CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.

We need to configure ISP redundancy in such a way that for http/https/ftp services one link would be used and for the rest of the services the other link would be used. If the first link goes down, the second link should take care of its services and vice versa... We are using Crossbeam boxes and recently installed R65 on both boxes... Any suggestions?

This isn't how ISP Redundancy is designed. It is designed so that you either use both lines in Load Sharing, where you implement your own DNS server internally for your public addresses and the load sharing is done by the DNS proxy alternating which ISP address it gives out, or in Active/Backup, where it sends all traffic down one line until it fails and then swaps over. If the remote src/dst is known then you can implement static routes to send the traffic down the alternative line; however, you can't do service-based routing, and this is purely normal address-based routing.

Yeah, this is very simple link redundancy; a firewall is a firewall, not a load balancer... It's a very simple active/backup link for your external interfaces to your ISP; it cannot do service-based routing. One way, as mcnallym pointed out, is to do static routes based on destination. This is manual, and only good if your destination is known and doesn't change. If you are looking at very dynamic incoming/outgoing link load balancing, I would suggest you go for a dedicated external load balancer, like Radware or F5.

Terminating the ISP links on a router sitting in front of your firewall and implementing policy-based routing would allow you to implement this solution.

Not strictly true. You can specify that certain traffic, when in Load Sharing, can go out via the first link. You cannot specify traffic to go out the other link; this would still be load-shared across both links. Also, all Static NAT goes out only the first ISP link anyway. Also, this affects all gateways, not just one, so I wouldn't really say it is a good enough solution for what he wants. ISP Redundancy is OK as a starting point for maybe small companies, but still no substitute for a real load balancer.

ISP Redundancy is new to me. Can you recommend any good docs on the Check Point site or user guides where it gives good detail and recommended practices around this? Thanks
-- tdvit, CCSA CCSE

If the reason is that you wish to ensure a specific quality of service for http/https or other services then take a look at QoS. You could consider using the ISP providers in Load Sharing mode and configuring QoS.

Hi - just thought I'd add this to the pot for everyone's information. We are quite a heavy CP site and have been for quite some years; however, we have just done a refresh on one of our sites and have gone for StoneGate firewalls instead. The feature being asked for here is fully supported by what they call Multi-Link, in that you can have the following scenarios:
- Fully load-balanced (based upon RTT, ratio or protocol)
- Partial load balancing (load balance certain types of traffic or by src/dst)
- Active/Standby
- Or any combination of the above in one policy.
Plus, no need for dynamic routing, and we can now use as many ISP connections as we want to. I know this may not help "amitbhatia20" with your initial request; however, for anyone else looking for this type of functionality it is worth considering.
styler

Hi, even NetScreen and Fortinet support this feature of policy-based routing based on source and destination and even services. I guess CP really lacks these features.
Regards, sebastan