This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jakub132620
Explorer
Tuesday

ISP redundancy questions

Hello,

We have a 9400 series appliance running Gaia R82, and we are planning to add a second Internet connection from another ISP.

After reading the R82 ClusterXL Administration Guide, I still have a few questions. I’m not sure if I understood everything correctly.

 

Let’s assume that we received an additional public IP address pool from both ISPs.

 

1) in Load Sharing mode, for outbound Internet traffic we can only use the “Hide behind gateway” NAT option?

2) What if we have a public IP address pool provided by the ISP? In that case, is it possible to use the “Hide behind IP address” option, or configure Manual NAT instead in load sharing option?

3) In Active/ Backup mode we are using maunla nat rules described in sk174197 and sk25152 ? 

4)

In the Administration Guide, in the “Incoming Connections” section, it is described that a server accessible from the Internet receives two public IP addresses, one from each ISP and we have two manula static rules.

Later, it is mentioned that the DNS query reaches the cluster. If I understood correctly, the cluster has a kind of built-in DNS functionality that can respond to DNS A record queries.

Does this mean that the organization must host its own DNS server internally, and that the DNS server cannot be located outside the company?

A lot of uncertainties came to my mind while reading the documentation. Could someone please clarify these points for me?

Thank you in advance for your answers.

 

0 Kudos
3 Replies
simonemantovani
MVP Gold
MVP Gold
Tuesday

Hello

about DNS resolution; the DNS query must be intercepted by the firewall, so DNS server must be behind the firewall.

In the past I configured this feature for a customer, and yes, DNS server are hosted on-premise; so this could be a limit; if your DNS provider supports some kind of availability monitor for your public IPs and some kind of failover maybe you can manage the switch between your ISP automatically. But it depends of who is managing and hosting your DNS zones.

0 Kudos
Jakub132620
Explorer
Tuesday
In response to simonemantovani

Thans for reply. What about ISP redundancy in load sharing mode. It's ony possible to use hide behind gateway option in this mode?

0 Kudos
PhoneBoy
Admin
Admin
Tuesday
In response to Jakub132620

For outbound connections, yes.
See: https://support.checkpoint.com/results/sk/sk34812

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 02 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Aarhus
    In-Person

    Wed 03 Jun 2026 @ 09:00 AM (CEST)

    CheckMates Live Denmark - Copenhagen
    In-Person

    Fri 12 Jun 2026 @ 09:00 AM (CEST)

    Netzwerk- & Cloud-Workshop: Wien
    In-Person

    Tue 16 Jun 2026 @ 08:00 AM (EDT)

    Montreal: P’tits déj Cyber! | Cyber Breakfasts!
    CheckMates Events