Can I use ISP redundancy internally to load balance between two internal links?

[blason]

Hey Guys,

I have two checkpoint boxes at two locations which are connected through point-to-point link using two links. Wondering if I can use ISP Redundancy to configure failover or loadbalance between two sites? In that I do not want to use Hide Nat and I believe for ISP Redundancy to route the traffic on other link if primary fails I need to have Hide nat configured?

Please suggest.

Link 1
[ SITE A ] ================ [ SITE B ]
[ ] Link 2 [ ]
[ ] ================ [ ]

[slowfood27]

Attaching 2 links to the same Check Point box adds no resilience to your infrastructure. If you really consider the reliabilty of your links to be a potential problem, then you would better add your own router (and yet another SPOF) in front the of the firewall and let him do the balancing job over the 2 links.

The correct solution would be:

A firewall cluster at each side
A HSRP router pair at each side
parallel links between the router pairs

[blason]

Of course adding up HA would give me resiliency but my question was; can I achieve link redundancy internally and not at ISP level. I believe there should not be any issue since checkpoint does not recognize if this is an public IPs or private IPs.

[Somers]

You can setup an Etherchannel, this will provide loadsharing and redundancy.
If your Checkpoint OS supports it, recent versions of IPSO, SPLAT and Gaia do, then you can set it up directly. If you're using an old Checkpoint version then you could use switches in the way, setup the Etherchannel on the switches and then uplink them to your checkpoints.
Checkpoint cover the setup in one of the administration guides, search for link aggregation on the support site and you'll find it.

[mcnallym]

You WON'T be able to use the Check Point ISP Redundancy feature to connect two sites in the way that you have suggested looking at doing.

If you use ISP Redundancy Load Sharing then it only actually goes out over the Primary Line, when using Static NAT it doesn't load balance. When you use Hide NAT then the traffic is balanced across the two lines. NAT is thereore important to the use of ISP Redundancy. If you don't want to use NAT then it won't work.

The ISP Redundancy configres two Next Hop addresses, 1 for each link, and if you look through then you will see that one of these is ALWAYS you Default Gateway. Upon detecting a failure then the ISP Redundancy Script will basically swap the Default Gateway of the box to the other Next Hop address that is configured for the remaining line.
In Load Sharing mode then traffic that is Statically NATted will be routed out over the link that is the Default Gateway at the time.

As the only route affected is the Default Gateway then this isn''t suitable as you have two sites that are linked, it isn't your site connecting to the Internet. You need specific routes manipulating, not your Default Gateway.