This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
pgestido
Explorer
‎2025-07-01 11:33 AM

ISP Redundancy 101

Hi:

I have questions about ISP redundancy (I am working with R81.20)

I will describe a basic scenario

One Gw with 

LAN interafce 192.168.1.1 (LAN is 192.168.1.0)

ISP1 Interface (1.1.1.1, ISP Gw 1.1.1.2)

ISP2 Interface (2.2.2.1 ISP Gw 2.2.2.2)

1) When configuring ISP Reduandancy should I configure 2 default routes in GAIA? or is it configured automaticaly by ISP Redundancy?

2) If you configure a NAT Hide (behind the Gateway) I guess the traffic is NATed with the IP of the ISP the traffic is going out. Is that right?

3) What happens If I NAT inside network with ISP1 IP (1.1.1.1). It may happen that with ISP reduandancy the outgoing traffic is getting out by ISP2. Will the gateway NAT the traffic (going out by ISP2) with ISP1 IP ?

Thanks for your help,

Pablo

0 Kudos
6 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-07-01 12:24 PM

1) When configuring ISP Reduandancy should I configure 2 default routes in GAIA? or is it configured automaticaly by ISP Redundancy?

 

I would configure that in case of main link failure.

2) If you configure a NAT Hide (behind the Gateway) I guess the traffic is NATed with the IP of the ISP the traffic is going out. Is that right?

yes

3) What happens If I NAT inside network with ISP1 IP (1.1.1.1). It may happen that with ISP reduandancy the outgoing traffic is getting out by ISP2. Will the gateway NAT the traffic (going out by ISP2) with ISP1 IP ?

i believe so

 

Andy

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-07-02 02:28 AM
In response to the_rock

You are wrong - 1.) When an ISP link state changes, the $FWDIR/bin/cpisp_update script runs on the Security Gateway. This script changes the default route of the Security Gateway

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityGateway_Guide/Conten...

For 2.) see https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityGateway_Guide/Conten...

Also answer to 3.) is false ! After default route is changed the traffic will go out with ISP2 IP.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-07-02 04:43 AM
In response to G_W_Albrecht

Not based on my experience with the customers. I had 3 customers experience the issue where if you have ONLY 1 default gateway, if main link goes down, bunch of stuff wont work. You are welcome to test it in the lab and Im positive you would see exact same results.

Andy

Best,
Andy
0 Kudos
Ave_Joe
Collaborator
‎2025-07-01 05:22 PM

  • I recommend starting with sk61692.
  • The NAT piece is important.  You will have to uncheck the "Hide internal networks behind the Gateways external IP" in the gateways properties.
  • All internal networks objects will need to be changed to "Hide behind the gateway" and selecting the correct gateway.
  • For VPN traffic to work as needed in all link failure cases I recommend looking at sk180956.

Hope this helps.

the_rock
MVP Platinum
MVP Platinum
‎2025-07-01 05:24 PM
In response to Ave_Joe

Yup...totally valid points @Ave_Joe 

Andy

Best,
Andy
0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2025-07-02 12:55 AM

See https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityGateway_Guide/Conten... for configuration steps ! When an ISP link state changes, the $FWDIR/bin/cpisp_update script runs on the Security Gateway: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityGateway_Guide/Conten...

sk32225 - Configuring ISP Redundancy so that certain traffic uses specific ISP Link

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events