
ISP Redundancy - 2 default route pointing to different ISP

Hi,

Can we add 2 default routes on a Check Point firewall pointing to two different ISPs?

for example:
0.0.0.0/0 ---> ISP A
0.0.0.0/0 ---> ISP B

I am trying to do load balancing between 2 ISPs through ISP Redundancy (weight 50% for both ISPs).

But due to the default route pointing to ISP A, all traffic leaves through ISP A and ISP B is never utilized. As I add another default route on the firewall for ISP B with the same cost, traffic starts leaving through ISP B as well.

But after some time the firewall removes the ISP B route automatically. I want it to be in the routing table always. Is this the correct design?

I am doing hide NAT as well with the 2 ISP external interfaces.

Thanks

12 Replies

Re: ISP Redundancy - 2 default route pointing to different ISP

Check these guides:

ISP Redundancy 

How To Configure ISP Redundancy 

To enable ISP Redundancy:

  1. Open the network object properties of the Security Gateway or cluster.
  2. Click Other > ISP Redundancy.
  3. Select Support ISP Redundancy.
  4. Select Load Sharing or Primary/Backup.
  5. Configure the links.
  6. Configure the Security Gateway to be the DNS server.
  7. Configure the policy for ISP Redundancy.
0 Kudos

Re: ISP Redundancy - 2 default route pointing to different ISP

Hi Aleksei,

Thanks for your reply. I already configured ISP Redundancy on the firewall with the option checked as load sharing, but in the routing table I can only see 1 default route pointing to ISP A, as configured through the Gaia web portal. I added another default route through the CLI:

set static-route default nexthop gateway address ISP-B on

Now the routing table shows 2 default routes pointing to ISP - A and ISP - B:

S 0.0.0.0/0 via ISP - B, eth2, cost 0, age 5786
via ISP - A, eth1

I saved the config.

Traffic is traversing both paths, but after some time the firewall loses the default route added through the CLI and traffic again starts traversing the ISP - A path.

Kindly suggest.

0 Kudos

Re: ISP Redundancy - 2 default route pointing to different ISP

Yes, that's a normal behaviour.

There should be one manually configured default route pointing to the primary ISP. Other settings are taken from ISP redundancy configuration in policy.

When the Security Gateway starts, or an ISP link state changes, the $FWDIR/bin/cpisp_update script runs. It changes the default route of the Security Gateway.

There are also some advanced configurations possible and there it might be required to change text files. But in your case it should be a standard config in SmartDashboard only.

0 Kudos

Re: ISP Redundancy - 2 default route pointing to different ISP

Thanks for the update. How can we achieve load sharing then, if there is only a default route pointing towards ISP - A and we want traffic to traverse both links?

0 Kudos

Re: ISP Redundancy - 2 default route pointing to different ISP

Make sure your GW (or GWs if it is a cluster) has both default routes configured on OS level. Use WebUI or clish to set this up. With clish, do not forget to type in the "save config" command.

0 Kudos

Re: ISP Redundancy - 2 default route pointing to different ISP

Hi Valeri. 

I didn't understand. The gateway is in a standalone deployment and not part of a cluster. Are you talking about configuring through clish? What is the command to add a default route through clish? If I add the route, will it remain permanently in the routing table? And will ISP redundancy also work, so that in load sharing, if 1 ISP goes down, there will be only one default route pointing to the other ISP? As soon as the ISP is up again, will the routing table have both routes?

Thanks

0 Kudos

Re: ISP Redundancy - 2 default route pointing to different ISP

Before we go any further, are you using the same NIC to connect to both ISPs?

0 Kudos

Re: ISP Redundancy - 2 default route pointing to different ISP

No. On the gateway, the ISP links are connected to two different interfaces. Example: ISP - A on eth1 and ISP - B on eth2.

0 Kudos

Re: ISP Redundancy - 2 default route pointing to different ISP

Perfect, that is the requirement for ISP redundancy. Now, make sure on OS level each of the interfaces has a default route defined for it. Which version of software are you using?

0 Kudos

Re: ISP Redundancy - 2 default route pointing to different ISP

If you are on Gaia, use 

set static-route default nexthop gateway address  on|off 

to add or delete a static route. 

Always conclude with 

save config
0 Kudos

Re: ISP Redundancy - 2 default route pointing to different ISP

I ran the same command to configure a default route to the backup ISP and did save config as well. This was run at the normal prompt where we can see the configuration or configure using the set command.

Further, when I test ISP redundancy, I remove the cable from port eth1 (primary ISP) and the routing table shows a default route to the backup ISP. But when I plug the cable back in, the other default route doesn't show in the routing table. I need to check which route goes missing (the one configured through the CLI or the web GUI) and will update you.

0 Kudos
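
For the check described in the post above (finding which default next hop disappears once the link is restored), here is an added example that is not part of the thread and not Check Point tooling: it compares two saved routing-table snapshots in the layout quoted earlier in the thread. The snapshot text, the documentation-range addresses and all function names are constructed for illustration.

```python
import re

# Constructed snapshots in the layout quoted in the thread: a route line,
# then continuation lines for additional next hops. Addresses are from
# documentation ranges, not from the original posts.
BEFORE = """\
S    0.0.0.0/0         via 198.51.100.1, eth2, cost 0, age 5786
                       via 192.0.2.1, eth1
C    192.0.2.0/24      is directly connected, eth1
C    198.51.100.0/24   is directly connected, eth2
"""
AFTER = """\
S    0.0.0.0/0         via 192.0.2.1, eth1, cost 0, age 12
C    192.0.2.0/24      is directly connected, eth1
C    198.51.100.0/24   is directly connected, eth2
"""

# "via <gateway>, <interface>" ; the gateway may contain spaces ("ISP - B").
VIA = re.compile(r"\bvia\s+([^,]+?),\s*([^,\s]+)")


def default_next_hops(table):
    """Return {(gateway, interface)} for every next hop of 0.0.0.0/0."""
    hops, in_default = set(), False
    for line in table.splitlines():
        text = line.strip()
        if not text:
            continue
        if not text.startswith("via"):       # first line of a new route entry
            in_default = "0.0.0.0/0" in text.split()[:3]
        if in_default:
            match = VIA.search(text)
            if match:
                hops.add((match.group(1), match.group(2)))
    return hops


def lost_next_hops(before, after):
    """Next hops present in the first snapshot but gone from the second."""
    return sorted(default_next_hops(before) - default_next_hops(after))


def interfaces_without_default(table, expected):
    """Expected ISP interfaces that currently carry no default next hop."""
    present = {iface for _, iface in default_next_hops(table)}
    return sorted(set(expected) - present)


if __name__ == "__main__":
    print("lost:", lost_next_hops(BEFORE, AFTER))
    print("no default via:", interfaces_without_default(AFTER, ["eth1", "eth2"]))
```

Capturing one snapshot while both routes are present and another after the cable test shows whether the next hop that vanished is the one on eth1 or the one on eth2.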

Re: ISP Redundancy - 2 default route pointing to different ISP

Hi Ankur,

Any luck finding the right answer? I am having the same issue.

Regards,

Mahir

0 Kudos