Andreas

VSX route propagation with more than one vSwitch

Hi all

I have a question about the feature "propagate route to adjacent Virtual Devices".

Let's assume we have three external VSs: Inbound-vs, Outbound-vs and VPN-vs.

These three VSs are in a vSwitch sandwich: one vSwitch for the external subnet and one for the internal transit LAN leading to the internal VS with the internal networks.

The question is now: how does Check Point decide through which of the two vSwitches traffic is routed from one DMZ to the other? (Random, VS ID, higher IP, ...)

In our setup the routes are propagated through the external vSwitch. This works, as the external vSwitch is chosen consistently for all interfaces and no asymmetric routing occurs. From a security point of view, and also for architectural reasons, this is not the desired path. For example, traffic arrives encrypted over VPN at the VPN-vs and is sent in clear text over the external interface to the DMZ of the Outbound-vs. Assuming the two VSs are on different physical VSX hosts, the traffic is sent over a physical switch which is exposed to the internet. Not so good.

Of course, we could disable the feature and manually route through the internal transit vSwitch. As of now, it looks like we have to go that way.

Is there a way to force Check Point to choose the internal vSwitch for the propagated routes?

IMHO Check Point should never use an external interface to route traffic. The information that these interfaces are external is given in the topology. That might be an RFE.

What do you think about the topic?

Admin

Re: VSX route propagation with more than one vSwitch

A diagram might be helpful to visualize this.
The route that propagates when you use "propagate route to adjacent Virtual Devices" is the wrp interface between the VS and the Switch.
If you have two routes to the same destination using different paths, I'm not sure how it decides which one to use.
In any case, static routes seem like the best idea here.
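As an added illustration of the manual alternative both posts mention (disable propagation, then pin the inter-VS path to the internal transit vSwitch with static routes), here is what that could look like in Gaia clish on the VSX member. This is not configuration from the thread: the VS IDs (2, 3, 4), the transit vSwitch addressing (10.255.0.0/24), the DMZ and VPN subnets, and the mapping of VS names to IDs are all placeholder assumptions; replace them with the values from your own topology.

```clish
# Added example, not from the original thread. Assumed layout:
#   VS 2 = Inbound-vs, VS 3 = Outbound-vs, VS 4 = VPN-vs
#   wrp addresses on the internal transit vSwitch (10.255.0.0/24):
#     Inbound-vs 10.255.0.2, Outbound-vs 10.255.0.3, VPN-vs 10.255.0.4
#   DMZ behind Outbound-vs: 192.168.20.0/24 (assumed)
#   DMZ behind Inbound-vs:  192.168.10.0/24 (assumed)
#   Remote networks reached through VPN-vs: 10.8.0.0/16 (assumed)
# Prerequisite: in SmartConsole, uncheck "Propagate route to adjacent
# Virtual Devices" on these three VSs, otherwise the propagated route
# (learned via the external vSwitch) and the static route coexist.

# VPN-vs: send decrypted traffic for both DMZs over the transit wrp,
# never over the external interface.
set virtual-system 4
set static-route 192.168.20.0/24 nexthop gateway address 10.255.0.3 on
set static-route 192.168.10.0/24 nexthop gateway address 10.255.0.2 on
save config

# Outbound-vs: return path to the VPN networks over the same transit wrp,
# so both directions stay inside the VSX host (no asymmetric routing).
set virtual-system 3
set static-route 10.8.0.0/16 nexthop gateway address 10.255.0.4 on
save config

# Inbound-vs: same return path for its DMZ.
set virtual-system 2
set static-route 10.8.0.0/16 nexthop gateway address 10.255.0.4 on
save config

# Check: the selected route for each DMZ must point at the transit wrp
# interface, not at the wrp on the external vSwitch.
set virtual-system 4
show route
show configuration static-route
```

Apply the same pattern on every VSX member that hosts one of these VSs, and re-run `show route` in each VS context after the policy install that removes the propagated routes; if a DMZ prefix still resolves via the external-side wrp, the propagation checkbox is still set on a neighbouring VS.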