Multiple ISP for VPN
Hello everyone,
I would like to ask you a question about the Check Point VPN.
I would like to use 2 public IPs to set up a VPN.
Indeed, several partners with whom I work have two Internet accesses on their firewall.
I am being asked to set up a VPN with 2 public IPs for redundancy.
On the Fortigate firewall, it seems that they have an option so that if the first ISP falls, it automatically switches to the second.
How can I do this on CheckPoint?
Do I have to put several gateways in the community?
Thank you for your help
PS: I hope it doesn't have too many mistakes, English is not my native language
PS: I have seen this post (https://community.checkpoint.com/t5/Remote-Access-VPN/Remote-Access-VPN-with-Two-Public-IP-Address-f...), but it doesn't meet my expectations
@Matthieu_B you can do this with several gateways, but there's no need for these.
"VPN Link selection" will be the feature you need. You can define more than one interface to be used for VPN connections. You can do LoadSharing or HA on the defined links. With Check Point Gateways on both ends of the tunnel you have to enable these, setting the relevant interfaces, defining the source IP addresses and that's it. Via RDP probing on port UDP/259 the availability of the line will be probed. Start with your configuration here:
With third-party gateways you have to define the other gateways as "interoperable device", and with this setting DPD (Dead Peer Detection) is used to probe the line. I don't remember from which release the support of DPD started, but from R80.40 you'll be fine.
This is for R77, but it's exactly the same for R80+
https://sc1.checkpoint.com/documents/R77/CP_R77_SecurityGatewayTech_WebAdmin/89364.htm
What I did for one customer is check the option to apply to VPN settings, so then in link selection, make sure under view options that the primary link is what you prefer, and then it would fail over to the other one if there are any issues. Now, ISP redundancy is NOT supported for remote access, so if you need that, it might be a bit trickier to make it work, depending on requirements.
