Hello,
Is there any possibility of incorporating some functionalities such as including the Link selection configuration within the VPN community as VPN Domain introduced in R80.40?
Within the history of Check Point there is always a problem when you want to build different VPNs with different external links and incorporating such functionality would be a great step to remedy limitations.
We'll be very grateful.
Best regards,
Normally you'd do this based on routing.
That said, I can see having different fixed options for different peers would be useful.
Regardless, I don't believe this is part of R81.20 (but could be wrong).
Yep, exactly, but it would be an improvement to choose the link selection by VPN community, of course always based on routing, to prevent issues of this type, such as sk173048.
I hope all those features will be on the roadmap.
Regards,
Correct - this has always been an issue with VPN redundancy with 3rd party devices. Even if Check Point has multiple ISP links, we won't be able to utilize all of those to configure a redundant VPN tunnel.
I've been waiting for that feature, because it is very difficult to use all the external ISPs of the customer. Can we have any updates in R81.30, PhoneBoy?
That will fix a link selection issue.
I've been waiting for that feature, because it is very difficult to use all the external ISPs for 3rd party VPN. Can we have any updates in R81.30?
That will fix a link selection issue.
That has always been an issue, and I shifted to another solution when there was such a need, where I wanted to consume both ISP links for VPN tunnels.
Hi,
We have a planned offering for this use case by the end of 2022.
I would be happy to meet and get more details on the use-case and the needs to make sure we are aligned.
Thanks,
Idan Tsarfati
R&D Group manager of IPsec VPN & HTTPS inspection
Hi idants,
Great!! I'll be ready for any updates and more about Link Selection into a VPN Community for 3rd Party GW VPN.
Best regards,
Hello idants
Any news about this?
Well - we have so many customers waiting for this feature, and the big adoption of cloud has really made it impossible to stay with one IP, hence I managed to move tunnels to other devices, which offer much more flexibility in configuring the tunnels.
I believe this feature is planned for R82.
This new feature is planned to be released as part of R82.
Some of the VPN capabilities are already available as part of SDWAN (R81.20).
You are welcome to share the exact use-case offline to understand if it might work.
Does this include VPN backup so that if the primary remote unit is down it will attempt to use the backup VPN device?
Hello @idants,
Use case: CheckPoint gateway "FW01", working as Internet perimeter firewall, has two or more external interfaces. This gateway has S2S VPNs with many different third party gateways through all its ISP connections. FW01 can send only one IP address as its IKE Main Mode ID. Let's say we use the external IP of ISP1 as our IKE Main Mode ID: all the remote peers that connect to ISP2 or ISP3 will receive a "wrong" IP address as IKE Main Mode ID. In these cases it brings additional complexity to the VPN, because in my experience this parameter is almost never configured manually, it is left as default, so we have to explain to third party admins what this parameter is, why we send a different IP address, and ask them to fix this on their end, because we cannot do it on our side. In case this gateway has a WAN (different interface/IP) connection which also builds S2S VPNs with third parties, it becomes even more complex.
It becomes more restrictive in case the same FW01 builds VPNs with other centrally managed gateways, where we normally would use Link Selection to have redundancy, but if we use HA or LS, it makes it mandatory for FW01 to send the main IP address as Main Mode ID.
Regards
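The ID mismatch described in the use case above, as an added example that is not part of the original posts: it builds and parses an IKEv1 Identification payload of type ID_IPV4_ADDR and lists the peers that would receive an ID different from the address they connect to. The addresses are documentation-range values, the peer names are hypothetical, and it assumes that a peer left at its default expects the ID to equal the gateway address it has configured.

```python
import ipaddress
import struct

ID_IPV4_ADDR = 1  # ID type from RFC 2407, section 4.6.2.1

def build_id_payload(addr):
    """IKEv1 Identification payload carrying one IPv4 address."""
    data = ipaddress.IPv4Address(addr).packed
    # next payload, reserved, length, ID type, protocol ID, port
    return struct.pack("!BBHBBH", 0, 0, 8 + len(data), ID_IPV4_ADDR, 0, 0) + data

def parse_id_payload(payload):
    """Return the IPv4 address from a decrypted Identification payload."""
    if len(payload) < 8:
        raise ValueError("truncated ID payload")
    _nxt, _rsv, length, id_type, _proto, _port = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError("length field does not match payload size")
    if id_type != ID_IPV4_ADDR or length != 12:
        raise ValueError("not an ID_IPV4_ADDR payload")
    return str(ipaddress.IPv4Address(payload[8:12]))

def mismatched_peers(main_id_ip, peers):
    """Peers that would receive an ID different from the address they dial.

    peers maps a peer name to the local link address that the remote admin
    configured as the gateway's address (assumed to be the expected ID too).
    """
    sent_id = parse_id_payload(build_id_payload(main_id_ip))
    return sorted(name for name, link_ip in peers.items() if link_ip != sent_id)

# Constructed sample data: documentation-range addresses, hypothetical names.
LINKS = {"ISP1": "192.0.2.1", "ISP2": "198.51.100.1", "ISP3": "203.0.113.1"}
PEERS = {"partner-a": LINKS["ISP1"], "partner-b": LINKS["ISP2"], "partner-c": LINKS["ISP3"]}

if __name__ == "__main__":
    for name in mismatched_peers(LINKS["ISP1"], PEERS):
        print(f"{name}: expects {PEERS[name]}, receives {LINKS['ISP1']}")
```

The output of such a check is the list of third party admins who would need to set the expected remote ID explicitly on their side.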
I've found a working solution in my lab; bring up 2 tunnels with two IPs (two ISPs in the real world), settings here:
Of course, you need to drive the tunnel to the second link by adding a static route to the /32 IP address of the remote peer.
Really - Did that work?
Hmmm - Let me try that out and see.