topic Re: Second ISP in Firewall and Security Management

Second ISP

velo — Fri, 21 Feb 2025 18:30:44 GMT

I have a pair of 6200s that I want to add a second ISP. It has a couple of VPNs configured on it to other Checkpoints I manage. My plan is this:

Under the default route there is the option to add multiple next hops with with different priority. I will make the primary as priority as 1 and the backup as 10. I will choose to monitor the default gateway of each next hop.
Setup Link Selection with probing under IPSEC

Any issues seen with this?

Thanks

Re: Second ISP

PhoneBoy — Fri, 21 Feb 2025 22:17:05 GMT

Does this gateway have any user traffic?
Possible you may need ISP Redundancy here.

Re: Second ISP

velo — Fri, 21 Feb 2025 22:59:43 GMT

Yes it has outbound user traffic (internet browsing) Won't this be taken care of my a second default route? Can you clarify what you mean?

Thanks

Re: Second ISP

the_rock — Fri, 21 Feb 2025 23:04:05 GMT

How many external IPs? Or to be precise, how many external interfaces?

Andy

Re: Second ISP

PhoneBoy — Fri, 21 Feb 2025 23:30:02 GMT

If you have user traffic, you'll likely have to deal with NAT (HIDE NAT in particular).
As NAT rules in SmartConsole cannot be made "per-ISP" (different NAT for different ISP), you need to use ISP Redundancy or Quantum SD-WAN.

Re: Second ISP

velo — Fri, 21 Feb 2025 23:36:22 GMT

Hey Andy

Just two. I have one now and am adding a second one.

Thanks

Re: Second ISP

the_rock — Fri, 21 Feb 2025 23:50:04 GMT

In that case, you may need ISP redundancy.

Andy

Re: Second ISP

velo — Fri, 21 Feb 2025 23:51:46 GMT

Thanks. What is the section about "Configure the Cluster to be the DNS server" That makes no sense to me.. Seems like it's not relevant.

To configure this on SMB firewalls is very easy, you just setup IPSEC link selection for VPNs, and NAT etc just work fine.

Re: Second ISP

velo — Sat, 22 Feb 2025 00:00:47 GMT

Thanks, I'm reading the docs. The DNS part doesn't make sense but I don't think that's relevant to my setup. I will see if I can lab it.

Can you explain what I will need to do for outbound NATs? If I have the box ticked under "NAT" to hide internal networks behind Gateway, will this take care of all outbound NAT when there is a failover?

Thanks

Re: Second ISP

the_rock — Sat, 22 Feb 2025 01:10:12 GMT

Yes, either you can do it that way or with manual nat, whichever works.

Andy

Re: Second ISP

AmirArama — Sun, 23 Feb 2025 10:03:38 GMT

Hi,

let's put things in order.

if you want to work as "legacy", you can set two default routes with different priorities and monitoring as you said, For VPN configure the Link selection with HA. and you good to go.

Legacy, because for internet traffic you will have a failover only once the 'IP Reachability detection' monitored target is DOWN or once your DG will stop responding to ping, and you can work only in Active/Standby mode by this.

if you want to get little more advanced method, you can use ISP Redundancy which provide you the ability to use Load Sharing between the lines for outbound internet, with a couple more features.

and if you want to get the best out of your multiple lines you can consider Quantum SD-WAN, in which you can benefit from specific steering abilities Per app/DSCP/User/updatable object, etc. advanced SLA configurations, application steering, (soon - Application level QOS), different custom NAT Per ISP configured in a user friendly way. seamless failover in VPN Traffic to another SD-WAN enabled Gateways, and much more.

For any method you choose, 'Hide behind GW' should work.
if you need custom Hide to Static NAT Per ISP, you can implement it via ISP Redundancy (not very user friendly way), or via the Quantum SD-WAN Rules in Infinity portal.

Re: Second ISP

velo — Tue, 25 Feb 2025 22:34:35 GMT

Thanks a lot for the detailed response. In the end I ended up using a second default route next hop, combined with IP Reachability Detection. I think setup the Link Monitoring under IPSEC. I also have the box ticked under NAT to hide behind Gateway.

Everything worked great an as expected.

Thanks

Re: Second ISP

the_rock — Tue, 25 Feb 2025 22:40:32 GMT

Great job! btw, just be careful with NAT setting, as it is global. if you wish to nat certain networks, do it from the net object itself and make sure disable nat is unchecked within community.

Andy

Re: Second ISP

velo — Tue, 25 Feb 2025 22:42:19 GMT

Thanks! 🙂 Yep, understood. Lucky this site is quite straightforward.

Re: Second ISP

the_rock — Tue, 25 Feb 2025 22:52:38 GMT

Great! Anywho, just something below to keep in mind 🙂

Andy

Disable NAT Inside the VPN Community

Even if NAT is configured it is possible to disable NAT inside the VPN community. If NAT is disabled, when a host behind a community member opens a connection with another host behind a community member, the original IP addresses are used. Other connections use the translated address.