We are going to implement new Check Point clusters to replace the ageing Juniper firewalls. I was going to install 2 HA Active-Passive clusters, each with 2 IP addresses + VIP per WAN link, but the ISP's design does not allow this.
ISP is suggesting the following:
- Site1 GW1 uses the active Layer 3 link with IP address a.a.a.x/31 for internet access
- Site1 GW2 uses the active Layer 3 link with IP address b.b.b.x/31 for connections between sites via IPsec
- Site2 GW1 uses the active Layer 3 link with IP address c.c.c.x/31 for internet access
- Site2 GW2 uses the active Layer 3 link with IP address d.d.d.x/31 for connections between sites via IPsec
(Apparently "on Juniper you can use a WAN link on the Active member, and another active WAN link on the Passive member")
If you ask me, this cannot be done in a Check Point Active-Passive setup. At a minimum I'll need an Active-Active load sharing cluster, but then I imagine I'll run into issues using different subnets on the WAN interfaces of each cluster member.
What is your opinion? Any suggestions?
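A quick way to put numbers on the addressing side of this question, added here as a worked example (it is not part of the original post and makes no claim about any vendor's clustering features). It models the poster's stated requirement of two member addresses plus a VIP per WAN link and checks it against the /31 links the ISP proposes. The prefixes are constructed stand-ins from RFC 5737 documentation space for the a.a.a.x/31 to d.d.d.x/31 placeholders; the function and key names are my own.

```python
import ipaddress
from typing import Dict

# Constructed stand-ins for the ISP's a.a.a.x/31 .. d.d.d.x/31 (RFC 5737 documentation
# ranges, not real allocations). One /31 per gateway, as in the ISP proposal.
ISP_PROPOSAL = {
    "Site1 GW1 internet": "203.0.113.0/31",
    "Site1 GW2 IPsec":    "203.0.113.2/31",
    "Site2 GW1 internet": "198.51.100.0/31",
    "Site2 GW2 IPsec":    "198.51.100.2/31",
}


def usable_addresses(net: ipaddress.IPv4Network) -> int:
    """Addresses a host may own on the link.

    A /31 point-to-point link (RFC 3021) and a /32 reserve no network or
    broadcast address; anything shorter loses two addresses to them.
    """
    if net.prefixlen >= 31:
        return net.num_addresses
    return net.num_addresses - 2


def gateway_side_capacity(net: ipaddress.IPv4Network) -> int:
    """Usable addresses left for the firewall side once the ISP router takes one."""
    return usable_addresses(net) - 1


def needed_for_ha(members: int = 2, vip: bool = True) -> int:
    """Addresses an HA pair needs on one link: one per member, plus a shared VIP."""
    return members + (1 if vip else 0)


def smallest_prefix_for(gateway_addresses: int) -> int:
    """Longest prefix length whose link still fits the ISP router plus the
    required number of gateway-side addresses."""
    for plen in range(32, 0, -1):
        if gateway_side_capacity(ipaddress.ip_network(f"0.0.0.0/{plen}")) >= gateway_addresses:
            return plen
    raise ValueError("no IPv4 prefix can hold that many addresses")


def same_subnet(cidr_a: str, cidr_b: str) -> bool:
    """True when two links are the same L3 network (where a shared VIP could live)."""
    return ipaddress.ip_network(cidr_a, strict=False) == ipaddress.ip_network(cidr_b, strict=False)


def check_links(links: Dict[str, str], members: int = 2, vip: bool = True) -> Dict[str, dict]:
    """Per link: how many firewall-side addresses the prefix leaves, how many
    the HA design needs, and whether it fits."""
    need = needed_for_ha(members, vip)
    report = {}
    for name, cidr in links.items():
        net = ipaddress.ip_network(cidr, strict=False)
        capacity = gateway_side_capacity(net)
        report[name] = {
            "prefix": net.prefixlen,
            "gateway_side_capacity": capacity,
            "needed": need,
            "fits": capacity >= need,
        }
    return report


if __name__ == "__main__":
    for name, row in check_links(ISP_PROPOSAL).items():
        print(f"{name}: /{row['prefix']} leaves {row['gateway_side_capacity']} "
              f"address(es), need {row['needed']} -> {'ok' if row['fits'] else 'too small'}")
    print("Site1 GW1 and GW2 links share a subnet:",
          same_subnet(ISP_PROPOSAL["Site1 GW1 internet"], ISP_PROPOSAL["Site1 GW2 IPsec"]))
    print("Shortest prefix that fits 2 members + VIP: /%d" % smallest_prefix_for(needed_for_ha()))
```

Run as-is it reports that each /31 leaves exactly one firewall-side address (the other belongs to the ISP router), so there is no room for a second member or a VIP on that link whichever platform terminates it, and that the two links handed to GW1 and GW2 at a site are different subnets. Feeding it the sizes the ISP could offer instead (for example a /29 per site) shows what would be needed to keep the original two-addresses-plus-VIP design.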