topic Re: Dual ISP and SIC management in General Topics

Dual ISP and SIC management

Martin_Raska — Tue, 20 Apr 2021 07:27:42 GMT

Hello mates,

I need your advice. The customer has 3600HA which are managed over the Internet via public IP. So SIC and policy install is going from SMS to cluster via External Public IP of the cluster.

Now the fun part. They have two ISP, with two separate IP pools. Is there any way how to configure management SIC or the object of GW to use any HA for management? I know what happens if ISP A fail, is there way to transfer SIC and policy install to ISP B?

When ISP A fail:

Doing some manual dNAT for GW IP at SMS side? Change traffic to ISP B?

Change IP of cluster in SmartConsole and install?

Re: Dual ISP and SIC management

PhoneBoy — Tue, 20 Apr 2021 21:25:43 GMT

What is doing the ISP Redundancy/NAT in this case: a Check Point gateway or something else?
Either way, this SK is probably relevant: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100583&partition=Advanced&product=Quantum

To be clear, SIC is based on certificates, so doesn’t care so much about the IP used.
However, the IP the gateway connects to for logging and the IP allowed via implied rules is definitely relevant.

I suspect this will require modifying the masters file to achieve (mentioned in the above SK), though I’m not 100% sure you can specify two IPs for management.

Re: Dual ISP and SIC management

Martin_Raska — Wed, 21 Apr 2021 09:55:12 GMT

Currently, there is not any NAT in place, SMS has public IP and GW Cluster has two external eths with two public IPs from both ISP. ISP loadbalance is configured on CP Cluster. Cluster has main IP from ISP A, so policy install and SIC communication is realized to ISP A public IPs. The question is what happens if ISP A fail? How to install policy via ISP B public IP?

My assumption which might work when ISP - A fail:

Doing some temporal manual dNAT (x.x.x.x - ISP A to y.y.y.y - ISP B) for connection from SMS to GW

or Change IP of cluster to public IP from ISP B in SmartConsole and try install policy?

Re: Dual ISP and SIC management

PhoneBoy — Wed, 21 Apr 2021 15:19:11 GMT

I would change the Main IP of the cluster in this case and push policy.
Assuming the SMS IP doesn't change, that should be all that is required.

Re: Dual ISP and SIC management

Martin_Raska — Wed, 28 Apr 2021 08:07:01 GMT

I can confirm that its working, just change IP of cluster and its members and you are good go, then policy install. Thanks.

Re: Dual ISP and SIC management

starmen2000 — Wed, 23 Aug 2023 14:56:44 GMT

Hi ,

Once ISP1 goes down, do I alway need to change the main IP of Gateway on the Smartconsole to push the policy or make sure Gateway send the logging? Is there any automatic method for that?

Ercan

Re: Dual ISP and SIC management

PhoneBoy — Wed, 23 Aug 2023 19:49:31 GMT

Unfortunately, not at this time.

Note that when the primary ISP goes down, the gateway should store logs locally until the primary ISP comes back up and can re-establish a logging connection.
Which means the logs won't actually be lost, they will just not be available while ISP2 is the active one.