topic Re: ISP Redundancy - 2 default route pointing to different ISP in Firewall and Security Management

ISP Redundancy - 2 default route pointing to different ISP

Ankur_Datta1 — Tue, 14 Aug 2018 09:37:23 GMT

Hi,

Can we add 2 default route on checkpoint firewall pointing to two different ISP.

for example:
0.0.0.0/0 ---> ISP A
0.0.0.0/0 ---> ISP B

I am trying to do load balancing between 2 ISP through ISP redundancy ( weight 50% for both ISP)

But due to default route pointing to ISP A. All traffic leaves through ISP A and ISP B is never utilized. As i add another default route on firewall for ISP B with same cost, Traffic start leaving ISP B as well.

But after some time firewall removes ISP B route automatically. I want it to be in routing table always. Is this correct design?

I am doing hide NAT as well with 2 ISP external interface as well.

Thanks

Re: ISP Redundancy - 2 default route pointing to different ISP

AlekseiShelepov — Tue, 14 Aug 2018 10:29:34 GMT

Check these guides:

ISP Redundancy

How To Configure ISP Redundancy

To enable ISP Redundancy:
Open the network object properties of the Security Gateway or cluster.
Click Other > ISP Redundancy.
Select Support ISP Redundancy.
Select Load Sharing or Primary/Backup.
Configure the links.
Configure the Security Gateway to be the DNS server.
Configure the policy for ISP Redundancy.

Re: ISP Redundancy - 2 default route pointing to different ISP

Ankur_Datta1 — Tue, 14 Aug 2018 10:45:32 GMT

Hi Aleksei,

Thanks for your reply. I already configured ISP redundancy on firewall with option checked as load sharing. but in routing table i can only see 1 default route pointing to ISP A as configured through gaia web-portal. I added another default route through CLI:

set static-route default nexthop gateway address ISP-B on

now routing table shows 2 default route pointing to ISP - A and ISP - B

S 0.0.0.0/0 via ISP - B, eth2, cost 0, age 5786
via ISP - A, eth1

i save the config.

traffic is traversing through both path but after some time firewall loose the default route added through CLI and again traffic start traversing through ISP -A path.

Kindly suggest.

Re: ISP Redundancy - 2 default route pointing to different ISP

AlekseiShelepov — Tue, 14 Aug 2018 14:29:05 GMT

Yes, that's a normal behaviour.

There shoud be one manually configured default route pointing to the primary ISP. Other settings are taken from ISP redundancy configuration in policy.

When the Security Gateway starts, or an ISP link state changes, the $FWDIR/bin/cpisp_update script runs. It changes the default route of the Security Gateway.

There are also some advanced configurations possible and there it might be required to change text files. But in your case it should be a standard config in SmartDashborad only.

Re: ISP Redundancy - 2 default route pointing to different ISP

Ankur_Datta1 — Tue, 14 Aug 2018 14:47:57 GMT

Thanks for update. How can we acheive load sharing then if there is only default route pointing towards ISP -A and we want traffic should traverse through both links?

Re: ISP Redundancy - 2 default route pointing to different ISP

_Val_ — Tue, 14 Aug 2018 14:54:10 GMT

Make sure both GWs have your GW (or GWs if it is a cluster) have both default routes configured on OS level. Use WebUI or clish to setup. WIth clish, do not forget to type in "save config" command.

Re: ISP Redundancy - 2 default route pointing to different ISP

Ankur_Datta1 — Tue, 14 Aug 2018 15:09:41 GMT

Hi Valeri.

I didnt understand. Gateway is in standalone deployment and not part of cluster. Are you talking about configure through clish? What is the command to add default route through clish. If i add the route, will it remain permanent in routing table. And isp redundancy will also work in case in load sharing one 1 isp goes down then there will be only one default route pointing to another Isp. As soon as isp is up again routing table will have both routes?

Thanks

Re: ISP Redundancy - 2 default route pointing to different ISP

_Val_ — Tue, 14 Aug 2018 15:16:08 GMT

Before we go any further, are you using the same NIC to connect to both ISPs?

Re: ISP Redundancy - 2 default route pointing to different ISP

Ankur_Datta1 — Tue, 14 Aug 2018 15:21:59 GMT

No. On gateway ISP links are connected to two different interfaces. Example : ISP - A on eth1 and ISP - B on eth2

Re: ISP Redundancy - 2 default route pointing to different ISP

_Val_ — Tue, 14 Aug 2018 15:33:46 GMT

Perfect, that is the requirement for ISP redundancy. Now, make sure on OS level each of the interfaces has a default route defined for it. Which version of software are you using?

Re: ISP Redundancy - 2 default route pointing to different ISP

_Val_ — Tue, 14 Aug 2018 15:40:20 GMT

If you are on Gaia, use

set static-route default nexthop gateway address  on|off

to add or delete a static route.

Always conclude with

save config

Re: ISP Redundancy - 2 default route pointing to different ISP

Ankur_Datta1 — Tue, 14 Aug 2018 15:48:03 GMT

I Ran same command to configure defaul route to back isp and done save config as well. This was ran in normal prompt where we can see configuration or configure using set command.

Further if i test ISP redundancy, i remove cable from port eth1 (primary isp) routing table shows default route to backup isp. But when i plug cable back another default route dont show in routing table. I need to check what route goes missing( the configured through cli or web gui) and will update you.

Re: ISP Redundancy - 2 default route pointing to different ISP

Mahir_Ali_Ahmed — Thu, 28 Feb 2019 14:44:48 GMT

Hi Ankur,

Any luck finding the right answer? I am having the same issue.

Regards,

Mahir

Re: ISP Redundancy - 2 default route pointing to different ISP

denis-stl — Thu, 27 May 2021 11:40:06 GMT

May be check on sk95249 How to configure multiple routes to the same network host in Gaia OS?