ISP Redundancy and VPN

Note - The ISP Redundancy settings override the IPsec VPN > VPN Link Selection settings in the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. object in SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on..

When ISP Redundancy is enabled, VPN encrypted connections survive a failure of an ISP link.

Step

Instructions

1

Connect with SmartConsole to the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages this Security GroupClosed A logical group of Security Appliances that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. Every Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..

2

From the left navigation panel, click Gateways & Servers.

3

Open the applicable Security Gateway object.

4

In the left navigation tree, go to Other > ISP Redundancy.

5

Select Apply settings to VPN traffic.

6

In the left navigation tree, go to IPsec VPN > Link Selection.

7

Make sure that Use ongoing probing. Link redundancy mode shows the mode of the ISP Redundancy:

High Availability (for Primary/Backup) or Load Sharing.

The VPN Link Selection now only probes the ISP configured in ISP Redundancy.

If the VPN peer is not a Check Point Security Gateway, the VPN may fail, or the third-party device may continue to encrypt traffic to a failed ISP link.

  • Make sure the third-party VPN peer recognizes encrypted traffic from the secondary ISP link as coming from the Check Point clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..

  • Change the configuration of ISP Redundancy to not use these Check Point technologies:

    • Use Probing - Makes sure that Link Selection uses another option.

    • The options Load Sharing, Service Based Link Selection, and Route based probing work only on Check Point Security Gateways and Clusters.

      If used, the Security Group uses one link to connect to the third-party VPN peer.

      The link with the highest prefix length and lowest metric is used.