Martin_Raska
Advisor

Dual ISP and SIC management


Hello mates,

I need your advice. The customer has a 3600HA which is managed over the Internet via a public IP. So SIC and policy install go from the SMS to the cluster via the external public IP of the cluster.

Now the fun part. They have two ISPs, with two separate IP pools. Is there any way to configure the management SIC or the GW object to have any HA for management? I know what happens if ISP A fails; is there a way to transfer SIC and policy install to ISP B?


When ISP A fails:

Do some manual dNAT for the GW IP on the SMS side? Change traffic to ISP B?

Change the IP of the cluster in SmartConsole and install?


Accepted Solution
PhoneBoy
Admin

I would change the Main IP of the cluster in this case and push policy.
Assuming the SMS IP doesn't change, that should be all that is required.


4 Replies
PhoneBoy
Admin

What is doing the ISP Redundancy/NAT in this case: a Check Point gateway or something else?
Either way, this SK is probably relevant: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

To be clear, SIC is based on certificates, so doesn’t care so much about the IP used.
However, the IP the gateway connects to for logging and the IP allowed via implied rules is definitely relevant.

I suspect this will require modifying the masters file to achieve (mentioned in the above SK), though I’m not 100% sure you can specify two IPs for management.

Martin_Raska
Advisor

Currently there is no NAT in place; the SMS has a public IP and the GW cluster has two external interfaces with two public IPs, one from each ISP. ISP load balancing is configured on the CP cluster. The cluster has its main IP from ISP A, so policy install and SIC communication go to the ISP A public IPs. The question is: what happens if ISP A fails? How do we install policy via the ISP B public IP?


My assumption of what might work when ISP A fails:

Do some temporary manual dNAT (x.x.x.x - ISP A to y.y.y.y - ISP B) for the connection from SMS to GW,

or change the IP of the cluster to the public IP from ISP B in SmartConsole and try to install policy?


Martin_Raska
Advisor

I can confirm that it's working: just change the IP of the cluster and its members and you are good to go, then install policy. Thanks.
