CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello, I have searched through this forum trying to find out how Check Point R65 (on SPLAT) supports two ISP links (via the ISP Redundancy load sharing feature) which operate at different speeds. However, I have not found anything in this forum, or in CP's documentation, that tells me how to do this. For example, I have one link that is 100 Mbps and one that is 45 Mbps. I want Check Point to proportionately load share the outgoing connections. The bandwidth ratio between the two circuits is 2.2 to 1, so I would want CP to send 2.2 outbound TCP connections to the faster link for every 1 connection sent to the slower link. Is this possible? If so, where do I configure this? Thanks much for your assistance.

Brian Clark

This is not possible, as the ISP Redundancy feature that is built into Check Point is a lightweight tool intended for simple, basic installations. You'll want to look at 3rd-party dedicated tools (such as the BigIPs) to do this kind of thing.

Someone else pointed me to a setting in the Check Point database. You can edit the gateway_cluster object in the database. There is a "weight" field for each ISP. The default weight value for each of my defined ISPs was 65,534; not sure why. I knocked this down to 100 and 45 for my links, respectively. Unfortunately, this didn't seem to make any difference. Anyone have any idea how to make this work? Anyone know anything about these "hidden" settings in the CP database?

Thanks, Brian

You are better off using an upstream dedicated device to do this. What a firewall will offer in the way of this will be limited at best, as the feature was designed for simple redundancy, not load sharing. Not to mention that you'll need to consider some sort of dynamic routing protocol, and it's a *much* better idea to get an upstream device to manage that sort of advertisement. If your organisation can afford 145 Mb of connections to the WAN/Internet, I'm sure they can find the appropriate funds for managing that WAN link. Use the right tool for the job.

Also, this feature is one of CP's competitive advantages. It is one of the reasons we chose CP over Cisco and Juniper. I am still trying to get this to work. Any troubleshooting suggestions are welcome.

Thanks, Brian

One question about this: how would you handle the return IP traffic? Without something sitting in front of the firewalls, I would have thought you could end up with circular routing issues, which would be more problematic than the original bandwidth issue.

We have several networks and bring them in to the different circuits via BGP, which runs on our routers. It works fine.

I found another "hidden" setting in the ISP Redundancy configuration. This one is documented in the CP Knowledgebase, Solution ID sk32225. It doesn't help me out much, but it does show some of the flexibility of the ISP Load Balancing features.

Configuring ISP Redundancy so that certain traffic uses a specific ISP

Solution

When using ISP Redundancy in Load Sharing mode (in the example discussed here, the Load Sharing involves two ISPs), one can specify that certain outgoing connections be routed through the first ISP link, while other outgoing connections are routed through the second ISP link. (If a link fails, all new outgoing connections are directed to the active link.)

This is achieved by manually editing an INSPECT table defined in $FWDIR/lib/table.def on the SmartCenter server. The table is called no_misp_services_ports and consists of a list of services. If an outgoing connection is using a service in that list, the connection will be routed through the first link.

For example, by default the table is defined as follows:

    no_misp_services_ports = { <500, 17>, <259, 17>};

By changing it to:

    no_misp_services_ports = { <500, 17>, <259, 17>, <80,6>};

(where <80,6> stands for HTTP (port 80) over TCP (IP protocol 6)), all outgoing HTTP traffic would go through the first ISP link.

Note the following limitations:

1. The table must be edited on the SmartCenter server, and the policy must be reinstalled. Changes made to this table will affect all Security Gateways running ISP Redundancy.
2. Outgoing connections on services not specified in this table will be distributed evenly between the two ISP links.
3. One cannot use this to route specific services through the 2nd link, only through the 1st link.
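The following is an added example, not code from this thread, from sk32225 or from Check Point. It parses the no_misp_services_ports definition in the syntax quoted above, adds services to it in the same layout so the edited line can be pasted back into table.def without a syntax slip, and models the per-connection decision the solution describes: a listed service is pinned to the first link, anything else is split across both links, and a failed link takes all new connections. The even split is modelled as a simple alternation on a connection counter; that alternation is an assumption for illustration, not Check Point's real distribution logic.

```python
"""Work with Check Point's no_misp_services_ports INSPECT table.

Added example; not code from the CPUG thread, sk32225 or Check Point.
It assumes the table syntax quoted in the thread, i.e.
    no_misp_services_ports = { <port, proto>, ... };
in $FWDIR/lib/table.def, and the routing rule described there:
a service listed in the table is pinned to the first ISP link, every
other outgoing connection is load-shared across both links, and a
failed link diverts all new connections to the surviving one.
"""
import re
from typing import List, Tuple

Service = Tuple[int, int]  # (destination port, IP protocol number)

TABLE_NAME = "no_misp_services_ports"
# Default contents quoted in sk32225: IKE (500/udp) and Check Point RDP (259/udp).
DEFAULT_LINE = "no_misp_services_ports = { <500, 17>, <259, 17>};"

_ENTRY_RE = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")
_LINE_RE = re.compile(rf"^\s*{TABLE_NAME}\s*=\s*\{{(.*)\}}\s*;\s*$", re.S)


def parse_table(line: str) -> List[Service]:
    """Parse the table definition into an ordered, de-duplicated list of (port, proto)."""
    m = _LINE_RE.match(line)
    if m is None:
        raise ValueError(f"not a {TABLE_NAME} definition: {line!r}")
    body = m.group(1)
    # Anything left after removing well-formed <port, proto> pairs and commas is a
    # typo (for example "<80>" or "<80, tcp>"); refuse rather than silently drop it,
    # because a malformed table.def breaks policy installation for every gateway.
    leftover = _ENTRY_RE.sub("", body).replace(",", "").strip()
    if leftover:
        raise ValueError(f"unparsed content in {TABLE_NAME}: {leftover!r}")
    entries: List[Service] = []
    for port_s, proto_s in _ENTRY_RE.findall(body):
        svc = (int(port_s), int(proto_s))
        if not (0 < svc[0] <= 65535 and 0 <= svc[1] <= 255):
            raise ValueError(f"invalid entry <{svc[0]}, {svc[1]}>")
        if svc not in entries:
            entries.append(svc)
    return entries


def render_table(entries: List[Service]) -> str:
    """Render entries in the exact layout used in table.def."""
    items = ", ".join(f"<{p}, {pr}>" for p, pr in entries)
    return f"{TABLE_NAME} = {{ {items}}};"


def pin_services(line: str, *new: Service) -> str:
    """Return the table line with the given services added, so they use the first ISP link."""
    entries = parse_table(line)
    for svc in new:
        if svc not in entries:
            entries.append(svc)
    return render_table(entries)


def choose_link(entries: List[Service], dst_port: int, proto: int, conn_seq: int,
                link1_up: bool = True, link2_up: bool = True) -> int:
    """Model which ISP link (1 or 2) a new outgoing connection takes.

    Pinned services always go to link 1 (the table cannot pin to link 2).
    The even split for everything else is modelled by alternating on
    conn_seq, a per-gateway connection counter; this alternation is an
    assumption for illustration, not Check Point's real distribution logic.
    """
    up = [n for n, ok in ((1, link1_up), (2, link2_up)) if ok]
    if not up:
        raise RuntimeError("both ISP links are down")
    if len(up) == 1:
        return up[0]            # failover: all new connections to the active link
    if (dst_port, proto) in entries:
        return 1                # service listed in the table: first link
    return 1 if conn_seq % 2 == 0 else 2


if __name__ == "__main__":
    line = pin_services(DEFAULT_LINE, (80, 6))      # add HTTP, as in sk32225
    print(line)
    table = parse_table(line)
    for seq, (port, proto) in enumerate([(80, 6), (443, 6), (443, 6), (53, 17)]):
        print(f"conn {seq} -> {port}/{proto} via ISP link {choose_link(table, port, proto, seq)}")
```

The point of modelling the decision rather than only editing the line is limitation 3 above: once HTTP is listed, every HTTP connection lands on link 1 regardless of load, so pinning a heavy service to the faster link does not get you a 2.2:1 split, it moves that service entirely off the slower link. Run the script to see the pinned and load-shared cases side by side, and keep the parser's strictness: a stray character in table.def is pushed to every gateway on the next policy install.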