tunnels do not fail over correctly. If the encryption/authentication algorithm is supported in the master and not supported by the backup and you do not use NAT, tunnels fail over correctly, but they are not accelerated after failover.
If you use sequence validation in
You might want to enable sequence validation in the Check Point management application and IPSO, as described in the following procedure.
To enable sequence validation in the Check Point management application and IPSO
1. Click Advanced System Tuning under Configuration > System Configuration in the tree view.
Note
This option is available only when SecureXL is enabled.
2. On the Advanced System Tuning page, click the button to enable sequence validation.
3. Enable sequence validation in the Check Point management application.
4. Push the new policy to the IPSO appliance.
Configuring VRRP Rules for Check Point NGX
When you are using Check Point NGX FP1 and FP2 or later, you must define an explicit VRRP rule in the rulebase to allow VRRP Multicast packets to be accepted by the gateway. You can also block the VRRP traffic with an explicitly defined rule.
Caution
VRRP rule constructions used in Check Point
For information about how to configure VRRP rules for Check Point
Configuration Rule for Check Point NGX FP1
Locate the following rule above the Stealth Rule:
Nokia Network Voyager for IPSO 4.0 Reference Guide | 199 |