This is not, strictly speaking, a Check Point problem, but rather a solution to a client's infrastructure limitations.
The client had a single ISP with a locally hosted proxy cluster.
They also had WAN connectivity to two sites of their parent organization, each site with its own proxies.
While developing their business continuity planning, they were permitted to use the remote proxies as failover for their web traffic.
I've been asked to design the automation for the process.
Since dead proxy detection is already covered by the PAC file (the browser walks the PROXY list in order and moves to the next entry when one does not answer), the idea was to make the local proxy unavailable during an ISP outage, so that clients fall through to the remote proxy on their own.
To address that, an IP SLA probe on their L3 Cisco switch monitors reachability of a resource on the Internet and, should it become unreachable, an EEM applet shuts the ports that lead to the local proxy; when reachability returns, a second applet brings them back up.
PAC file (slightly modified version from Example PAC File | FindProxyForURL):

function FindProxyForURL(url, host) {
    // Named internal domains go direct.
    if (dnsDomainIs(host, "intranet.domain.com") ||
        shExpMatch(host, "(*.abcdomain.com|abcdomain.com)"))
        return "DIRECT";

    // FTP, and one specific URL prefix, go direct.
    if (url.substring(0, 4) == "ftp:" ||
        shExpMatch(url, "http://abcdomain.com/folder/*"))
        return "DIRECT";

    // Plain (unqualified) names and *.local go direct without a lookup.
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local"))
        return "DIRECT";

    // Anything that resolves into the internal address space goes direct.
    // The name is resolved once; dnsResolve() returns null for a name that
    // does not resolve, and isInNet(null, ...) is false, so such hosts fall
    // through to the proxies.
    var ip = dnsResolve(host);
    if (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
        isInNet(ip, "172.16.0.0", "255.240.0.0") ||
        isInNet(ip, "192.168.0.0", "255.255.0.0") ||
        isInNet(ip, "127.0.0.0", "255.0.0.0"))       // loopback is 127/8, not /24
        return "DIRECT";

    // DEFAULT RULE: all other traffic uses the proxies below, in fail-over order.
    // aaa.aaa.aaa.aaa is the local proxy, bbb.bbb.bbb.bbb the remote one; the
    // browser moves to the next entry when the first is unreachable.
    return "PROXY aaa.aaa.aaa.aaa:8080; PROXY bbb.bbb.bbb.bbb:8080";
}
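As an added example, not code from the original post: a small Node.js harness that exercises the PAC logic above offline, with stand-in implementations of the browser-provided helpers (dnsResolve, dnsDomainIs, isPlainHostName, shExpMatch, isInNet) and a constructed DNS table, so each routing decision, including the case of a host that does not resolve, can be checked before the file is deployed. The helper implementations, the host names and addresses in the DNS table, and the route()/runSamples() wrappers are assumptions made for this harness; the PAC function itself follows the post's logic with the DNS lookup done once and the loopback mask as 255.0.0.0.

```javascript
// Added example: offline harness for the PAC file in the post.
// The helpers below are stand-ins modelled on the Mozilla/Chromium PAC
// helpers, written here for testing; they are not those implementations.

const PROXIES = "PROXY aaa.aaa.aaa.aaa:8080; PROXY bbb.bbb.bbb.bbb:8080";

// Constructed DNS table: what dnsResolve() would return for each name.
const DNS = {
  "intranet.domain.com": "10.1.2.3",
  "www.abcdomain.com":   "203.0.113.10",
  "app.internal.corp":   "10.20.30.40",
  "printer.local":       "192.168.5.9",
  "fileserver":          "192.168.5.5",
  "example.com":         "93.184.216.34",
};

// --- stand-ins for the browser-provided PAC helpers -----------------------
function dnsResolve(host) {
  // Browsers return null when the name does not resolve.
  return Object.prototype.hasOwnProperty.call(DNS, host) ? DNS[host] : null;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function shExpMatch(str, shexp) {
  // Shell expression -> anchored regex: '.' is escaped, '*' and '?' become
  // '.*' and '.', and '(' '|' ')' pass through, so the "(a|b)" alternation
  // used in the PAC works here as it does in the Mozilla-derived helpers.
  const re = "^" + shexp.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ip2int(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}
function isInNet(ip, net, mask) {
  if (ip === null) return false;           // unresolvable host: never "internal"
  const m = ip2int(mask);
  return ((ip2int(ip) & m) >>> 0) === ((ip2int(net) & m) >>> 0);
}

// --- the PAC logic from the post --------------------------------------------
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "intranet.domain.com") ||
      shExpMatch(host, "(*.abcdomain.com|abcdomain.com)"))
    return "DIRECT";
  if (url.substring(0, 4) === "ftp:" ||
      shExpMatch(url, "http://abcdomain.com/folder/*"))
    return "DIRECT";
  if (isPlainHostName(host) || shExpMatch(host, "*.local"))
    return "DIRECT";
  const ip = dnsResolve(host);             // one lookup, reused below
  if (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(ip, "127.0.0.0", "255.0.0.0"))
    return "DIRECT";
  return PROXIES;
}

// Evaluate a URL the way the browser would: the host is taken from the URL.
function route(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Constructed sample URLs with the decision each should produce.
const SAMPLES = [
  ["http://intranet.domain.com/",     "DIRECT"],  // dnsDomainIs
  ["https://www.abcdomain.com/login", "DIRECT"],  // shExpMatch alternation
  ["ftp://example.com/pub/",          "DIRECT"],  // protocol rule
  ["http://fileserver/share",         "DIRECT"],  // plain hostname
  ["http://printer.local/",           "DIRECT"],  // *.local
  ["http://app.internal.corp/",       "DIRECT"],  // resolves into 10/8
  ["https://example.com/",            PROXIES],   // public address -> proxy list
  ["https://nxdomain.example.net/",   PROXIES],   // no DNS answer -> isInNet(null) false -> proxies
];

function runSamples() {
  return SAMPLES.map(([url, expected]) => {
    const got = route(url);
    return { url, got, ok: got === expected };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runSamples()) console.log(r.ok ? "ok  " : "FAIL", r.url, "->", r.got);
}
```

Run it with node; each line shows the decision for one sample URL. Two things it makes visible: a name that does not resolve is sent to the proxies rather than DIRECT, because isInNet(null, ...) is false, and every public name is resolved on the client before the proxy ever sees the request, which is why the lookup is done once rather than in each isInNet() call.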
Cisco L3 switch configuration (g0/0 and g0/1 are the ports facing the local proxy cluster):

track 1 ip sla 1 reachability
 delay down 30 up 30
!
ip sla 1
 icmp-echo 8.8.8.8 source-ip aaa.bbb.ccc.ddd
 frequency 60
ip sla schedule 1 life forever start-time now
!
event manager applet Link-Down
 event track 1 state down
 action 1.0 syslog msg "ISP Link is down"
 action 1.1 cli command "enable"
 action 1.2 cli command "conf t"
 action 1.3 cli command "interface g0/0"
 action 1.4 cli command "shut"
 action 1.5 cli command "interface g0/1"
 action 1.6 cli command "shut"
 action 1.7 cli command "end"
 action 1.8 syslog msg "Interfaces GigabitEthernet 0/0 and 0/1 (local proxy) shut down"
!
event manager applet Link-Up
 event track 1 state up
 action 1.0 syslog msg "ISP Link is up"
 action 1.1 cli command "enable"
 action 1.2 cli command "conf t"
 action 1.3 cli command "interface g0/0"
 action 1.4 cli command "no shut"
 action 1.5 cli command "interface g0/1"
 action 1.6 cli command "no shut"
 action 1.7 cli command "end"
 action 1.8 syslog msg "Interfaces GigabitEthernet 0/0 and 0/1 (local proxy) up"

Two details matter here: the schedule line must name the operation defined above (ip sla 1, the one track 1 watches), and both interface commands run inside a single configuration session. An "end" between the two interfaces would drop the applet back to exec mode, and the second "interface" command would then fail. The "delay down 30 up 30" on the track, together with the 60-second probe frequency, keeps a single lost echo from flapping the proxy ports.
Thus the clients dynamically switch to the alternate proxy when the primary ISP goes down, and switch back once the ports come up again.
One caveat is that sessions established during the primary ISP's downtime will persist via the alternate proxy until browsers are restarted and, if proxy caching is enabled, the cache times out.
Another is that the probe depends on a single third-party address (8.8.8.8): if that one host stops answering ICMP while the ISP is fine, the local proxy still gets shut down, so tracking more than one target is safer.