On Check Point firewall (R77), in the Topology config. section that is
used for anti-spoofing, is it possible to configure 2 different
External interfaces?
It is possible - for example, this document on ISP Redundancy in R77 clearly describes that case:
If the Security Gateway has two external interfaces in the Topology
page of the gateway object, you can configure the links automatically.
And this snippet of a CCSA Exam Cram states:
- You can have multiple interfaces defined as external.
...In [this] case, the same behavior of calculating external topology
applies to all externally defined interfaces—that is, any network not
included on any of the internal interfaces is valid on all external
interfaces.
However, there may be complications. For example, there's a specific setting to make it break less stuff: "Support connectivity enhancement for gateways with multiple external addresses". To quote a portion of it:
The problem is that the VPN-1 Gateway needs a routing mechanism that
can route packets, returned to the Office Mode IP addresses, to the
appropriate external router when the VPN-1 Gateway has two external
interfaces, based on from which VPN-1 Gateway external IP address the
SecureClient Office Mode connections came.
The option "Support connectivity enhancement for gateways with
multiple external interfaces" addresses this specific need.
There also used to be an issue where an Unlimited license was required for traffic to route across the two external interfaces. That thread's 10 years old now, though, so take that with a grain of salt.
I haven't had significant Check Point console time for 10 years myself, but my recollection is that when I was working with it, I worked on a few implementations that had multiple external interfaces, without any particular problems*.
*...due to the multiple interfaces.
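
The anti-spoofing rule quoted from the Exam Cram above, as an added example that is not part of the original answer and not Check Point code: a simplified model in which a source address is valid on every external interface unless it belongs behind an internal one. The interface names and networks are constructed for illustration.

```python
import ipaddress

# Constructed topology (assumption): interface names and networks are made up.
TOPOLOGY = {
    "eth0": {"external": True,  "networks": []},
    "eth1": {"external": True,  "networks": []},
    "eth2": {"external": False, "networks": ["10.1.0.0/16"]},
    "eth3": {"external": False, "networks": ["192.168.50.0/24", "172.16.8.0/22"]},
}

def internal_networks(topology):
    """All networks defined behind any internal interface."""
    return [ipaddress.ip_network(n)
            for iface in topology.values() if not iface["external"]
            for n in iface["networks"]]

def source_allowed(topology, in_iface, src):
    """Return True if a packet with source `src` is valid on `in_iface`."""
    addr = ipaddress.ip_address(src)
    iface = topology[in_iface]
    if iface["external"]:
        # External: valid unless the source belongs behind an internal interface.
        # The same calculated set applies to every external interface.
        return not any(addr in net for net in internal_networks(topology))
    # Internal: valid only if the source is in this interface's own networks.
    return any(addr in ipaddress.ip_network(n) for n in iface["networks"])

def check_batch(topology, packets):
    """Map (iface, src) -> verdict for a list of (iface, src) pairs."""
    return {(i, s): "accept" if source_allowed(topology, i, s) else "drop (spoofed)"
            for i, s in packets}

if __name__ == "__main__":
    # Constructed sample packets: (incoming interface, source address).
    sample = [("eth0", "203.0.113.7"), ("eth1", "203.0.113.7"),
              ("eth1", "10.1.4.4"), ("eth2", "10.1.4.4"), ("eth2", "192.168.50.9")]
    for key, verdict in check_batch(TOPOLOGY, sample).items():
        print(key, verdict)
```

The same Internet source is accepted on both external interfaces, while an internal address arriving on either external interface, or on the wrong internal interface, is dropped as spoofed.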