I have a question about the feature "propagate route to adjacent Virtual Devices".
Let's assume we have three external VSs: Inbound-vs, Outbound-vs and VPN-vs.
These three VSs are in a vSwitch sandwich: one vSwitch for the external subnet and one for the internal transit LAN leading to the internal VSs with the internal networks.
The question is now: how does Check Point decide through which of the two vSwitches traffic is routed from one DMZ to the other? (Random, VS ID, higher IP, ...)
In our setup the routes are propagated through the external vSwitch. This works, as the external vSwitch is consistently chosen for all interfaces and no asymmetric routing occurs. From a security point of view and also for architectural considerations, this is not the desired path. For example, traffic comes encrypted over VPN to the VPN-vs and is sent in clear text over the external interface to the DMZ of the Outbound-vs. Assuming the two VSs are on another physical VSX host, the traffic is sent over a physical switch which is exposed to the internet. Not so good.
Of course, we could disable the feature and manually route through the internal transit vSwitch. As of now, it looks like we have to go that way.
Is there a way to force Check Point to choose the internal vSwitch for the propagated routes?
IMHO Check Point should never use an external interface to route traffic. The information that these interfaces are external is given in the topology. That might be an RFE.
What do you think about the topic?
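An added check, not part of the original post and not Check Point code: it audits one virtual system's routing table against the topology and flags any route that carries another VS's DMZ network out of an interface the topology marks as external, which is exactly the propagated-route path described above. The VS names follow the post; interface names, addresses and the topology structure are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR prefix
    next_hop: str      # gateway address
    interface: str     # egress interface of this virtual system
    source: str        # "propagated" or "static"


# Hypothetical topology for the vSwitch sandwich in the post: per VS, which
# interfaces the topology marks external/internal and which DMZ networks it
# owns. All names and networks are constructed sample values.
TOPOLOGY = {
    "VPN-vs":      {"interfaces": {"wrp-ext": "external", "wrp-transit": "internal"},
                    "networks": ["10.10.0.0/24"]},
    "Outbound-vs": {"interfaces": {"wrp-ext": "external", "wrp-transit": "internal",
                                   "eth-dmz": "internal"},
                    "networks": ["10.20.0.0/24"]},
    "Inbound-vs":  {"interfaces": {"wrp-ext": "external", "wrp-transit": "internal",
                                   "eth-dmz": "internal"},
                    "networks": ["10.30.0.0/24"]},
}

# Constructed routing table of Outbound-vs: the VPN-vs DMZ route was
# propagated via the external vSwitch, the Inbound-vs route via transit.
OUTBOUND_ROUTES = [
    Route("0.0.0.0/0", "203.0.113.1", "wrp-ext", "static"),
    Route("10.10.0.0/24", "203.0.113.10", "wrp-ext", "propagated"),
    Route("10.30.0.0/24", "172.16.0.30", "wrp-transit", "propagated"),
    Route("10.20.0.0/24", "0.0.0.0", "eth-dmz", "static"),
]


def audit_routes(vs_name, routes, topology=TOPOLOGY):
    """Return (route, reason) pairs for routes that send another VS's DMZ
    traffic out of an interface the topology marks external. The default
    route is exempt: it is expected to leave via the external side."""
    ifaces = topology[vs_name]["interfaces"]
    peer_nets = [ipaddress.ip_network(n) for name, e in topology.items()
                 if name != vs_name for n in e["networks"]]
    findings = []
    for r in routes:
        dest = ipaddress.ip_network(r.destination)
        if dest.prefixlen == 0 or not any(dest.overlaps(n) for n in peer_nets):
            continue
        kind = ifaces.get(r.interface, "unknown")
        if kind != "internal":
            findings.append((r, f"{r.source} route to peer VS leaves via {kind} interface {r.interface}"))
    return findings
```

Running `audit_routes("Outbound-vs", OUTBOUND_ROUTES)` reports only the 10.10.0.0/24 route, the cleartext DMZ-to-DMZ path over the external vSwitch.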