Hello mates,
I need your advice. The customer has 3600HA which are managed over the Internet via a public IP. So SIC and policy install go from the SMS to the cluster via the external public IP of the cluster.
Now the fun part. They have two ISPs, with two separate IP pools. Is there any way to configure management SIC or the GW object to use any HA for management? I know what happens if ISP A fails; is there a way to transfer SIC and policy install to ISP B?
When ISP A fails:
Doing some manual dNAT for GW IP at SMS side? Change traffic to ISP B?
Change IP of cluster in SmartConsole and install?
What is doing the ISP Redundancy/NAT in this case: a Check Point gateway or something else?
Either way, this SK is probably relevant: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
To be clear, SIC is based on certificates, so doesn’t care so much about the IP used.
However, the IP the gateway connects to for logging and the IP allowed via implied rules is definitely relevant.
I suspect this will require modifying the masters file to achieve (mentioned in the above SK), though I’m not 100% sure you can specify two IPs for management.
Currently, there is no NAT in place; the SMS has a public IP and the GW cluster has two external eths with two public IPs from both ISPs. ISP load balancing is configured on the CP cluster. The cluster has its main IP from ISP A, so policy install and SIC communication go to the ISP A public IPs. The question is what happens if ISP A fails? How to install policy via the ISP B public IP?
My assumption of what might work when ISP A fails:
Doing some temporary manual dNAT (x.x.x.x - ISP A to y.y.y.y - ISP B) for the connection from the SMS to the GW
or change the IP of the cluster to the public IP from ISP B in SmartConsole and try to install policy?
I would change the Main IP of the cluster in this case and push policy.
Assuming the SMS IP doesn't change, that should be all that is required.
I can confirm that it's working: just change the IP of the cluster and its members and you are good to go, then install policy. Thanks.
Hi,
Once ISP1 goes down, do I always need to change the main IP of the gateway in SmartConsole to push the policy or make sure the gateway sends the logging? Is there any automatic method for that?
BR
Ercan
Unfortunately, not at this time.
Note that when the primary ISP goes down, the gateway should store logs locally until the primary ISP comes back up and can re-establish a logging connection.
Which means the logs won't actually be lost, they will just not be available while ISP2 is the active one.