CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
1. DNS behind FW: we have a DNS server for external domain name resolution which chats with the ISP DNS server. For servers with incoming access from the Internet, if the server has 2 Internet IP addresses, each from one ISP, and two NAT rules are added, what else needs to be done to make sure the server is reachable from the Internet when one ISP link fails? Does that mean the server has one name with two IP addresses in the DNS server? But how can the DNS server know one link is down? Or ...?
2. VPN: for site-to-site VPN, how to configure the FW's two IPs in the remote FWs? For SecuRemote, establish 2 sites? Please help.

1. Most DNS requests will be answered by the Check Point DNS Proxy, which will take care of which links are down for you. It will answer hostname or A records, but other requests will be forwarded to the DNS server, i.e. MX. If the DNS has two MX records, then if the first ISP is down the email will retransmit to the secondary MX record. You will also need to follow the information regarding creating the Dynamic Objects in SmartDashboard and then on the actual firewalls themselves from the knowledgebase and the NGX documentation.
2. For VPNs you can enable the VPN as well, and for Check Point firewalls that you manage they will know about the ISP Redundancy on the system and will use the other link if the first fails. For non-Check Point firewalls you need to define a secondary gateway, also with Check Point firewalls you don't manage. SecuRemote/SecureClient will pick up both links via Topology download and handle which line to use automatically for you. If the line drops you need to disconnect and reconnect, which will then go to the other link.

Thanks, Sir.
1. But still not clear about how the FW DNS Proxy works. Client DNS request -> FW -> DNS server? How can the client know the DNS request should go to the FW?
2. More details about the FW object config on remote Check Point FWs? Where to set the second FW IP? When we set up the SecuRemote site, we use the IP address of the FW? You mean use one IP for site setup, and then the client will know the ISP redundancy topology of the FWs?
Last edited by ccnpding; 2007-06-19 at 19:25.

1. The Check Point DNS proxy is "transparent"; that means it grabs the query that was destined for the DNS server and answers it as if it were the said DNS server. So the client will think it always talked with the DNS server.
2. Not sure about site-to-site (guessing you probably need to define interfaces with the public IPs), but SecuRemote/SecureClient only need the IP initially to do the "Get topology". After that the VPN client will have all the information regarding VPN domain, interfaces, etc. As such, it will be aware that the firewall has 2 ISP links and will be able to make use of them.

Thanks mariol.
1. Actually the ISP's DNS server now works as the secondary DNS server for me, and the primary DNS server sits behind my FW. Then how can the secondary DNS (the ISP's DNS server) know that one of my ISP links is down and reply to client requests with the reachable IP instead of the unreachable one?
2. I learned that this can be done with Link Selection, which is available in R60 and later versions. But how can Link Selection be done in R55 SecurePlatform? The question is really interesting, and I'm planning to implement ISP redundancy and VPN redundancy here.

1. The ISP can't tell which address to give out based on whether a link is up or down. This is why Check Point say you need to host your own DNS, so that the Firewall Gateway can handle that for you.
2. Link Selection is an NGX feature; as such you need to upgrade to NGX from R55.

To clarify on my previous post: you should host your own DNS (behind the FW-1), using 1 IP from each ISP for primary and secondary. This means that even if one of the lines is down your DNS is still up and running. The DNS must be behind the firewall for it to be able to "manipulate" the results. If your ISP hosts your DNS, you won't be able to do anything there.

This seems to be a DNS issue. Whatever the case, the Internet should know how to send requests for my domain name to my DNS server, which will sit behind my FW. But my DNS server, which has 1 IP from each ISP, might have to register on Internet DNS servers (which may hold two records of my DNS server, each for an ISP's IP). Then how can the Internet servers know which IP to send the request to? ISP1's or ISP2's IP for my DNS server? Sorry, I am a bit new to Internet DNS.

You will need to register your DNS server IP addresses with both ISPs, i.e. each ISP knows about both IP addresses for the DNS server. If I remember DNS correctly (probably don't) then the ISP will forward the request to the first IP address, then if it doesn't get a response (as the ISP link is down) it will request from the second IP address. If the DNS makes a request and the DNS on the just can't be resolved then you would get a response back that it is unable to resolve, and it won't attempt to send to the second.

You need to create 2 records on the DNS, say:
- ns1.domain.com 1.1.1.1 (public IP from ISP1 range)
- ns2.domain.com 2.2.2.2 (public IP from ISP2 range)

Then the entity responsible for your domain must set those 2 records as the DNS servers for your domain. You will also need to NAT on the firewall to the internal DNS server. I'm sure I'm missing something... haven't played with DNS for a while.
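The two mechanisms the thread turns on are simulated below as an added example: the gateway's link-aware answering of A records (it hands back only the addresses that sit on an ISP link that is currently up), and the way an outside resolver walks the delegated ns1/ns2 servers and only falls through to the next one when a server does not respond, not when it answers that the name does not exist. This is constructed illustration code written for this page, not Check Point's DNS proxy and not any real resolver; the ISP prefixes 1.1.1.0/24 and 2.2.2.0/24, the example.com zone, the NS addresses and the link states are all assumed sample values, and the choice to return every record when both links are down is an assumption of this model.

```python
"""Constructed model of link-aware DNS answers plus resolver NS fallback.

Nothing here is Check Point's implementation; all prefixes, names and link
states are sample values made up for this example.
"""
import ipaddress

# Assumed: which public range belongs to which ISP link. A gateway that rewrites
# DNS answers needs exactly this mapping to know which addresses a down link takes with it.
ISP_PREFIXES = {
    "isp1": ipaddress.ip_network("1.1.1.0/24"),
    "isp2": ipaddress.ip_network("2.2.2.0/24"),
}

# Constructed zone held on the internal DNS server behind the firewall:
# one public address per ISP for the published host and for each name server.
ZONE = {
    "www.example.com": ["1.1.1.10", "2.2.2.10"],
    "ns1.example.com": ["1.1.1.1"],
    "ns2.example.com": ["2.2.2.2"],
}

# The two NS addresses the domain is delegated to (one per ISP), in resolver order.
NS_IPS = ["1.1.1.1", "2.2.2.2"]


class NoResponse(Exception):
    """Raised when a query to a name server never gets an answer (packet lost on a down link)."""


def link_for(ip: str):
    """Return the ISP link name an address belongs to, or None if it is outside both ranges."""
    addr = ipaddress.ip_address(ip)
    for name, net in ISP_PREFIXES.items():
        if addr in net:
            return name
    return None


def proxy_answer(name: str, link_state: dict):
    """Answer as the internal server would, but drop A records that live on a down link.

    Returns None for an unknown name (the equivalent of NXDOMAIN). If every link is
    down there is nothing useful to filter to, so the full record set is returned
    unchanged (an assumption of this model, not documented behaviour of any product).
    """
    records = ZONE.get(name)
    if records is None:
        return None
    live = [ip for ip in records if link_state.get(link_for(ip), False)]
    return live if live else list(records)


def query_nameserver(ns_ip: str, name: str, link_state: dict):
    """Model one query to a public NS address: if that address sits on a down ISP link
    the query never reaches the firewall, so the resolver sees a timeout."""
    if not link_state.get(link_for(ns_ip), False):
        raise NoResponse(ns_ip)
    return query_answer_via_proxy(name, link_state)


def query_answer_via_proxy(name: str, link_state: dict):
    # The query that did arrive is answered by the link-aware proxy in front of the zone.
    return proxy_answer(name, link_state)


def resolve(name: str, ns_ips: list, link_state: dict):
    """Walk the delegated name servers in order. Only a missing response moves the
    resolver on to the next server; a definite answer, including a negative one
    (None), is returned immediately. Returns (answer, list_of_servers_tried)."""
    tried = []
    for ns_ip in ns_ips:
        tried.append(ns_ip)
        try:
            return query_nameserver(ns_ip, name, link_state), tried
        except NoResponse:
            continue
    raise NoResponse("no delegated name server responded: " + ", ".join(tried))


if __name__ == "__main__":
    for state in ({"isp1": True, "isp2": True}, {"isp1": False, "isp2": True}):
        answer, tried = resolve("www.example.com", NS_IPS, state)
        print(f"links={state} tried={tried} answer={answer}")
    print("unknown name:", resolve("nope.example.com", NS_IPS, {"isp1": True, "isp2": True}))
```

With ISP1 down, the first NS address times out, the resolver retries against ns2 on the ISP2 range, and the answer it gets back has already been stripped to the ISP2 address of the host; with both links up it never leaves ns1. The point the later posts make is visible in the model: the filtering can only happen because the zone sits behind the gateway that knows the link state, and the fallback from ns1 to ns2 only works because both addresses were delegated for the domain.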