Network Topology:
ISP Redundancy : Active/Standby Mode
Source: Host_A IP : 11.201.6.171
Host_B IP : 11.201.6.172
Destination is XYZ Server IP: 142.250.205.238
ISP-1 NAT Public IP: 116.113.114.25 (From pool)
ISP-2 NAT Public IP: 58.143.112.130 (From Pool)
I created a manual NAT rule for this like below
Outbound Connection we need:
| NAT Rule No | Original Source | Original Destination | Original Service | Translate Source | Translate Destination | Translate Service |
| 1 | 11.201.6.171 | 142.250.205.238 | https | 116.113.114.25 | Original | Original |
| 2 | 11.201.6.171 | 142.250.205.238 | https | 58.143.112.130 | Original | Original |
| 3 | 11.201.6.172 | 142.250.205.238 | https | 116.113.114.26 | Original | Original |
| 4 | 11.201.6.172 | 142.250.205.238 | https | 58.143.112.131 | Original | Original |
Challenge : If ISP-1 once goes down then NAT Rule No-1 will always hit and its not going to hit the NAT Rule No-2 and my internal system 11.201.6.171 unable to reach the XYZ Server IP: 142.250.205.238.
To resolved this issue We plan to implement Dynamic Object.
Below is our POA
| Object Name | Comment |
| DYN_ISP_A | ISP 1 |
| DYN_ISP_B | ISP 2 |
| Object Name | Comment |
| HOST_INTERNAL | 11.201.6.171 |
| HOST_INTERNAL1 | 11.201.6.172 |
| Object Name | Comment |
| HOST_VALID_ISP_A | 116.113.114.19 |
| HOST_VALID_ISP_B | 58.143.112.129 |
Manual NAT Rule:
| Original Source | Original Destination | Original Service | Translate Source | Translate Destination | Translate Service |
| HOST_INTERNAL | DYN_ISP_A | https | HOST_VALID_ISP_A | Original | Original |
| HOST_INTERNAL | DYN_ISP_B | https | HOST_VALID_ISP_B | Original | Original |
| HOST_INTERNAL1 | DYN_ISP_A | https | HOST_VALID_ISP_A | Original | Original |
| HOST_INTERNAL1 | DYN_ISP_B | https | HOST_VALID_ISP_B | Original | Original |
On the Security Gateway / each member of ClusterXL, run the 'cpstop' command.
1. Transfer the cpisp_update file to the both gateways ($FWDIR/bin/ directory) using scp tool.
2. Stop the Standby Member First (cpstop)
When running the commands below, we have to use the exact object name from SmartConsole
(case-sensitive).
[Expert@HostName]# dynamic_objects -n DYN_ISP_A
[Expert@HostName]# dynamic_objects -n DYN_ISP_B
[Expert@HostName]# dynamic_objects -o DYN_ISP_A -r 0.0.0.0 0.0.0.0 -a
[Expert@HostName]# dynamic_objects -o DYN_ISP_B -r 0.0.0.0 0.0.0.0 -a
3. Convert the cpisp_update file script to Unix format (dos2unix
$FWDIR/bin/cpisp_update)
4. Make the script executable (chmod +x $FWDIR/bin/cpisp_update)
5. Start the service on Standby Member (cpstart)
Repeat Steps 1-5 on the Other Gateway
We can see which ISP link is up with this command: tail -f /tmp/cpisp_state
File: $FWDIR/bin/cpisp_update : (Refer sk25152)
Add the following configuration to have a Primary/Backup ISP solution (it will allow the Primary ISP to take back control after it is up again):
Challenges Question 1: We already configured sk32073 (Configuring Cluster Addresses on Different Subnets) and its running on the production so is this going to impact the Dynamic Object implementation?
Challenges Question 2: We also have a one internal server server communication and that routes towards the external sub-interface eth1-01.x and route is also created and its working fine but if I configured the Dynamic Object rule then I am sure its hit the access control rule and then NAT Rule-1 and the source 11.201.6.171 unable to reach to the Internal Server.
Its complicate and its running on a critical environment so please need all of your assistance will be Great.
Regards
| User | Count |
|---|---|
| 11 | |
| 10 | |
| 8 | |
| 7 | |
| 7 | |
| 5 | |
| 3 | |
| 3 | |
| 3 | |
| 2 |
Tue 04 Mar 2025 @ 04:00 PM (CET)
Check Point | WIZ : Powering the Next Era of Cloud Security - AMERICASTue 11 Mar 2025 @ 05:00 PM (CDT)
Under the Hood: Configuring Site to Site VPN with Azure Virtual WAN and CloudGuard Network SecurityTue 04 Mar 2025 @ 04:00 PM (CET)
Check Point | WIZ : Powering the Next Era of Cloud Security - AMERICASTue 11 Mar 2025 @ 05:00 PM (CDT)
Under the Hood: Configuring Site to Site VPN with Azure Virtual WAN and CloudGuard Network SecurityFri 21 Mar 2025 @ 10:00 AM (CET)
CheckMates Live Netherlands - Sessie 34: Smart-1 Cloud & Infinity Events
