Checkpoint UTM Firewall Clusters Part 1

    I recently spent some time setting up a Checkpoint Firewall cluster using UTM firewall appliances. I'm going to post several configuration tips I learned the hard way. I did not find the documentation to be all that useful, though I was in a bit of a rush, so I might have missed something.
   Anyway, I'm laying out the topology in this post. Here are our nets:


                                                                                                                                                                                                                                                                                                               

Interface Name	Subnet	Comments
ext	10.10.10.0/24	external network
int	192.168.5.0/24	router net
LAN1	172.31.24.0/28	sync network
LAN2	172.31.23.0/24	network management subnet
LAN3	172.31.22.0/24	DMZ1
N/A	192.168.6.0/23	Corporate LAN (behind L3 switch)
N/A	192.168.8.0/23	Engineering LAN (behind L3 switch)
N/A	192.168.10.0/23	QA LAN (behind L3 switch)
N/A	172.17.16.0/22	subnet from CO-LO - from VPN tunnel

Note that there is a layer 3 switch behind the inside interface on the Checkpoint cluster, and that at least three VLAN/subnets are behind that switch. Note that there is an IPSec tunnel to the co-lo facility, and that tunnel terminates on the L3 switch in the router network (the endpoint is 192.168.5.200.)
Here is a simple diagram of the configuration: