ISP Redundancy and VPN

Note - ISP Redundancy settings override the VPN Link Selection settings.

When ISP Redundancy is enabled, VPN encrypted connections survive a failureClosed A hardware or software problem that causes a Security Gateway to be unable to serve as a Cluster Member (for example, one of cluster interface has failed, or one of the monitored daemon has crashed). Cluster Member that suffered from a failure is declared as failed, and its state is changed to Down (a physical interface is considered Down only if all configured VLANs on that physical interface are Down). of an ISP link.

The settings in the ISP Redundancy page override settings in the IPsec VPN > Link Selection page.

Step

Instructions

1

Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages this ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..

2

From the left navigation panel, click Gateways & Servers.

3

Open the Cluster object.

4

In the left navigation tree, go to Other > ISP Redundancy.

5

Select Apply settings to VPN traffic.

6

In the left navigation tree, go to IPsec VPN > Link Selection.

7

Make sure that Use ongoing probing. Link redundancy mode shows the mode of the ISP Redundancy:

High Availability (for Primary/BackupClosed (1) In VRRP Cluster on Gaia OS - State of a Cluster Member that is ready to be promoted to Master state (if Master member fails). (2) In VSX Cluster configured in Virtual System Load Sharing mode with three or more Cluster Members - State of a Virtual System on a third (and so on) VSX Cluster Member. (3) A Cluster Member or Virtual System in this state does not process any traffic passing through cluster.) or Load Sharing.

The VPN Link Selection now only probes the ISP configured in ISP Redundancy.

If the VPN peer is not a Check Point Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., the VPN may fail, or the third-party device may continue to encrypt traffic to a failed ISP link.

  • Make sure the third-party VPN peer recognizes encrypted traffic from the secondary ISP link as coming from the Check Point cluster.

  • Change the configuration of ISP Redundancy to not use these Check Point technologies:

    • Use Probing - Makes sure that Link Selection uses another option.

    • The options Load Sharing, Service Based Link Selection, and Route based probing work only on Check Point Security Gateways/ Clusters / Security Groups.

      If used, the Security Gateway / Cluster Members / Security Group uses one link to connect to the third-party VPN peer.

      The link with the highest prefix length and lowest metric is used.