The business has asked me to implement a single virtual firewall on a Check Point 15400 appliance as per the attached network topology. The idea is to achieve end-to-end secure connectivity for O365 applications. In future, there will be additional virtual firewalls on the existing VSX and another VSX gateway to achieve HA, but as of now there is only one virtual firewall.
I have the following concerns and do not have clarity on whether it can be done or not. I would appreciate it if someone could shed some light on them.
1> Can I connect two physical ports from the Nexus 9000 switch (ACI switch) to the VSX gateway in a bond?
2> Can I configure the virtual firewall's external segment as Layer 3 and the internal segment as Layer 2? As per the network topology, the virtual firewall running at the DC will be connected to HQ over a point-to-point Layer 2 link.
3> Does the virtual firewall support IPsec VPN over a Layer 2 point-to-point link (DC to HQ)?
4> Does the virtual FW support dynamic routing if an IPsec VPN is configured? What are the pros and cons?
5> Your views and best practices around the FW participating in end-to-end BGP routing? Is there any performance impact if BGP runs on the virtual FW?
6> While creating a virtual system on a single VSX member, should I create a virtual switch or a virtual router, given that the virtual firewall will be using the BGP routing protocol?
7> Does the Check Point FW support vPC between the Nexus 9k switches and the virtual FW to form a link aggregation?
8> Does the FW shape the traffic when it passes traffic from its 10 Gbps interface to the 1 Gbps Layer 2 links?