CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Has ISP redundancy started supporting more than 2 ISP links?

  1. #1
    Has ISP redundancy started supporting more than 2 ISP links?

    Hey guys,

    I just heard that Check Point has started supporting more than 2 links in ISP redundancy, is it true? Plus, can anyone please confirm if PBR can work along with ISP redundancy?

    AFAIK, and as mentioned in the admin guide, PBR won't work if ISP redundancy is enabled and we will have to switch that feature off.

  2. #2
    Re: Has ISP redundancy started supporting more than 2 ISP links?

    Originally posted by blason:
        Hey guys,

        I just heard that Check Point has started supporting more than 2 links in ISP redundancy, is it true? Plus, can anyone please confirm if PBR can work along with ISP redundancy?

        AFAIK, and as mentioned in the admin guide, PBR won't work if ISP redundancy is enabled and we will have to switch that feature off.

    Hmm, that is news to me. There is no way to add more than 2 ISPs that I can see, at least through the SmartDashboard.

    ISP Redundancy can make routing changes in the Firewall Path on the outbound side of the kernel (o->O) based on what defined ISPs are up, and that is well after regular destination-based IP routing or PBR has occurred in the IP driver. Unless PBR is somehow integrated into the INSPECT driver as opposed to being handled exclusively in the IP driver I don't see how that could work.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  3. #3
    Re: Has ISP redundancy started supporting more than 2 ISP links?

    Well, I came to know from Check Point that there is a customer-specific hotfix available by which 10 ISPs can be configured in ISP redundancy. Even this is surprising to me.

  4. #4
    Re: Has ISP redundancy started supporting more than 2 ISP links?

    Again pertaining to the same question: since I now have a VPN tunnel configured between sites, and as PBR does not support it, I need to exclude a couple of IPs from the VPN tunnel. Is that possible? Like this:


    10.1.1.0/24-----10.1.1.1-20.20.20.1=========30.30.30.1----192.168/16

    10.1.1.0/24 -> Encryption Domain at other site
    192.168/16 is an encryption domain at my end

    and I want 192.168.1.50 to be routed differently and don't want to send it through the tunnel, hence wondering if that is possible?

  5. #5
    Re: Has ISP redundancy started supporting more than 2 ISP links?

    There is a special macro called NON_VPN_TRAFFIC_RULES that will prevent traffic from being sent through the VPN. You can edit the user.def file or the crypt.def file using the Check Point INSPECT language to define this. Just search the support center and you'll find a few SKs on it.

  6. #6
    Re: Has ISP redundancy started supporting more than 2 ISP links?

    Yep I found that option and need to implement that. Will keep you guys posted on it.
