topic Re: ISP Redundancy - NAT in Firewall and Security Management

ISP Redundancy - NAT

dede79 — Wed, 01 Feb 2023 15:11:14 GMT

Hello,

as tested outbound traffic hide-nat works with ISP redundancy (act/standby) when selecting hide behind gateway in the network object. Solution should be sk25152.

Is there an option to do so with dynamic objects? Most customers use manual nat with groups in source column.

I tested in lab with 2 dynamic objects:

[Expert@ISPgw01:0]# dynamic_objects -l

object name : DYN_ISP_A
range 0 : 0.0.0.0 255.255.255.255

object name : DYN_ISP_B
range 0 : 0.0.0.0 255.255.255.255

Since $FWDIR/bin/cpisp_update script looks really different than in the sk I did not change it.

created the same objects in dashboard and made 2 nat rules:

If ISP A fails default route is switched to ISP B but the still the public hidenat IP of ISP A is used - Rule 5 always matches.

Version R81.10

Re: ISP Redundancy - NAT

G_W_Albrecht — Wed, 01 Feb 2023 15:53:33 GMT

>> Since $FWDIR/bin/cpisp_update script looks really different than in the sk I did not change it.

You have too - enter the needed lines as shown in sk25152 or the Dynamic objects will not change. sk25152 has more NAT rules and ARP Requests for the Manual NAT IP to be taken care of.

Re: ISP Redundancy - NAT

Wolfgang — Wed, 01 Feb 2023 17:11:01 GMT

@dede79 What do you want to achieve? The „hide behind gateway“ setting is the solution for outgoing connections and ISP redundancy. You don‘t wrote what‘s your problem. You wrote „ Solution should be sk25152“ but which problem?

Re: ISP Redundancy - NAT

dede79 — Thu, 02 Feb 2023 10:21:34 GMT

OK, I think I skipped the "add" in the sk - now it works - manual HNAT Rules...manual SNAT in/out for the DMZ Servers - great!

Re: ISP Redundancy - NAT

Jones — Thu, 28 Sep 2023 12:37:11 GMT

Hi,

sk25152 describes a script for two ISP's in a loadsharing solution. From R81.10 more then two ISP's are supported. So what about a High Available solution with three ISP's, that should also be possible. What lines in the cpisp_update are then needed for this solution?

Grtz Jones

Re: ISP Redundancy - NAT

Jones — Thu, 19 Oct 2023 07:19:29 GMT

I got a reply from Check Point support. They updates sk25152 and gave me the cpisp_update lines for 3 ISP's that I added it in this post. Don't forget to add two extra lines on the CLI:

dynamic_objects -n DYN_ISP_C
dynamic_objects -o DYN_ISP_C -r 0.0.0.0 0.0.0.0 -a

Re: ISP Redundancy - NAT

dede79 — Thu, 22 Feb 2024 13:22:33 GMT

Just have same config with R81.20 but not working...

Do the dynamic-objects / object names in the script MUST be exactly "DYN_ISP_A" and so on or can I use other names like "DYN_ISP_COLT"....?

Regardinf ISP Red in loadsharing and sk25152- there is still mentioned that the solution is only for HA. So there the only option is hide-behind-gateway ?

Re: ISP Redundancy - NAT

dede79 — Thu, 22 Feb 2024 13:27:13 GMT

are you really able to hide everything behind gateway in you environments? No need to use specific IPs for NAT?

Re: ISP Redundancy - NAT

dede79 — Tue, 05 Mar 2024 09:58:39 GMT

Update from TAC: sk25152 not supportet from R81.10 upwards. Supportet workaround would be using manual nat rules with zone in destination field.

Re: ISP Redundancy - NAT

cyberfinder — Wed, 12 Jun 2024 21:13:43 GMT

specific Ip hide NAT will work with ISP load sharing mode ? as i have tried seems like its not supported.