topic ISP Redundancy in Firewall and Security Management

ISP Redundancy

smohammed — Fri, 05 Nov 2021 20:30:54 GMT

Team,

we have a DMZ cluster on our active site and DR site has standalone. we are going to add DR site to the existing cluster

what we do today is if the active site ISP goes down we turn on the WAN/ISP/External interface on the DR site Standalone though which then our internet traffic works

ISP at both the locations is same and it provides same CIDR range at both locations for ex 123.123.123.128/29 at both locations and our ISP does not do active standby it is active and continuously pass traffic so that's the reason we turn the interface down so that traffic duplication should not take place.

when we add DR site member to active site cluster we want all the interfaces to be up all the time and checkpoint do ISP redundance and make one ISP standby and one ACTIVE

what I thought is having all the members external interface connected to switch and then ISP from both the locations connect to that switch as gateway is same for both the locations

i need help with best approach to do this

Re: ISP Redundancy

PhoneBoy — Mon, 08 Nov 2021 02:47:48 GMT

I'm curious how the ISP knows to route traffic to one location versus the other if both sites have the same block.
Seems like that could be solved by using Dynamic Routing or similiar.

Re: ISP Redundancy

smohammed — Mon, 08 Nov 2021 15:06:55 GMT

I am not sure what ISP is doing on their end. when you say Dynamic routing what do you suggest as an example. currently on the default route on the members we have given gateway defined, can we define interface instead and does checkpoint has some feature to have active standby on the interface level

Re: ISP Redundancy

PhoneBoy — Mon, 08 Nov 2021 16:23:19 GMT

If you define an interface as the default route (versus a specific IP address), that will mean an ARP entry will be required for every server you connect to on the Internet.
This will cause the ARP table to full up and was problematic even on my home network.
It would fail spectacularly in an enterprise environment.

Dynamic Routing means using BGP or OSPF, which if you're not using it already may not necessarily be an effective strategy.
You really need to find out what the ISP is doing here.
That said, if it's just a matter of using a different next hop for the default route, you can set two of them and configure different priorities and a monitored address for each one.