CPUG: The Check Point User Group
#1  2006-12-14  Ted Odom (Junior Member)
ISP Redundancy failover, impact to outbound non FW hosts

Is it possible for sessions initiated outbound to use the NAT associated with the remaining ISP interface that is not assigned to the firewall object?

I have SPLAT NGX 61 running with 2 ISP connections. Currently it is defined in Primary/Backup. The Email server has an IP address associated with each interface. I use manual address translation for incoming packets for each interface, 2 statements. Outgoing I also have manual address translation for each interface, 2 statements. I have defined a host route from each routable address to this host and have manually added an ARP entry for each external host address.

When both links are up everything works fine. I can shift to load sharing and both interfaces are used properly.

When I take the primary down the packets are still being translated using the primary static NAT, so the packets are not routable through that interface.

If I use "hide behind the gateway", this is a different IP address than the one the host uses, so conversations are not being handled over the same IP address.
#2  2006-12-14  Ted Odom (Junior Member)
Re: ISP Redundancy failover, impact to outbound non FW hosts

It now works!!!!
Look at Check Point sk25152. It explains how to make the static NATs for the primary interface not be used when it is down. It involves the use of dynamic objects in the NAT rules, dynamic commands, as well as script updates to $FWDIR/bin/cpisp_update.

I followed the instructions on our FW. I then pulled the primary interface. The outgoing Email now uses the static NAT to the 2nd interface. I confirmed I was able to send and receive Email.

I tested this under both options, Load Balancing and Primary/Backup.
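The mechanism the post describes (static NAT rules that reference dynamic objects, kept in step with link state by a hook in $FWDIR/bin/cpisp_update) can be shown as a small helper script. This is an added example, not the contents of sk25152 and not the poster's script. The link names (ISP1, ISP2), the dynamic object names, the routable addresses of the mail server and the idea that cpisp_update hands the hook a link name and an up/down state are all constructed for illustration; the one real thing it relies on is the Check Point `dynamic_objects` utility, whose `-o <object> -r <from> <to> -a|-d` syntax adds or removes an address range from an object. Check that syntax against the version on your own gateway before wiring it in.

```shell
#!/bin/sh
# Added example (not from sk25152 or the original post): helper that a
# cpisp_update hook can call when an ISP link changes state. It empties
# the dynamic object used by that link's static NAT rules on "down" and
# refills it on "up", so the other link's static NAT rule is the one that
# matches while the primary is out. Link names, object names and addresses
# below are constructed; replace them with your own.

# Constructed mapping: ISP link name -> dynamic object referenced by its
# manual static NAT rules.
nat_object_for() {
  case "$1" in
    ISP1) echo "mail_nat_isp1" ;;   # primary link
    ISP2) echo "mail_nat_isp2" ;;   # backup link
    *)    return 1 ;;
  esac
}

# Constructed mapping: ISP link name -> routable address of the mail server
# on that link (the address the static NAT rule translates to/from).
nat_address_for() {
  case "$1" in
    ISP1) echo "198.51.100.10" ;;
    ISP2) echo "203.0.113.10" ;;
    *)    return 1 ;;
  esac
}

# Build the dynamic_objects command for a link/state pair and print it.
# A single address is expressed as the range <addr> <addr>.
# Returns 1 (with a message on stderr) for an unknown link or state.
plan_update() {
  link="$1"
  state="$2"
  obj=$(nat_object_for "$link") || { echo "unknown link: $link" >&2; return 1; }
  addr=$(nat_address_for "$link") || { echo "no address for: $link" >&2; return 1; }
  case "$state" in
    up)   echo "dynamic_objects -o $obj -r $addr $addr -a" ;;
    down) echo "dynamic_objects -o $obj -r $addr $addr -d" ;;
    *)    echo "unknown state: $state" >&2; return 1 ;;
  esac
}

# Run the planned command. DYNOBJ_RUN defaults to "sh -c" (really execute);
# set DYNOBJ_RUN=echo for a dry run that only prints what would be executed.
apply_update() {
  cmd=$(plan_update "$1" "$2") || return 1
  ${DYNOBJ_RUN:-sh -c} "$cmd"
}

# Stand-alone use: ./isp_nat_hook.sh <link> <up|down>
# (The assumption that cpisp_update can supply these two values is the
# part to verify against the script on your own gateway.)
if [ "$#" -eq 2 ]; then
  apply_update "$1" "$2"
fi
```

Before this does anything useful the dynamic objects have to exist (`dynamic_objects -n mail_nat_isp1`, and likewise for the second) and the manual NAT rules have to reference them instead of the fixed per-ISP addresses; `dynamic_objects -l` shows their current contents, which is the first thing to look at when failover does not behave. Two caveats a practitioner will hit: connections that were already established through the primary translation are not migrated, they simply time out, and the proxy ARP entries for both routable addresses still have to be present on the gateway, since the hook only changes which NAT rule matches, not who answers for the address.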
#3  2006-12-18  eigrich (Junior Member)
Re: ISP Redundancy failover, impact to outbound non FW hosts

Quote:
Originally Posted by Ted Odom
It now works!!!!
Look at Check Point sk25152. It explains how to make the static NATs for the primary interface not be used when it is down. It involves the use of dynamic objects in the NAT rules, dynamic commands, as well as script updates to $FWDIR/bin/cpisp_update.

I followed the instructions on our FW. I then pulled the primary interface. The outgoing Email now uses the static NAT to the 2nd interface. I confirmed I was able to send and receive Email.

I tested this under both options, Load Balancing and Primary/Backup.
Can you please send me the detailed knowledge base article? I cannot find sk25152 on the Check Point website. Maybe I don't have access to it??

Thanks
#4  2006-12-19  chillyjim (Senior Member, Upstate NY)
Re: ISP Redundancy failover, impact to outbound non FW hosts

Quote:
Originally Posted by eigrich
Can you please send me the detail knowledge base? I cannot find sk25152 in checkpoint website. Maybe I don't have access to it??
You need advanced access (re a support contract or your CCSE) to see this one.