Site to Site VPN Redundancy with Palo Alto


#1

Hi Guys,

Has anyone worked with these two ?

I need to setup 2 different VPNs, different public local and peer addresses, same networks behind the firewalls.

Palo Alto has Tunnel Monitor working and its great.

But Checkpoint ? Whats the best approach here ? Should the secondary interoperable device be added to the same community ? What happens with routes ?


#2

@Brad_Spilde? I’ve never done multi-vendor redundant site-to-site.


#3

I’ve got it working kinda …

On Check Point side, secondary IP added to the same community, added the secondary route for remote network to the routing table.

Palo Alto doing its thing with tunnel monitoring.

On testing (Logically bringing down the tunnel and/or physically disconnecting interface) ping is acting a bit strange giving timeouts, yet others services like https, snmp, etc. are working correctly.


#4

@Rodrigo_Castellanos So the tunnel doesn’t actually go down while you are doing the ping? Any incomplete “end reasons” on the traffic logs?


#5

Checkpoint doesn’t support VPN redundancy with 3rd party gateways.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106585


#6

For Check Point it does work, but you need to use VTP interfaces. Here is an howto from Amazon, on how to connect two VPN tunnels against their two redundant VPN endpoints including failover

https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/check-point-NoBGP.html