few months).
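To make the asymmetric-routing problem in the post concrete, here is a small model of two stateful firewalls, written for this page as an added example (it is not the poster's setup and not Check Point, Cisco or Juniper code). The host names S1-X-A, S3-Y-A, S4-Y-B, FW-A and FW-B are taken from the post; the policy entries, ports and the sync mechanism are constructed assumptions. It shows why a reply that comes back through FW-B is dropped when FW-B has no session state, and why replicating FW-A's connection entry to FW-B (the session sync the post asks about) fixes it, while the purely local flow via FW-A works either way.

```python
"""Toy model of stateful inspection under asymmetric routing (constructed example).

Two firewalls, FW-A and FW-B, each keep their own connection table. Traffic from
S1-X-A to S4-Y-B leaves site A via FW-A, but the reply enters site A via FW-B.
Without session sync FW-B sees a non-SYN packet with no matching state and drops it;
with sync, FW-A's new entry is replicated to FW-B and the reply is accepted.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection


@dataclass
class Firewall:
    name: str
    policy: set = field(default_factory=set)   # allowed (src, dst, dport) triples
    table: dict = field(default_factory=dict)  # (src, dst, sport, dport) -> state
    peers: list = field(default_factory=list)  # firewalls that receive sync updates
    dropped: list = field(default_factory=list)

    @staticmethod
    def _key(p: Packet):
        return (p.src, p.dst, p.sport, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        # The reply direction of an existing session.
        return (p.dst, p.src, p.dport, p.sport)

    def process(self, p: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        # Packet belongs to a known session (either direction): forward it.
        if self._key(p) in self.table or self._reverse_key(p) in self.table:
            return True
        # New connection: must be a SYN and must match the rule base.
        if p.syn and (p.src, p.dst, p.dport) in self.policy:
            self.table[self._key(p)] = "ESTABLISHED"
            # Session sync: replicate the new entry to every peer (assumed mechanism).
            for peer in self.peers:
                peer.table[self._key(p)] = "ESTABLISHED"
            return True
        # Non-SYN packet without state, or SYN not allowed by policy: drop.
        self.dropped.append(p)
        return False


def build_firewalls(sync: bool):
    """Construct FW-A and FW-B with the same rule base, optionally syncing sessions."""
    rules = {("S1-X-A", "S4-Y-B", 443), ("S1-X-A", "S3-Y-A", 443)}
    fw_a = Firewall("FW-A", policy=set(rules))
    fw_b = Firewall("FW-B", policy=set(rules))
    if sync:
        fw_a.peers.append(fw_b)
        fw_b.peers.append(fw_a)
    return fw_a, fw_b


def cross_site_flow(sync: bool):
    """S1-X-A -> S4-Y-B: request leaves via FW-A, reply returns via FW-B."""
    fw_a, fw_b = build_firewalls(sync)
    request = Packet("S1-X-A", "S4-Y-B", 51000, 443, syn=True)
    reply = Packet("S4-Y-B", "S1-X-A", 443, 51000)
    return fw_a.process(request), fw_b.process(reply)


def local_flow(sync: bool):
    """S1-X-A -> S3-Y-A: both directions pass FW-A, so no sync is needed."""
    fw_a, _ = build_firewalls(sync)
    request = Packet("S1-X-A", "S3-Y-A", 51001, 443, syn=True)
    reply = Packet("S3-Y-A", "S1-X-A", 443, 51001)
    return fw_a.process(request), fw_a.process(reply)


if __name__ == "__main__":
    print("local flow, no sync     :", local_flow(False))
    print("cross-site flow, no sync:", cross_site_flow(False))
    print("cross-site flow, sync   :", cross_site_flow(True))
```

Running it prints `(True, True)` for the local flow, `(True, False)` for the cross-site flow without sync (the reply is dropped at FW-B) and `(True, True)` once the session entry is replicated. The model deliberately ignores TCP state machines and NAT; the point it isolates is that whatever gateway sees the return half of a connection must already hold that connection's state.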