Martin_Raska (Advisor)

Dual ISP and SIC management

Hello mates,

I need your advice. The customer has a 3600 HA cluster which is managed over the Internet via a public IP, so SIC and policy install go from the SMS to the cluster via the cluster's external public IP.

Now the fun part. They have two ISPs, with two separate IP pools. Is there any way to configure management SIC, or the GW object, to have some HA for management? I know what happens if ISP A fails; is there a way to transfer SIC and policy install to ISP B?

When ISP A fails:

Doing some manual DNAT for the GW IP at the SMS side, switching the traffic to ISP B?

Changing the IP of the cluster in SmartConsole and installing?


6 Replies
PhoneBoy (Admin)

What is doing the ISP Redundancy/NAT in this case: a Check Point gateway or something else?
Either way, this SK is probably relevant: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

To be clear, SIC is based on certificates, so doesn’t care so much about the IP used.
However, the IP the gateway connects to for logging and the IP allowed via implied rules is definitely relevant.

I suspect this will require modifying the masters file to achieve (mentioned in the above SK), though I’m not 100% sure you can specify two IPs for management.

Martin_Raska (Advisor)

Currently there is no NAT in place: the SMS has a public IP, and the GW cluster has two external interfaces with two public IPs, one from each ISP. ISP load balancing is configured on the CP cluster. The cluster has its main IP from ISP A, so policy install and SIC communication go to the ISP A public IPs. The question is what happens if ISP A fails? How do I install policy via the ISP B public IP?

My assumptions which might work when ISP A fails:

Doing some temporary manual DNAT (x.x.x.x, ISP A, to y.y.y.y, ISP B) for the connection from the SMS to the GW

or changing the IP of the cluster to the public IP from ISP B in SmartConsole and trying to install policy?

PhoneBoy (Admin), accepted solution

I would change the Main IP of the cluster in this case and push policy.
Assuming the SMS IP doesn't change, that should be all that is required.

Martin_Raska (Advisor)

I can confirm that it's working: just change the IP of the cluster and its members and you are good to go, then install policy. Thanks.
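The step confirmed above (change the cluster object's IP and its members' IPs, then install policy) can be scripted against the Check Point Management API so an operator runs it with one command when ISP A is down; it is still operator-triggered, not the automatic failover asked about later in the thread. The module below is an added example written for this page, not code from the thread or from Check Point. It assumes the API is served at https://<sms>/web_api/ with the session id in the X-chkp-sid header, that the cluster object is a simple-cluster whose members are updated through set-simple-cluster's "members" -> "update" list (verify this against the API reference for your release), and that CPD answers on TCP/18191 on each member's public IP. The addresses are constructed samples from the documentation ranges, and the cluster name, package name and SMS hostname are placeholders.

```python
"""Operator-run ISP failover for a cluster managed over the Internet: re-point
the cluster object and its members at the other ISP's addresses via the
Management API, publish, and install policy. Added example; endpoint path,
session header and the set-simple-cluster member schema are assumptions taken
from the public API reference, not facts from the thread."""
import json
import socket
import ssl
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CPD_PORT = 18191  # CPD listener the SMS talks to for policy install (assumed reachable)


@dataclass(frozen=True)
class IspPool:
    """Management addresses the cluster owns on one ISP."""
    name: str
    cluster_ip: str              # main IP of the cluster object on this ISP
    member_ips: Dict[str, str]   # cluster member object name -> IP on this ISP


# Constructed sample addresses from the documentation ranges, not the customer's.
ISP_A = IspPool("ISP-A", "198.51.100.10", {"gw-1": "198.51.100.11", "gw-2": "198.51.100.12"})
ISP_B = IspPool("ISP-B", "203.0.113.10", {"gw-1": "203.0.113.11", "gw-2": "203.0.113.12"})

Command = Tuple[str, dict]


def tcp_reachable(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_pool(pools: List[IspPool], probe: Callable[[str, int], bool] = tcp_reachable) -> IspPool:
    """First pool, in preference order, whose member IPs all answer on CPD_PORT.
    The SMS pushes policy to each member, so those are the addresses that matter.
    `probe` is injectable so the selection logic can be exercised without a network."""
    for pool in pools:
        if all(probe(ip, CPD_PORT) for ip in pool.member_ips.values()):
            return pool
    raise RuntimeError("no ISP pool reachable on TCP/%d" % CPD_PORT)


def plan_move(cluster_name: str, package: str, target: IspPool) -> List[Command]:
    """Ordered API calls that re-point management at `target`; kept separate
    from execution so the plan can be printed and reviewed before anything is published."""
    members = [{"name": m, "ipv4-address": ip} for m, ip in sorted(target.member_ips.items())]
    return [
        ("set-simple-cluster", {"name": cluster_name,
                                "ipv4-address": target.cluster_ip,
                                "members": {"update": members}}),  # assumed schema, see module docstring
        ("publish", {}),
        ("install-policy", {"policy-package": package, "targets": [cluster_name]}),
    ]


class MgmtSession:
    """Minimal Management API client on urllib; no third-party packages needed."""

    def __init__(self, sms: str, user: str, password: str, verify_tls: bool = True):
        self.base = "https://%s/web_api/" % sms
        self.sid = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # only for a lab SMS with a self-signed certificate
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def call(self, command: str, payload: dict) -> dict:
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.base + command, data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, context=self.ctx, timeout=120) as resp:
            return json.loads(resp.read().decode())

    def run(self, plan: List[Command]) -> List[dict]:
        """Execute the plan in order; always log out so the session is not left open."""
        try:
            return [self.call(cmd, body) for cmd, body in plan]
        finally:
            self.call("logout", {})


if __name__ == "__main__":
    # Dry run without touching the network: print the plan for moving to ISP B.
    # On a live SMS: target = choose_pool([ISP_A, ISP_B]) probes which pool answers.
    for cmd, body in plan_move("cluster-3600", "Standard", ISP_B):
        print(cmd, json.dumps(body))
    # To apply: MgmtSession("sms.example.net", "api-user", "...").run(plan_move(...))
```

Because, as noted earlier in the thread, SIC is certificate-based, no SIC reset is needed when the addresses change, and the SMS keeps its own IP, so the management API stays reachable throughout. Moving back to ISP A is the same plan built with ISP_A as the target.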

starmen2000 (Collaborator)

Hi,

Once ISP1 goes down, do I always need to change the main IP of the gateway in SmartConsole to push the policy or to make sure the gateway sends its logs? Is there any automatic method for that?

BR

Ercan

PhoneBoy (Admin)

Unfortunately, not at this time.

Note that when the primary ISP goes down, the gateway should store logs locally until the primary ISP comes back up and can re-establish a logging connection.
Which means the logs won't actually be lost, they will just not be available while ISP2 is the active one.
