| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| Hello, I am working on a solution with high availability and I would like to be sure about VPN and ISP redundancy. If I have a firewall A with 2 ISPs (primary link with ISP1/backup with ISP2), and a VPN with a firewall B, do firewalls A and B have to be managed by the same SmartCenter for the VPN/ISP redundancy to work? If a link fails on firewall A, how will firewall B know that it has to go through the ISP2 link on the Firewall instead of ISP1? As Firewall A will have 2 public addresses, how will Firewall B learn the second IP address, as the object is defined with 1 IP address? Can this work if the 2 Firewalls are not managed by the same SmartCenter? If both Firewall A and B use ISP redundancy, will the VPN redundancy still work? Do I have to use interface VPN with dynamic routing for the redundancy? I realize this is a lot of questions, but I would like to have a better understanding of how this works exactly in order to implement it. Cheers, Fabien |
| ISP Redundancy is separate to VPN, and VPN link selection is only tied to the ISP Redundancy settings if the Enable for VPN is ticked in the ISP Redundancy page. If you don't tick it, then which IP address is used is dependent upon how you configure the VPN Link selection. However, the remote VPN gateways do not have to be managed by the same SmartCenter; you merely have to tell them about the extra interface: if Check Point, can use MEP on the other SmartCenter to tell about both IP addresses, or if non-Check Point, just define as a backup gateway to the secondary link. |