R77.20 Gaia ISP Redundancy Few Questions

[ark.heidel]

Hello everyone,

I'm actually dealing with the possibility of ISP redundancy and got a few question. We've got 2 ISP ISP A and ISP B. We've got several servers statically natted behind ISP A' addresses. I'm trying to use ISP B for outgoing web traffic and if ISP B fails, I'd like to use ISP A.

I read the documentation and got a few questions:

1. When ISP A fails all of my statically natted servers are offline except i configure according to sk25152, correct ?

2. If i configure a http forward proxy according to sk25152 (using IP of ISP A and ISP B) is it still possible to prefer the way over ISP B ?

3. Is it possible that my forward proxy automatically switches to ISP A, if ISP B fails ?

Thanks for your help!

Regards
Alex

[mcnallym]

1.) That is correct as would need use the ISP IP Range to get inbound traffic to the Firewall

2.) No https://supportcenter.checkpoint.com...duct=ClusterXL, shows how can force a service over Link 1 but you cannot force over Link 2

3.) Not relevant as couldn't be done. Can only force traffic on Link A

In my opinion the ISP Redundancy is something that got started, but never finished. I did hear a rumour once that the Developers working on the feature upped sticks and went to StoneSoft which is now part of McAfee.
Is quite telling that the configuration for ISP Redundancy moved from Topology to Other, almost as if trying to quietly lose it.

If you really need ISP Redundancy with Check Point then would suggest that better off looking for an external solution unless all that looking to do is Hide NAT outbound Traffic over multiple lines for redundancy, say at a Branch Office where can Hide NAT Traffic to the Internet and provide resilience for VPN Connectivity to the other Branch/Central Office Check Point Gateways.

[ark.heidel]

Hi mcnallym,

thanks for all your answers! You helped me alot.

Regards
Alex

[linux.guru]

I have a bit different situation.
I have 2 clusters in 2 different data centers connected to 2 different ISPs.

Our main internal segment (10.0.0.0/8) NAT outgoing to the internet via only one ISP at the moment. Traffic originating in SECOND data center going to the internet goes to our MAIN data center and out to the internet. I want to fail over to the secondary ISP link via our second data center in case our MAIN datacenter ISP fails. The following picture explains:


(10.0.0.0/8) -----CP-cluster-MAIN ---- NAT-ISP-IP(1.1.1.1) ------Internet

(10.0.0.0/8) -----CP-cluster-SECOND --NAT-ISP-IP(2.2.2.2) -----Internet

We have some NAT servers going out using 1.1.1.0/24 ip addresses, but it is not a concern at moment. We want to fail over the internet connection for our 10.0.0.0/8 user's segment.

Setting up the nat for the 10.0.0.0/8 as hide behind Gateway, is one step, is there a document from Checkpoint that covers all possible pitfalls when trying to connect to multiple ISPs.?

[mcnallym]

The Security Gateway Tech Admin Guide is a good place to start.

ISP Redundancy is about configuring 2 ISP into 1 Cluster/Gateway. Your Diagram shows 2 Clusters each with 1 ISP Redundancy

From your diagram then you need to failover from Cluster A to Cluster B which isn't what ISP Redundancy will do for you.

You would need to span the External Networks between the two DataCenters and then connect each Cluster to Each ISP Link.

Or would need to find a way to reroute Internet Traffic to the Cluster B.

[laf_c]

I have a bit different situation.
I have 2 clusters in 2 different data centers connected to 2 different ISPs.

Our main internal segment (10.0.0.0/8) NAT outgoing to the internet via only one ISP at the moment. Traffic originating in SECOND data center going to the internet goes to our MAIN data center and out to the internet. I want to fail over to the secondary ISP link via our second data center in case our MAIN datacenter ISP fails. The following picture explains:


(10.0.0.0/8) -----CP-cluster-MAIN ---- NAT-ISP-IP(1.1.1.1) ------Internet

(10.0.0.0/8) -----CP-cluster-SECOND --NAT-ISP-IP(2.2.2.2) -----Internet

We have some NAT servers going out using 1.1.1.0/24 ip addresses, but it is not a concern at moment. We want to fail over the internet connection for our 10.0.0.0/8 user's segment.

Setting up the nat for the 10.0.0.0/8 as hide behind Gateway, is one step, is there a document from Checkpoint that covers all possible pitfalls when trying to connect to multiple ISPs.?

First of all you are concerned to provide redundancy only to MAIN internal segment?
Next, how do you reach main DC from 2nd location? A Darkfiber/L2 service?
Third you talked about outgoing NAT, what about inbound NAT is this also required? Basically you host services on your main segment that are accessed from outside/Internet?

[linux.guru]

First of all you are concerned to provide redundancy only to MAIN internal segment?
Next, how do you reach main DC from 2nd location? A Darkfiber/L2 service?
Third you talked about outgoing NAT, what about inbound NAT is this also required? Basically you host services on your main segment that are accessed from outside/Internet?

1- Yes, the main segment going to the internet.
2- main DC connects to second DC via fiber ring. We maintain connection to lan-second-DC via Layer 3. So we want to recover from failure at the main DC for our internal MAIN internal segment.
We have one Main-DC Checkpoint cluster Nat Main internal segment --- Internet with 1.1.1.1 (ISP #1)
We have second-DC Checkpoint cluster ---- Internet ( ISP #2)
3- The inbound NAT is in the future when we build the redundancy for servers in the second-DC

My question is, since we have 2 Checkpoint clusters and using the same object that defines our internal segment (10.0.0.0/8), if we nat this segment with a hide nat behind the gateway, will this be enough to actually nat the segment via second-DC checkpoint cluster ---- INternet 2.2.2.2 (ISP #2)

We will have the route priority in our internal switches sending the traffic with different priorities to MAin-Dc or Second-DC.

..............I guess I could build this in the lab and check the NAT behavior.......
Any experience that someone wants to share is really appreciated.


thanks

[laf_c]

At this point I see no issue using same object as source for a manual NAT policy. Still this has nothing to do with the ISP redundancy feature.

Also for inbound redundancy you should employ BGP with a network prefix advertised by each ISP on each DC.