
Two ISP's with two appliances 4800 R80.10

Hello guys,

My scenario is as follows: I have two 4800 appliances and now two different ISPs. Each ISP connects to only 1 gateway. Can I work with both in active/standby? Remember that each ISP connects to 1 gateway and not both. Does ISP redundancy do this? I would like to leave one ISP working and, if it goes offline, the backup goes online. My biggest doubt is whether, if the main ISP that is on the active gateway fails, there will be a connection to the other ISP on the standby firewall.

My solution:

- 2 Check Point 4800 appliances;

- R80.10 version firewall and management;

Thanks.

15 Replies
Admin

Re: Two ISP's with two appliances 4800 R80.10

This exact question came up here:  

TL;DR: It doesn't work that way.

Re: Two ISP's with two appliances 4800 R80.10

Easy - use HA Cluster and ISP redundancy!

- if the active cluster node fails, standby will take over, keeping the primary ISP

- if primary ISP fails, secondary will take over

Re: Two ISP's with two appliances 4800 R80.10

Will the ISP redundancy work with the schema that each ISP is physically connected on only 1 appliance?

The scenario is:

Firewall 1 -> ISP 1

Firewall 2 -> ISP 2

Only 1 port per ISP on 1 firewall and not both ISPs are on both appliances.

If the active firewall 1 fails, which has ISP 1 connected, will traffic be thrown to Firewall 2, which does not have ISP 1 connected?

0 Kudos
Admin

Re: Two ISP's with two appliances 4800 R80.10

No, this is not a supported configuration.

Please refer to the thread I linked previously, which discusses this exact issue.

Re: Two ISP's with two appliances 4800 R80.10

That's what I thought. I have to physically connect the two ISPs on both appliances for redundancy.

Thanks everyone.

0 Kudos
Aidan_Luby
Nickel

Re: Two ISP's with two appliances 4800 R80.10

Are the firewalls in the same location? We connect our ISPs to a switch, then you can connect those WAN VLANs to both the firewall appliances. If your ISPs both only give you one IP, you can still use those just as the VIPs, then use a different addressing scheme for the physical IPs.

So you can have ISP1 > Switch on VLAN 1 > both Check Points on VLAN 1 and set up physical IPs and a VIP for this VLAN, then do the same with a different VLAN/IPs for the other ISP connection.

Re: Two ISP's with two appliances 4800 R80.10

Hello Aidan,

The topology will look like this: ISP 1, located in DC1, connected to a core switch in VLAN X, which in turn will connect to port X of FW1. ISP 2, located in DC2, connected to a core switch in VLAN Y, which in turn will connect to FW2's X port. These switches are stacked, that is, they are part of the same "unit". In this way, what is the best approach for both ISPs to be connected, whether redundant or active?

Firewalls in active/standby mode or active/active?

And about configuration of rules, NATs, static routes?

Thanks.

0 Kudos

Re: Two ISP's with two appliances 4800 R80.10

This is an unsupported configuration and ClusterXL will not work. Please explain why you cannot use a standard ClusterXL ISP Redundancy / LS configuration!

0 Kudos

Re: Two ISP's with two appliances 4800 R80.10

As I explained above, can I use ISP Redundancy? ISPs arrive on each side, connected to VLANs -> FW?

0 Kudos
Admin

Re: Two ISP's with two appliances 4800 R80.10

ISP Redundancy requires both ISPs to be reachable from both gateways.

If that is not the case with your configuration, it will not work.

0 Kudos

Re: Two ISP's with two appliances 4800 R80.10

Even with every ISP having reach to the other side via switch/VLAN? The core stack is interconnected between the DCs via fiber channel.

0 Kudos
Admin

Re: Two ISP's with two appliances 4800 R80.10

If the switch/VLAN configuration allows both gateways to reach both ISPs, then yes.

A proposed network diagram would be helpful to confirm.

0 Kudos

Re: Two ISP's with two appliances 4800 R80.10

Topology

0 Kudos
Admin

Re: Two ISP's with two appliances 4800 R80.10

It looks as if that should work.

0 Kudos

Re: Two ISP's with two appliances 4800 R80.10

Be careful when thinking about what you define as an ISP being "offline".

It is either a problem on the physical layer (port goes down for whatever reason) or on the protocol layer (default gateway or any other along the path fails). The first one is in fact the best to happen. The second one will require that you monitor certain hosts on the Internet and initiate fail-over should certain criteria be satisfied.

0 Kudos
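
The two failure types described in the last reply, as an added sketch that is not part of the thread and not Check Point's ISP Redundancy implementation: a port going down triggers fail-over at once, while a path failure behind a live port is only declared after several consecutive rounds in which no monitored host answers. The class and function names, the threshold of 3 and the documentation-range addresses are assumptions, and probe results are passed in as constructed data so the logic runs offline.

```python
from dataclasses import dataclass

@dataclass
class IspLink:
    name: str
    monitored_hosts: list      # Internet hosts probed through this ISP (assumed values)
    fail_threshold: int = 3    # consecutive failed rounds before a path failure is declared
    bad_rounds: int = 0
    state: str = "up"

    def evaluate(self, carrier_up, probe_results):
        """Process one monitoring round; return the reason for the resulting state."""
        if not carrier_up:
            # Physical-layer failure: unambiguous, so fail over immediately.
            self.bad_rounds, self.state = self.fail_threshold, "down"
            return "physical"
        if any(probe_results.get(h, False) for h in self.monitored_hosts):
            # At least one monitored host answers: the path is usable.
            self.bad_rounds, self.state = 0, "up"
            return "ok"
        # Port is up but nothing answers: a failure somewhere along the path.
        self.bad_rounds += 1
        if self.bad_rounds >= self.fail_threshold:
            self.state = "down"
            return "protocol"
        return "degraded"      # not enough evidence yet, state is unchanged

def pick_active(primary, backup):
    """Prefer the primary ISP; use the backup only while the primary is down."""
    if primary.state == "up":
        return primary.name
    return backup.name if backup.state == "up" else None

def simulate():
    # Constructed sample rounds using documentation addresses, not real targets.
    isp1 = IspLink("ISP1", ["192.0.2.1", "192.0.2.2"])
    isp2 = IspLink("ISP2", ["198.51.100.1"])
    ok1 = {"192.0.2.1": True, "192.0.2.2": True}
    dead1 = {"192.0.2.1": False, "192.0.2.2": False}
    rounds = [(True, ok1), (True, dead1), (True, dead1), (True, dead1), (False, {}), (True, ok1)]
    history = []
    for carrier, probes in rounds:
        reason = isp1.evaluate(carrier, probes)
        isp2.evaluate(True, {"198.51.100.1": True})
        history.append((reason, pick_active(isp1, isp2)))
    return history

if __name__ == "__main__":
    print(simulate())
```

Monitoring more than one host per ISP keeps a single unreachable target from being mistaken for an ISP outage, and the threshold trades detection time against flapping.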