https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-Cluster/m-p/185953#M34204 <P>Hi everyone,</P><P>I have some questions regarding ISP redundancy.</P><P>Currently, I have Checkpoint running production version R81.10 with the cluster active/stanby.<BR />On the cluster box, have a configuration like below&nbsp;<BR />- two ISP links on gateway<BR />- dynamic routing OSPF protocol<BR />- site-to-site vpn&nbsp;<BR />- remote access vpn<BR />- incoming and outgoing nat</P><P>and just want to know if I would like to enable ISP redundancy on the existing cluster box&nbsp;</P><P>What are the challenges to achieving this need?</P><P>Thank you&nbsp;</P><P>best regards,</P><P>mgl</P> Sat, 08 Jul 2023 06:24:54 GMT leangm 2023-07-08T06:24:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-Cluster/m-p/185953#M34204 <P>Hi everyone,</P><P>I have some questions regarding ISP redundancy.</P><P>Currently, I have Checkpoint running production version R81.10 with the cluster active/stanby.<BR />On the cluster box, have a configuration like below&nbsp;<BR />- two ISP links on gateway<BR />- dynamic routing OSPF protocol<BR />- site-to-site vpn&nbsp;<BR />- remote access vpn<BR />- incoming and outgoing nat</P><P>and just want to know if I would like to enable ISP redundancy on the existing cluster box&nbsp;</P><P>What are the challenges to achieving this need?</P><P>Thank you&nbsp;</P><P>best regards,</P><P>mgl</P> Sat, 08 Jul 2023 06:24:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-Cluster/m-p/185953#M34204 leangm 2023-07-08T06:24:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-Cluster/m-p/185958#M34205 <P>ISP redundancy has quite a few limitations, mostly around SecureXL functionality. I would advise you to review those before making your decision.</P> Sat, 08 Jul 2023 08:14:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-Cluster/m-p/185958#M34205 _Val_ 2023-07-08T08:14:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-Cluster/m-p/185974#M34212 <P>I have this running and it works pretty well.&nbsp; Remember you still only have one "Default" gateway - e.g ISP-1.&nbsp;</P><P>We statically route some destinations out of ISP-2.&nbsp; We also use PBR to route some stuff via ISP-2.</P><P>ISP Redundancy relies on the ability (or not) to ping upstream IP's to tell if the line is up and healthy or not, and therefore whether to fail over or not.&nbsp; So remember, if both ISP circuits are from the same telco and that telco have an issue, it could affect the ability for both of the firewall's ISP lines to determine which is healthiest.&nbsp; I experienced this rather shaky meltdown recently and basically had little option but to wait for the telco to fix their issue.&nbsp; So for best resilience you want to use different telco's and ensure their cables in the ground don't run up the same street to your building...&nbsp; You know, the street that has a JCB about to start digging the road up, and both of your ISP lines with it&nbsp;<span class="lia-unicode-emoji" title=":face_with_rolling_eyes:">🙄</span></P> Sat, 08 Jul 2023 22:40:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-Cluster/m-p/185974#M34212 biskit 2023-07-08T22:40:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-Cluster/m-p/185976#M34214 <P>what did you mean by review?</P><P>the services running on Checkpint already describe here.&nbsp;</P><P>&nbsp;</P> Sun, 09 Jul 2023 05:47:32 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-Cluster/m-p/185976#M34214 leangm 2023-07-09T05:47:32Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-Cluster/m-p/185989#M34219 <P>What&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/181">@_Val_</a>&nbsp;was suggesting was to review the relevant documentation.<BR />However, I think most of those limitations have been resolved in current releases.</P> Sun, 09 Jul 2023 15:33:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/ISP-redundancy-Cluster/m-p/185989#M34219 PhoneBoy 2023-07-09T15:33:17Z