topic Re: ISP Redundancy: LAN via ISP‑1, WLAN via ISP‑2 in Firewall and Security Management

ISP Redundancy: LAN via ISP‑1, WLAN via ISP‑2

DominusRex23 — Tue, 04 Nov 2025 15:17:24 GMT

Hi CheckMates,

I’m exploring a design where a Check Point gateway connects to two ISPs. The client’s requirement is:

LAN subnets should use ISP‑1 by default
WLAN subnets should use ISP‑2 by default
Both ISPs should be active simultaneously (Load Sharing, not HA)
If either ISP fails, traffic from both LAN and WLAN should fail over to the surviving ISP automatically

From my understanding, this would involve:

Enabling ISP Redundancy in Load Sharing mode to handle health monitoring and failover
Using NAT rules so each subnet hides behind its “preferred” ISP’s external IP, but can also fall back to the other ISP if needed
Optionally applying Policy‑Based Routing (PBR) to bias LAN traffic toward ISP‑1 and WLAN traffic toward ISP‑2 under normal conditions

Where I’m unsure:

Will NAT rules really switch cleanly during failover, or could I run into asymmetric routing?
Does PBR play nicely with ISP Redundancy, or could it “stick” to a dead ISP?

Has anyone here implemented something like this? I’d love to hear if this approach is solid, or if there’s a better way to achieve subnet‑specific ISP preference with automatic failover and zero human intervention.

Re: ISP Redundancy: LAN via ISP‑1, WLAN via ISP‑2

PhoneBoy — Tue, 04 Nov 2025 15:28:21 GMT

The fact you're talking about LAN/WLAN means you're discussing SMB appliances.
Generally ISPR and PBR aren't supported together: https://support.checkpoint.com/results/sk/sk167135

Re: ISP Redundancy: LAN via ISP‑1, WLAN via ISP‑2

DominusRex23 — Wed, 05 Nov 2025 02:16:02 GMT

Hi @PhoneBoy

Thanks for pointing that out. I actually wasn’t aware of that SK, so I’ll definitely look into it. Just to clarify, this setup is on enterprise Gaia gateways, not SMB appliances (I only used “LAN/WLAN” to describe internal segmentation).

The client’s requirement is zero human intervention in case of ISP failure, but they also want subnet‑specific steering (LAN → ISP‑1, WLAN → ISP‑2) under normal conditions. From what you’re saying, it sounds like ISP Redundancy and PBR can’t be combined, which raises the question:

On enterprise gateways, is there a supported way to achieve both automatic failover and subnet‑specific ISP preference without relying on PBR? Or is it really an either/or trade‑off

Re: ISP Redundancy: LAN via ISP‑1, WLAN via ISP‑2

PhoneBoy — Wed, 05 Nov 2025 03:26:25 GMT

You don't need ISP Redundancy for this, you can just use Multiple Default Routes with ECMP and PBR.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_Advanced_Routing_AdminGuide/Content/Topics-GARG/Routing-Options-Equal-Cost-Multipath.htm

However, I don't think you can define a different NAT for different ISP with this configuration.
You can do this with Quantum SD-WAN, though.

Re: ISP Redundancy: LAN via ISP‑1, WLAN via ISP‑2

TurgutKaplanogl — Thu, 06 Nov 2025 12:01:35 GMT

Hello,

You can fix your issue with SKs without any manuel configuration when ISP link down.

For Hide Nat: https://support.checkpoint.com/results/sk/sk174197

For Static Nat: https://support.checkpoint.com/results/sk/sk25152

Re: ISP Redundancy: LAN via ISP‑1, WLAN via ISP‑2

Wolfgang — Thu, 06 Nov 2025 13:37:17 GMT

The best way to achieve your need is to use SD-WAN. SQ-WAN does all the magic, using both ISPs, sent traffic from network A via ISP A and traffic from network B via ISP B. And if one ISP is failing everything is sent via the other. It's simple to configure with SD-WAN policy.