ISP Redundancy and VPN

Note - ISP Redundancy settings override the VPN Link Selection settings.

When ISP Redundancy is enabled, VPN encrypted connections survive a failure of an ISP link.

The settings in the ISP Redundancy page override settings in the IPsec VPN > Link Selection page.

Step

Instructions

1

Connect with SmartConsoleClosed Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Security Management ServerClosed Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management ServerClosed Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages this Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Scalable Platform Security Group.

2

From the left navigation panel, click Gateways & Servers.

3

Open the Security Gateway / Security Group object.

4

In the left navigation tree, go to Other > ISP Redundancy.

5

Select Apply settings to VPN traffic.

6

In the left navigation tree, go to IPsec VPN > Link Selection.

7

Make sure that Use ongoing probing. Link redundancy mode shows the mode of the ISP Redundancy:

High Availability (for Primary/Backup) or Load Sharing.

The VPN Link Selection now only probes the ISP configured in ISP Redundancy.

If the VPN peer is not a Check Point Security Gateway, the VPN may fail, or the third-party device may continue to encrypt traffic to a failed ISP link.

  • Make sure the third-party VPN peer recognizes encrypted traffic from the secondary ISP link as coming from the Check Point clusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing..

  • Change the configuration of ISP Redundancy to not use these Check Point technologies:

    • Use Probing - Makes sure that Link Selection uses another option.

    • The options Load Sharing, Service Based Link Selection, and Route based probing work only on Check Point Security Gateways/ Clusters / Security Groups.

      If used, the Security Gateway / Cluster Members / Security Group uses one link to connect to the third-party VPN peer.

      The link with the highest prefix length and lowest metric is used.