CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: R77.20 Gaia ISP Redundancy Few Questions

  1. #1 (Alex)

    Hello everyone,

    I'm currently dealing with the possibility of ISP redundancy and have a few questions. We've got two ISPs, ISP A and ISP B. We've got several servers statically NATed behind ISP A's addresses. I'm trying to use ISP B for outgoing web traffic, and if ISP B fails, I'd like to use ISP A.

    I read the documentation and got a few questions:

    1. When ISP A fails, all of my statically NATed servers are offline unless I configure them according to sk25152, correct?

    2. If I configure an HTTP forward proxy according to sk25152 (using IPs of ISP A and ISP B), is it still possible to prefer the path over ISP B?

    3. Is it possible for my forward proxy to switch automatically to ISP A if ISP B fails?

    Thanks for your help!

    Regards
    Alex

  2. #2 (mcnallym)

    1.) That is correct, as you would need to use the ISP IP range to get inbound traffic to the firewall.

    2.) No. https://supportcenter.checkpoint.com...duct=ClusterXL shows how you can force a service over Link 1, but you cannot force it over Link 2.

    3.) Not relevant, as it couldn't be done. You can only force traffic on Link A.

    In my opinion, ISP Redundancy is something that got started but never finished. I did hear a rumour once that the developers working on the feature upped sticks and went to StoneSoft, which is now part of McAfee.
    It is quite telling that the configuration for ISP Redundancy moved from Topology to Other, almost as if trying to quietly lose it.

    If you really need ISP Redundancy with Check Point, then I would suggest that you are better off looking for an external solution, unless all you are looking to do is Hide NAT outbound traffic over multiple lines for redundancy, say at a branch office where you can Hide NAT traffic to the Internet and provide resilience for VPN connectivity to the other branch/central office Check Point gateways.
    Last edited by mcnallym; 2014-10-31 at 14:22.

  3. #3 (Alex)

    Hi mcnallym,

    Thanks for all your answers! You helped me a lot.

    Regards
    Alex

  4. #4 (linux.guru)

    I have a bit different situation.
    I have 2 clusters in 2 different data centers connected to 2 different ISPs.

    Our main internal segment (10.0.0.0/8) is NATed outgoing to the Internet via only one ISP at the moment. Traffic originating in the SECOND data center going to the Internet goes to our MAIN data center and out to the Internet. I want to fail over to the secondary ISP link via our second data center in case our MAIN data center ISP fails. The following picture explains:


    (10.0.0.0/8) -----CP-cluster-MAIN ---- NAT-ISP-IP(1.1.1.1) ------Internet

    (10.0.0.0/8) -----CP-cluster-SECOND --NAT-ISP-IP(2.2.2.2) -----Internet

    We have some NAT servers going out using 1.1.1.0/24 IP addresses, but that is not a concern at the moment. We want to fail over the Internet connection for our 10.0.0.0/8 users' segment.

    Setting up the NAT for 10.0.0.0/8 as Hide behind Gateway is one step. Is there a document from Check Point that covers all possible pitfalls when trying to connect to multiple ISPs?

  5. #5 (mcnallym)

    The Security Gateway Tech Admin Guide is a good place to start.

    ISP Redundancy is about configuring 2 ISPs into 1 cluster/gateway. Your diagram shows 2 clusters, each with 1 ISP.

    From your diagram, you need to fail over from Cluster A to Cluster B, which isn't what ISP Redundancy will do for you.

    You would need to span the external networks between the two data centres and then connect each cluster to each ISP link.

    Or you would need to find a way to reroute Internet traffic to Cluster B.

  6. #6 (laf_c)

    (quoting linux.guru, post #4 above)
    First of all, are you concerned with providing redundancy only for the MAIN internal segment?
    Next, how do you reach the main DC from the 2nd location? A dark fibre/L2 service?
    Third, you talked about outgoing NAT; what about inbound NAT, is this also required? Basically, do you host services on your main segment that are accessed from outside/the Internet?

  7. #7 (linux.guru)

    Quote Originally Posted by laf_c
    First of all, are you concerned with providing redundancy only for the MAIN internal segment?
    Next, how do you reach the main DC from the 2nd location? A dark fibre/L2 service?
    Third, you talked about outgoing NAT; what about inbound NAT, is this also required? Basically, do you host services on your main segment that are accessed from outside/the Internet?
    1- Yes, the main segment going to the Internet.
    2- The main DC connects to the second DC via a fibre ring. We maintain the connection to the LAN in the second DC via Layer 3. So we want to recover from a failure at the main DC for our MAIN internal segment.
    We have one Main-DC Check Point cluster NATing the main internal segment --- Internet with 1.1.1.1 (ISP #1)
    We have a second-DC Check Point cluster ---- Internet (ISP #2)
    3- The inbound NAT is for the future, when we build the redundancy for servers in the second DC.

    My question is: since we have 2 Check Point clusters using the same object that defines our internal segment (10.0.0.0/8), if we NAT this segment with a Hide NAT behind the gateway, will this be enough to actually NAT the segment via the second-DC Check Point cluster ---- Internet 2.2.2.2 (ISP #2)?

    We will have route priorities in our internal switches sending the traffic with different priorities to Main-DC or Second-DC.

    ..............I guess I could build this in the lab and check the NAT behavior.......
    Any experience that someone wants to share is really appreciated.


    thanks

  8. #8 (laf_c)

    At this point I see no issue using the same object as source for a manual NAT policy. Still, this has nothing to do with the ISP Redundancy feature.

    Also, for inbound redundancy you should employ BGP, with a network prefix advertised by each ISP in each DC.
