This is not, strictly speaking, a Check Point problem, but rather a solution to a client's infrastructure limitations.
The client had a single ISP with a locally hosted proxy cluster.
They also had WAN connectivity to two sites of their parent organization, each site having its own proxies.
While developing their business continuity planning, they were permitted to utilize the remote proxies for failover of their web traffic.
I've been asked to design the automation for the process.
Since dead proxy detection is already covered by the PAC file, the idea was to make the local proxy unavailable during an ISP outage.
To address that, an IP SLA probe was utilized on their L3 Cisco switch to monitor the availability of resources on the Internet and, should those become unreachable, shut down the ports that lead to the local proxy.
PAC file (slightly modified version of "Example PAC File | FindProxyForURL"):
function FindProxyForURL(url, host) {
    // Internal hostnames: send direct. Note that the "(a|b)" alternation inside
    // shExpMatch() only works in engines that translate the pattern into a regular
    // expression (Firefox); for other browsers use two separate shExpMatch() calls.
    if (dnsDomainIs(host, "intranet.domain.com") ||
        shExpMatch(host, "(*.abcdomain.com|abcdomain.com)"))
        return "DIRECT";

    // FTP, and one specific URL prefix: send direct.
    if (url.substring(0, 4) == "ftp:" ||
        shExpMatch(url, "http://abcdomain.com/folder/*"))
        return "DIRECT";

    // Plain (unqualified) names and .local names are internal: send direct.
    // These are checked before resolving so no DNS lookup is spent on them.
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local"))
        return "DIRECT";

    // Hosts that resolve into the internal ranges (RFC 1918 and loopback): send
    // direct. Resolve once; dnsResolve() is slow and returns null when resolution
    // fails, which isInNet() treats as no match.
    var ip = dnsResolve(host);
    if (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
        isInNet(ip, "172.16.0.0", "255.240.0.0") ||
        isInNet(ip, "192.168.0.0", "255.255.0.0") ||
        isInNet(ip, "127.0.0.0", "255.255.255.0"))
        return "DIRECT";

    // DEFAULT RULE: all other traffic uses the proxies below, in fail-over order
    // (local proxy first, remote parent-organization proxy second). The browser
    // moves on to the next entry when the current one cannot be reached.
    return "PROXY aaa.aaa.aaa.aaa:8080; PROXY bbb.bbb.bbb.bbb:8080";
}
Cisco L3 switch configuration:
! Probe: ping a public address once a minute from the ISP-facing address.
! A single target means an outage of 8.8.8.8 itself also triggers the failover;
! tracking several targets through a boolean track list reduces false positives.
ip sla 1
 icmp-echo 8.8.8.8 source-ip aaa.bbb.ccc.ddd
 frequency 60
! The schedule must reference the same operation number as "ip sla 1" above,
! otherwise the probe is never started and the track never changes state.
ip sla schedule 1 life forever start-time now
!
! Track object 1 follows the probe's reachability; the 30 s delay in each
! direction keeps a single lost echo from flapping the proxy ports.
track 1 ip sla 1 reachability
 delay down 30 up 30
!
! On loss of reachability, shut both proxy-facing ports so the clients' PAC
! logic fails over to the next proxy in its list. Labels are kept single-digit
! so that they sort unambiguously.
event manager applet Link-Down
 event track 1 state down
 action 1.0 syslog msg "ISP Link is down"
 action 1.1 cli command "enable"
 action 1.2 cli command "conf t"
 action 1.3 cli command "interface g0/0"
 action 1.4 cli command "shut"
 action 1.5 cli command "interface g0/1"
 action 1.6 cli command "shut"
 action 1.7 cli command "end"
 action 1.8 syslog msg "Interfaces GigabitEthernet 0/0 and 0/1 down"
!
! When reachability returns, bring the proxy-facing ports back up.
event manager applet Link-Up
 event track 1 state up
 action 1.0 syslog msg "ISP Link is up"
 action 1.1 cli command "enable"
 action 1.2 cli command "conf t"
 action 1.3 cli command "interface g0/0"
 action 1.4 cli command "no shut"
 action 1.5 cli command "interface g0/1"
 action 1.6 cli command "no shut"
 action 1.7 cli command "end"
 action 1.8 syslog msg "Interfaces GigabitEthernet 0/0 and 0/1 up"
Thus, the clients will be able to dynamically switch to the alternate proxy when the primary ISP goes down.
One caveat is that sessions established during the primary ISP's downtime will persist via the alternate proxy until browsers are restarted and, if proxy caching is enabled, the cache times out.
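To show the failover the post relies on, here is an added example (not code from the original post): the PAC helper functions a browser normally provides are reimplemented so the post's FindProxyForURL logic can be run offline, followed by a small model of how a browser walks the returned proxy list. The DNS records, the proxy addresses standing in for aaa.aaa.aaa.aaa and bbb.bbb.bbb.bbb, and the Firefox-style shExpMatch behaviour are assumptions of this example.

```javascript
// Added example (not the original post's code): the PAC helper functions a browser
// provides, reimplemented so the post's FindProxyForURL logic runs offline. DNS
// records and proxy addresses below are constructed samples.
const DNS = { "intranet.domain.com": "10.1.2.3", "www.abcdomain.com": "203.0.113.10",
              "fileserver": "192.168.5.9", "printer.local": "172.20.0.7",
              "example.org": "198.51.100.25" };
const LOCAL_PROXY = "10.0.0.80:8080";   // stands in for aaa.aaa.aaa.aaa:8080
const REMOTE_PROXY = "10.9.0.80:8080";  // stands in for bbb.bbb.bbb.bbb:8080

function dnsResolve(host) { return DNS[host] || null; }   // null: resolution failed
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function ip2long(ip) { return ip.split(".").reduce((a, o) => ((a << 8) | Number(o)) >>> 0, 0); }
function isInNet(ip, net, mask) {
  if (!ip) return false;                                  // unresolved host never matches
  const m = ip2long(mask);
  return ((ip2long(ip) & m) >>> 0) === ((ip2long(net) & m) >>> 0);
}
// shExpMatch as Firefox implements it (shell pattern translated to a regexp). That is
// why the "(a|b)" alternation in the post works there; glob-only engines such as
// Chrome's do not treat "(" and "|" specially, so portable PAC files avoid it.
function shExpMatch(str, pattern) {
  const re = "^" + pattern.replace(/\./g, "\\.").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, "intranet.domain.com") ||
      shExpMatch(host, "(*.abcdomain.com|abcdomain.com)")) return "DIRECT";
  if (url.substring(0, 4) === "ftp:" ||
      shExpMatch(url, "http://abcdomain.com/folder/*")) return "DIRECT";
  if (isPlainHostName(host) || shExpMatch(host, "*.local")) return "DIRECT";
  const ip = dnsResolve(host);
  if (isInNet(ip, "10.0.0.0", "255.0.0.0") || isInNet(ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(ip, "192.168.0.0", "255.255.0.0") || isInNet(ip, "127.0.0.0", "255.255.255.0"))
    return "DIRECT";
  return "PROXY " + LOCAL_PROXY + "; PROXY " + REMOTE_PROXY;   // fail-over order
}

// Browser-side failover model: entries are tried in order and unreachable proxies are
// skipped. Passing reachable[LOCAL_PROXY] = false models the switch shutting its ports.
function chooseProxy(pacResult, reachable) {
  for (const entry of pacResult.split(";")) {
    const e = entry.trim();
    if (e === "DIRECT" || reachable[e.split(" ")[1]]) return e;
  }
  return null;                                              // nothing usable: request fails
}
```

Calling chooseProxy with the local proxy marked unreachable returns the remote entry, which is the state the clients end up in after the switch shuts its ports.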