https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30116#M1236 <HTML><HEAD></HEAD><BODY><P>Yes.&nbsp;After I unchecked the box "Route traffic through this connection by default" the issue seems to be resolved.</P><P></P><P>Thank you very much!</P></BODY></HTML> Fri, 09 Mar 2018 14:12:02 GMT Pedro_Espindola 2018-03-09T14:12:02Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30111#M1231 <HTML><HEAD></HEAD><BODY><P>Hello everyone,</P><P></P><P>I have a centrally managed 1470 appliance with 2 internet connections in High Availatbility:</P><P>1. A adsl link connected to DMZ port and ISP redundancy priority 1</P><P>2. A dedicated link connected to WAN port and ISP redundancy priority 2</P><P></P><P>Link 1 is fast and great for users, but has upload limit and is unreliable for publications. So I tried to configure a PBR for&nbsp;the&nbsp;dmz network&nbsp;to use link 2:</P><P></P><P>dst:Any&nbsp; src:172.16.30.0/24&nbsp;&nbsp;port:Any&nbsp; next-hop:Link2</P><P></P><P>I also configured automatic static NAT in the corresponding object&nbsp;in SmartConsole.</P><P></P><P>The problem is that when the server tries to reach the internet for updates and other checks it will use the correct link for a while and then start to fail. When this happens, fw monitor shows this:</P><P>o:WAN</P><P>O:DMZ</P><P></P><P>Access from the internet to the server continues to work.</P><P></P><P>Restarting the internet connection solves the problem for a few hours.</P><P></P><P>I also tried using the external network gateway:</P><P></P><P><SPAN>dst:Any&nbsp; src:1<SPAN>72.16.30</SPAN><SPAN>.</SPAN><SPAN>0</SPAN><SPAN>/24</SPAN></SPAN><SPAN>&nbsp;port:Any&nbsp; next-hop:&lt;external-gateway&gt;</SPAN></P><P></P><P>What am I doing wrong?</P></BODY></HTML> Thu, 15 Feb 2018 20:15:57 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30111#M1231 Pedro_Espindola 2018-02-15T20:15:57Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30112#M1232 <HTML><HEAD></HEAD><BODY><P>At least on regular appliances, ISP Redundancy and PBR are mutually exclusive.</P><P>That may be the case here... have you opened a case with TAC?</P><P><A class="link-titled" href="http://www.checkpoint.com/support-services/contact-support/index.html" title="http://www.checkpoint.com/support-services/contact-support/index.html">Contact Support | Check Point Software</A>&nbsp;</P></BODY></HTML> Fri, 16 Feb 2018 21:27:12 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30112#M1232 PhoneBoy 2018-02-16T21:27:12Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30113#M1233 <HTML><HEAD></HEAD><BODY><P>I see. But then why give us this option?</P><P></P><P><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/63223_PBR_Link.PNG" style="width: 620px; height: 272px;" /></P><P></P><P>I will open a service request, but I wanted to open this discussion about the differences between SMB and regular appliances and the usage of these features.</P></BODY></HTML> Tue, 20 Feb 2018 18:30:15 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30113#M1233 Pedro_Espindola 2018-02-20T18:30:15Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30114#M1234 <HTML><HEAD></HEAD><BODY><P>This is supported according to <EM>Check Point 1100/1200R/1400 Appliances Centrally Managed Administration Guide R77.20.75 p.58:</EM></P><P></P><P><EM><STRONG>ISP Redundancy - supported in IPv4 connections only</STRONG><BR />Multiple Internet connections can be configured in High Availability or Load Sharing modes. When you configure more than one Internet connection, the Device &gt; Internet page lets you toggle between these options. The Advanced setting of each Internet connection lets you configure each connection's priority or weights based on the set mode.<BR />- Clear the <STRONG>Route traffic through this connection by default</STRONG> checkbox when you do not want this Internet connection used as a default route for this gateway. The connection is used by the device only if specific, usually service-based, routing rules are defined for it. This is commonly used when you have a connection that is used for dedicated traffic. When you clear this option, this connection does not participate in High Availability or Load Balancing.</EM></P><P></P><P>And that is not all - i know of customers using this feature successfully, too <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /> !</P></BODY></HTML> Wed, 21 Feb 2018 09:27:29 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30114#M1234 G_W_Albrecht 2018-02-21T09:27:29Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30115#M1235 <HTML><HEAD></HEAD><BODY><P>Did you get the issue resolved yet?</P></BODY></HTML> Wed, 07 Mar 2018 12:26:09 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30115#M1235 G_W_Albrecht 2018-03-07T12:26:09Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30116#M1236 <HTML><HEAD></HEAD><BODY><P>Yes.&nbsp;After I unchecked the box "Route traffic through this connection by default" the issue seems to be resolved.</P><P></P><P>Thank you very much!</P></BODY></HTML> Fri, 09 Mar 2018 14:12:02 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/PBRs-and-ISP-redundancy-on-SMB-appliances/m-p/30116#M1236 Pedro_Espindola 2018-03-09T14:12:02Z