Michael_Adjei
Participant

ISP Redundancy (3 or more ISPs) and Policy-Based Routing in R80.30

Hello Checkmates,

Does anyone know if

 - ISP Redundancy with more than two links (3 or more Internet links)

 - Policy-Based Routing (route to different ISPs for different types of traffic and from different subnets)

is going to be supported anytime soon? There appear to be some enhancements in R80.30 for Advanced Networking in this regard, but I am unable to download the ISO for the public beta to test for some strange reason.

The R80.30 "What's New" states:

Advanced Routing

  • Support of Multihop Ping and Multiple ISPs in Policy-Based Routing.
  • Support of Multihop Ping in Static Routes.
  • Support of BFD in Static Routes.
  • Support of VSX VS-ID in Netflow.

Am I the only one who thinks that this feature set is long overdue for Check Point considering their capability and innovation ability over the years?

We have customers asking for this for various reasons especially with all the noise being made by other vendors about SD-WAN.

Any help with this question will be much appreciated.

1 Solution

Accepted Solutions
PhoneBoy
Admin

As far as I know, more than two ISPs is not supported with ISP Redundancy in R80.30.

I don't believe PBR has a limit with more than two ISPs, though.

In general, we are addressing SD-WAN through partnerships with other vendors (e.g. Silverpeak and Velocloud).

See also:  https://community.checkpoint.com/t5/SD-WAN/Early-Availability-Program-for-Network-Security-as-a-Serv...

Michael_Adjei
Participant

Thanks Dameon for your response. We appreciate Check Mates to be able to ask these types of questions here.

Quite disappointing to know it is not going to be supported because we have customers asking for this.

One in particular who is currently looking to utilise a 3rd ISP line and use that to route out a specific subnet to separate out corporate traffic from some other types of traffic.

They cannot quite seem to understand why it appears not to be possible to do this still having gone through the various major OS and Gateway Software changes (and hardware) with Check Point over the years.

So just out of interest, to close this question, do you know if the addition of this feature set represents such a large change in the underlying code that it is a deterrent or it simply is not such a priority on the RFE list?

Does CP plan to support it at all on regular Gateways in the future?

Thanks

PhoneBoy
Admin

ISP Redundancy and Policy-Based Routing (PBR) are two ways to do the exact same thing.

ISP Redundancy has existed for a while now (pre-Gaia OS) and was meant to handle specific use cases.

Policy-Based Routing is more general functionality that, with the enhancements added in R80.30, makes ISP Redundancy, well, mostly redundant.

Bottom line: I would try the R80.30 EA and see if you can achieve the desired results with PBR instead of ISP Redundancy.

If you can't, then it's possible an RFE is needed, and we should involve your local office in this process.

Michael_Adjei
Participant

Thanks Dameon. I have managed to download the EA now and will test this out.

My local SE team are also aware of this customer requirement so we are approaching it from that end too. Possibly an RFE.

Thanks for your response.

Paul_Surgeon
Participant

I'm also eagerly waiting to see what routing improvements Check Point plan to release in R80.30 and thereafter.

However I do wonder how much of the PBR routing improvements will be supported in VSX since that comes with a caveat list as long as one's arm. e.g. PBR limitations, VTI limitations, etc.

For the past two and a half years I've had to explain to business multiple times that Check Point is a very poor router and that the SonicWall it replaced was superior with regards to PBR routing. Requiring ISP link load balancers (e.g. F5) upstream of Check Point firewalls just to handle multiple ISP WAN links (3+) with multi-hop, dead link detection is ridiculous. Check Point's competitors have been doing it for many years.

 
