topic Re: Two ISP's with two appliances 4800 R80.10 in Firewall and Security Management

Two ISP's with two appliances 4800 R80.10

seginf_jfce — Mon, 10 Dec 2018 16:12:33 GMT

Hello guys,

My scenario is as follows: I have two 4800 appliances and now two different ISPs. Each ISP connects to only 1 gateway. Can I work with both in active / standby? Remembering that each ISP connects to 1 gateway and not both. Does ISP redundancy do this? I would like to leave a working ISP and if it goes offline, the backup goes online. My biggest doubt is that if the main ISP that is in the active gateway falls, there will be a connection to the other ISP in the Firewall standby.

My solution:

- 2 Checkpoint 4800 appliance;

- R80.10 version firewall and managment;

Thanks.

Re: Two ISP's with two appliances 4800 R80.10

PhoneBoy — Fri, 21 Jun 2019 09:04:37 GMT

This exact question came up here: https://community.checkpoint.com/thread/10663-checkpoint-cluster-failover-query

TL;DR: It doesn't work that way.

Re: Two ISP's with two appliances 4800 R80.10

G_W_Albrecht — Tue, 11 Dec 2018 09:17:18 GMT

Easy - use HA Cluster and ISP redundancy !

- if the active cluster node fails, standby will take over, keeping the primary ISP

- if primary ISP fails, secondary will take over

Re: Two ISP's with two appliances 4800 R80.10

seginf_jfce — Tue, 11 Dec 2018 17:08:31 GMT

Will the ISP redundancy work with the schema that each ISP is physically connected on only 1 appliance?

The scenario is:

Firewall 1 -> ISP 1

Firewall 2 -> ISP 2

Only 1 port per ISP on 1 firewall and not both ISPs are on both appliances.

If the active firewall 1 fails, which has ISP 1 connected, will traffic be thrown to Firewall 2, which does not have ISP 1 connected?

Re: Two ISP's with two appliances 4800 R80.10

PhoneBoy — Tue, 11 Dec 2018 17:30:00 GMT

No, this is not a supported configuration.

Please refer to the thread I linked previously, which discusses this exact issue.

Re: Two ISP's with two appliances 4800 R80.10

seginf_jfce — Tue, 11 Dec 2018 17:38:50 GMT

That's what I thought. I have to physically connect the two ISPs on both appliances for redundancy.

Thanks everyone.

Re: Two ISP's with two appliances 4800 R80.10

Aidan_Luby — Fri, 14 Dec 2018 13:51:20 GMT

Are the firewalls in the same location? We connect our ISP's to a switch then you can connect those WAN VLAN's to both the firewall appliances. If your ISP's both only give you one IP you can still use those just as the VIP's then use a different addressing scheme for the physical IP's.

So you can have ISP1 > Switch on vlan 1 > both checkpoints on VLAN 1 and setup physical IP's and a VIP for this vlan then do the same with a different VLAN/IP's for the other ISP connection.

Re: Two ISP's with two appliances 4800 R80.10

seginf_jfce — Thu, 10 Jan 2019 12:10:21 GMT

Hello Aidan,

The topology will look like this: ISP 1, located on DC1, connected to a core switch in VLAN X which in turn will connect to port X of FW1. ISP 2, located on DC2, connected to a core switch on the VLAN Y which in turn will connect to the FW2's X port. These switches are stacked, that is, they are part of the same "unit". In this way, what is the best approach for both ISPs to be connected, whether redundant or active?

Firewalls in active/standby mode or active/active ?

And about configuration of rules, NATs, static routes ?

Thanks.

Re: Two ISP's with two appliances 4800 R80.10

G_W_Albrecht — Thu, 10 Jan 2019 12:27:51 GMT

This is an unsupported configuration and ClusterXL will not work. Please explain why you can not use a standard ClusterXL ISP Redundany / LS configuration!

Re: Two ISP's with two appliances 4800 R80.10

seginf_jfce — Thu, 10 Jan 2019 13:24:06 GMT

As I explained above, can I use ISP Redundancy? Isps arrive on each side, connected to VLANs -> FW?

Re: Two ISP's with two appliances 4800 R80.10

PhoneBoy — Thu, 10 Jan 2019 16:08:01 GMT

ISP Redundancy requires both ISPs to be reachable from both gateways.

If that is not the case with your configuration, it will not work.

Re: Two ISP's with two appliances 4800 R80.10

seginf_jfce — Thu, 10 Jan 2019 17:03:44 GMT

Even every ISP having reach to the other side via switch / vlan? The core stack is interconnected between the DCs via fiber channel.

Re: Two ISP's with two appliances 4800 R80.10

PhoneBoy — Thu, 10 Jan 2019 17:20:46 GMT

If the switch/VLAN configuration allow both gateways to reach both ISPs, then yes.

A proposed network diagram would be helpful to confirm.

Re: Two ISP's with two appliances 4800 R80.10

seginf_jfce — Thu, 10 Jan 2019 18:12:08 GMT

Re: Two ISP's with two appliances 4800 R80.10

PhoneBoy — Thu, 10 Jan 2019 20:26:25 GMT

It looks as if that should work.

Re: Two ISP's with two appliances 4800 R80.10

HristoGrigorov — Sun, 13 Jan 2019 13:39:42 GMT

Be careful when you are thinking what you define as ISP being "offline".

It is either problem on physical layer (port goes down for whatever reason) or on protocol layer (default gateway or any other along the path fails). First one it is in fact the best to happen. Second one will require that you monitor certain hosts on the Internet and initiate fail-over should certain criteria is satisfied.