problem with isp redundancy in load sharing mode pls help

[sebastan_bach]

hi all i have setup my firewall with 2 external interface. i tried using isp redundancy in primary/backup mode and it worked perfectly fine. for this i had a single default route on the firewall without specifying the metric as mentioned in the documentation.

now i am trying to do in load sharing mode i select load sharing mode in the isp redundancy configuration and also check it in the smart monitor and it shows the both the links are in load sharing mode. but i am reach the internet only by a single isp . i have run debug on both the isp routers and i can see the icmp probe packets from the hub on both the them so connectivity is fine.

i even tried adding one more default gateway on the firewall for isp2 without the metric but still no good.

can someone pls tell me where i am going wrong.

is anyone having a current setup like this pls help me out.

regards

sebastan

[mcnallym]

What platform is this on

To allow statically translated hosts in an ISP redundancy configuration for open outgoing connections, use the following procedure.

Notes:

Assume that an internal host has an internal IP address, as well as one valid IP address from the address space of each Internet Service Provider (ISP).

Use the following notation:

HOST_INTERNAL = internal IP address of the host
HOST_VALID_A = valid address of the host from ISP_A (the first ISP)
HOST_VALID_B = valid address of the host from ISP_B (the second ISP)

On the SmartCenter server:

Define two dynamic objects: "DYN_ISP_A" and "DYN_ISP_B"

Define an object with the IP address of HOST_INTERNAL.

Define an object with the IP address of HOST_VALID_A.

Define an object with the IP address of HOST_VALID_B.

Define two Manual NAT rules, as follows:

Rule 1

Source = HOST_INTERNAL
Destination = DYN_ISP_A
XlateSRC = HOST_VALID_A
XlateDST = Orig

Rule 2

Source = HOST_INTERNAL
Destination = DYN_ISP_B
XlateSRC = HOST_VALID_B
XlateDST = Orig


Run cpstop on the security gateway or cluster (on each cluster member).

Run the following commands on the security gateway or cluster (on each cluster member):

dynamic_objects -n DYN_ISP_A
dynamic_objects -n DYN_ISP_B
dynamic_objects -o DYN_ISP_A -r 0.0.0.0 0.0.0.0 -a
dynamic_objects -o DYN_ISP_B -r 0.0.0.0 0.0.0.0 -a


On the security gateway or cluster (on each cluster member), edit $FWDIR/bin/cpisp_update, and add the following lines before the "exit" line:


if ($USE_LINK1 == "1") then
dynamic_objects -o DYN_ISP_A -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP_B -r 0.0.0.0 255.255.255.255 -d
dynamic_objects -o DYN_ISP_B -r 0.0.0.0 0.0.0.0 -a
else
dynamic_objects -o DYN_ISP_B -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP_A -r 0.0.0.0 255.255.255.255 -d
dynamic_objects -o DYN_ISP_A -r 0.0.0.0 0.0.0.0 -a
endif


Run cpstart on the security gateway or cluster (on each cluster member).

Install the Security Policy on the security gateway/cluster.


Is what needs to be done on the gateways to get this to work.

Note that all STATIC Nat outbound will be via ISP-1.


For HIDE NAT then ensure that the NAT is Automatic and set to Hide Behind Gateway. Hide NAT should be Load Balanced across both lines.

Configure 1 DG on the OS and then configure the Next Hop in the Dashboard.

[sebastan_bach]

hi mate i have configured hide nat behind gateway for the internal host. so in this case it should work automatically right. i do not need to configure dynamic-objects in this case i guess.

but still i am facing the same problem. i am running this on a splat NGX R65.

HELP ME OUT IF POSSIBLE.

regards

sebastan

[mcnallym]

I don't think you actually have a problem, more that you don't have enough behind the box to generate enough traffic for the Load Balancing to take effect.

You will need to generate a fair bit of traffic through a box to see the load balancing take place. If just one person going through the box then you aren't going to see both lines being used.

All traffic from a single host will go down a single line still. Get multiple boxes behind the box and you should see traffic going down both lines. Preferably different subnets.

I have always coded the Dynamic Objects when using ISP Redundancy as never had purely Hide NAT, always had some Static NAT as well.

ISP Redundancy from Check Point is still pretty basic and I believe that other vendors do this much better. Certainly Stonesoft is a much better ISP Redundancy then Check Points.

[sebastan_bach]

hi mate thanks for ur reply. the way i am testing this is that i have a single host on the inside but i am telnetting to different loopbacks connected to different isp routers.

does checkpoint only use differentiation in traffic looking at the source address i thought like other vendors it looks at both the source and destination. if checkpoint looks at the source address then i will surely try adding another host to the internal network and try out the scenario.

so when i am using static nat do i still need to use dynamic objects.

yeah i know checkpoint isp redundancy is just basic and doesn;t provide much granularity like netscreen and other vendors.

regards

sebastan

[mcnallym]

Yes you definitely will still need the dynamic objects when doing Static NAT as the NAT rules use them.

[sebastan_bach]

hi mate thanks for ur reply. u mean if i only want outbound redundancy for static connections i would be needing those dynamic objects.

basically i would be doing static nat for inbound redundancy .

if i am using pure manual static nat rules by natting the same internal object to different valid ip address from different isp then will it work i mean then do i need those dynamic objects.

ur advise would be of great help.

waiting for ur reply mate.

regards

sebastan

[mcnallym]

I do not believe that you should need the dynamic objects if all of your outbound NAT is Hide Mode and just the inbound is static.

The dynamic objects are used to say which ISP link is being used by Check Point and so which outbound Static NAT Rule to use for the Server.

ie

Src Server-1
Dst DynISP-A

xlate src = Server-1-ISPA
xlate dst = Original

or

Src Server-1
Dst DynISP-B

xlate src = Server-1-ISPB
xlate dst = Original

Your Inbound NAT would be

Src = Any
Dst = Server1-ISPA

xlate src = Original
xlate dst = Server1

or

Src = Any
Dst = Server1-ISPB

xlate src = Original
Dst = Server1

From these you can see do not need the dynamic objects for inbound NAT, obviously though this will require that you do Hide NAT or the Server cannot access the Internet if you do not have the outbound Static NAT.

[sebastan_bach]

hi mate don;t u think the isp redundancy is a real pain in checkpoint. in other vendors like cisco we genrally nat the same internal object to different isp address and then rely on routing. if firewall is forwarding packet out of isp1 link it will nat it on that isp space and similary with the other isp .

so if i do manual nat for the internal host to both the isp addres space it will not work right .

i think i will probably not use this feature or just use active/standy isp redundancy this load sharing is a pain .

thanks a lot mate.

regards

sebastan

[mcnallym]

You are correct if you just do manual static nat for both lines then it fails.

The dynamic objects are still needed if you use ISP Redundancy Static NAT outbound whether is Load Sharing or Active/Standby.

If you just have a manual static nat and don't use the dynamic objects then will always apply the first manual static nat for the object. You would have to manually disable the first NAT rule upon line failover.

I personally am not impressed, I have merely used it when migrating ISP's. In no way does it compare with other vendors ISP Redundancy or an external load balancer.

I believe that the problem is that all the guys that they had developing ISP Redundancy upped and left to go to Stonesoft (very check point like interface and much superior ISP redunancy that isn't limited to just 2 lines)

It shows promise but needs developing further, (much much further) or will end up like Connect Control in that it is there but noone uses it in the real world.

[nazaraf]

I agree that Stonesoft has a better solution for ISP redundancy, both for inbound and OUTBOUND. We are using it for 4 ISPs and we are adding one more.

On Checkpoint side... We are using it for our VPN Remote Access (secure remote/client ) and Site to Site with 2 ISPs but not load sharing yet. Is it possible for our clients to have seamless connection (s2s and remote access) if one ISP goes down? I mean they wont know that 1 of our ISPs fail.

[ankda14]

Hi All,

I configured same scenario but Traffic is not going through backup path when primary ISP is down. I configured same as given in sk25152. Please find below configuration:

Rule:

SRC: 192.168.215.128 DST: 3.3.3.3 SERVICES: ANY ACTION: PERMIT

NAT RULE:
1.
Original Source: 192.168.215.128
Original Dstn: DYN_ISP_A
Original Service: Any
Translated source: 192.168.254.191(ISP_A public IP) - Static NAT
Translated Dstn: Original
Translated service: Original

2.
Original Source: 192.168.215.128
Original Dstn: DYN_ISP_B
Original Service: Any
Translated source: 192.168.229.191(ISP_B public IP) - Static NAT
Translated Dstn: Original
Translated service: Original

Configured dynamic Objects and script as given in sk25152.

Now to test the ISP redundancy feature:

In ping from windows machine(192.168.215.128) to 3.3.3.3

Source packet is translated to 192.168.254.191

now i remove cable from firewall ISP-1 interface and default route points to backup ISP but when i do TCP dump on ISP-2 int and debug packets on router, source packet is still translated to 192.168.254.191. The packet drops on windows machine as return traffic from router points to primary ISP path.

Kindly also let us know what range 0.0.0.0 0.0.0.0 in dynamic object means.

I understand 0.0.0.0 255.255.255.255 means whole network(any).

Kindly advise.

Thanks