Participant

Redundant ISP on same external interface


Hello,

We have 1 cluster of 2 firewalls. Each has 4 ethernet interfaces which are configured as below:

- Eth1 - Internal (trusted)

- Eth2 - Internet (untrusted)

- Eth3 - Sync (cross connect 2 FW)

- Eth4 - Mgmt

Now we want to add 1 more internet link for redundancy. I'm not sure if we need an additional Ethernet port to connect to the 2nd internet link, or whether we can configure a 2nd address on the existing Internet interface (Eth2). I made some searches and found some Checkpoint documents, but the steps listed there seem to be for 2 different interfaces; 1 interface is also mentioned, but I'm not sure if it works in an HA setup (2 firewall cluster).

Thanks,

Hiep.

1 Solution

Accepted Solutions
Collaborator

You may configure your external interface with VLANs, with the same behaviour as with any other interface. Additionally you need to set up in front a VLAN-capable switch where both ISP links will be terminated. You need to set up this switch with two VLANs (same IDs as you configured on the FW) and assign two tagged ports for each FW and one port for each VLAN for each ISP. Once you have them configured you need to choose the way of redundancy for your Internet: load balancing or failover.

For higher availability on the switch level you can use two switches, where each ISP will terminate to each switch and each FW to the different switches.


3 Replies
Advisor

Hi,

The simplest solution is with two external interfaces defined, one for each ISP. Since you have a clustered environment, each gateway in the cluster requires a corresponding external link for each ISP, as you have today. Your question was to use the same external link for two ISPs. In that case you have to have different subnets configured for each ISP on that interface in Gaia. Remove the IP address from eth2 and add two VLANs instead. Will have to have someone confirm this.

You probably want to use this redundancy mode:

Primary/Backup: New connections use the primary link as its ISP. In the event of primary link failure, connections switch to the backup link, and any new connections use the backup link as well. Upon recovery of the primary link, any new outgoing connections begin to use it again while the existing connections on the backup link continue to use it until completion.

There are other things to consider when setting up redundant ISPs. Follow this link: How to configure ISP redundancy


Contributor

Hello,

Yes, I just had the case ...
ISP1 on ETH1 as untagged VLAN, IP directly configured on the physical interface.
ISP2 on ETH1 as tagged VLAN, IP configured on eth1.35 ...

ISP redundancy was NOT working; only the ISP2 on eth1.35 was shown as up ...

Then we changed ISP1 to VLAN 10, tagged on eth1.10.

This worked instantly!

So this is "one" of the limitations when untagged and tagged VLANs are configured on the same physical interface!

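As an added example (not from any post in this thread), here are the Gaia clish commands that implement the layout the accepted answer and the last reply converge on: both ISPs on tagged VLAN sub-interfaces of the single external port, with no address left on the untagged parent. The interface name (eth2), VLAN IDs (10, 20) and addresses (RFC 5737 documentation ranges) are placeholders; the shared VIP per VLAN and the ISP Redundancy mode (Primary/Backup or Load Sharing) are set on the cluster object in SmartConsole, not in clish.

```clish
# Added example, not from any post above. Run on EACH cluster member;
# member B uses its own member address in the same subnets. The per-VLAN
# cluster VIPs live on the cluster object in SmartConsole.
# eth2, VLAN 10/20 and the 198.51.100.x / 203.0.113.x addresses are
# placeholders chosen for this example.

# Layout the last reply observed NOT to work for ISP redundancy:
#   ISP1 untagged on eth2 (address on the physical interface)
#   ISP2 tagged   on eth2.20
# Layout that worked: both ISPs tagged, parent interface left without an IP.

# 1. Strip any address from the parent so it only carries the tagged VLANs
delete interface eth2 ipv4-address
set interface eth2 state on

# 2. ISP1 on VLAN 10 (switch: tagged toward each FW, access port toward ISP1)
add interface eth2 vlan 10
set interface eth2.10 ipv4-address 198.51.100.2 mask-length 29
set interface eth2.10 state on

# 3. ISP2 on VLAN 20 (switch: tagged toward each FW, access port toward ISP2)
add interface eth2 vlan 20
set interface eth2.20 ipv4-address 203.0.113.2 mask-length 29
set interface eth2.20 state on

# 4. Verify both sub-interfaces are up, then persist the configuration
show interface eth2.10
show interface eth2.20
save config
```

After this, refresh the cluster object's topology in SmartConsole so eth2.10 and eth2.20 with their VIPs are known to the policy before enabling ISP Redundancy; the ISP links can only be monitored once both appear as cluster interfaces.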