MattWoolven
Participant

2 external interfaces running in ClusterXL R80.20, help.

I have a 2-node cluster of Check Point 4400 running R80.20.

I will shortly be changing ISP but would like to run both ISPs' IP addresses until I have migrated everything.

Can I have 2 interfaces set to External?

And if I can what implications will that have on routing?

Any help appreciated!

0 Kudos
8 Replies
PhoneBoy
Admin

Yes you can do this.
You can set the default route to use a specific ISP.
MattWoolven
Participant

Thanks for your reply PhoneBoy,

So essentially, if I add a new clustered interface and set it to External in the topology, my cluster will continue to use the current external interface as the default route until I change it to be the new one.

Before I change to the new one I would like to be able to migrate services to the new IP range. I assume I can just change the Static NAT for those services on the individual nodes? (Nodes are in the DMZ.)

0 Kudos
abihsot__
Advisor

Would it be a good place to use the built-in feature (Gateway Properties -> Other -> ISP Redundancy)?

0 Kudos
mdjmcnally
Advisor

No, it wouldn't be a good idea to use the ISP Redundancy feature. Getting the DNS and NAT right is a real pain if setting it up properly. I really hoped that Check Point would drop the feature altogether with R80 gateways.

For what is wanted here, which is moving services over and then removing the original link, a second line is fine.

You can move over services with known IPs simply by putting routes on the gateway that use the second ISP as the next hop.

Services with unknown IPs that connect to/from will have to wait until the DG is moved over.

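As an added illustration (not from any poster in this thread), the Gaia clish configuration on one cluster member that implements the approach above: the second external interface is brought up, the default route stays on the current ISP, and only destinations with a known address are steered out of the second ISP by next hop. The interface name, addresses and next hops are assumed placeholders from the RFC 5737 documentation ranges; the cluster VIP and the External topology setting are still defined in SmartConsole, and the routes are repeated on the peer member.

```clish
# Second external interface on this member (per-member address; the cluster VIP is set in SmartConsole)
set interface eth2 ipv4-address 198.51.100.10 mask-length 29
set interface eth2 state on

# Default gateway stays on the current ISP (203.0.113.1 assumed) until the migration is complete
set static-route default nexthop gateway address 203.0.113.1 on

# Known remote addresses are moved first by pointing their routes at ISP2's gateway (198.51.100.9 assumed)
set static-route 192.0.2.0/24 nexthop gateway address 198.51.100.9 on
set static-route 192.0.2.200/32 nexthop gateway address 198.51.100.9 on

# Check the routing table and persist; repeat on the peer member before testing failover
show route
save config
```

Reply traffic for connections that arrive on the ISP2 address follows the same routing table, so until the default route is moved it leaves via ISP1; that is why the thread advises waiting on services whose peers' addresses are not known.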
abihsot__
Advisor

Hi there,

I have never used the ISP Redundancy feature. Why is it so bad that you expected Check Point to remove it altogether?

0 Kudos
mdjmcnally
Advisor

I hoped that it would be removed as it is effectively unfinished. I didn't expect it, just hoped it would be.

Load Sharing still sends ALL outbound traffic that has to be Static NATed, i.e. servers, over the first listed ISP link.

Only Hide NAT is actually load shared across the two lines.

Guess what: in Load Sharing you cannot actually specify which is the first listed ISP link.

You are restricted to 2 lines.

The Remote Access VPN client didn't work properly with the feature.

Even working with TAC we struggled to get it to work properly, and I am still not 100% convinced that it did.

The tracking features are not great.

It had the potential but was never progressed.

It is now a little bit above the ConnectControl feature: still there, but not touched in ages, and I never recommend using it.

The ONLY time I would use it is at a branch office that has two lines.

It is used to build a VPN back to the office, which is all Check Point, so the switchover with the probing works.

NO servers are hosted at the branch, so ALL traffic is simply set to be NATed behind the gateway and can be load shared.

abihsot__
Advisor

Very useful information! Thanks for sharing.
0 Kudos
MattWoolven
Participant

Thank you for all your replies.

I will try it out and update the post as appropriate.
0 Kudos