VSX cluster and two ISP providers
I’m in doubt about applying VSX cluster and Virtual Systems (VSs) in case of internet access over two ISP providers. I have two internet links from two different ISP providers and two Public DMZs subnets from every provider. The picture below shows connections between equipment and two providers.
I have a plan to replace two firewalls (FW01 and FW02) with two Check Point 5600 appliances configured as a Load Sharing (VSLS) VSX cluster. On the cluster two VSs will be configured, one VS for every ISP provider. On each VS the OSPF routing protocol will be used for routing to the inside network, and a default route on each VS for routing to the internet. Also, on each VS the following blades will be enabled: Firewall, Identity Awareness, Mobile Access, IPS, Application Control, URL Filtering, Anti-Virus, Anti-Bot, Anti-Spam, and Content Awareness. Does anyone have experience with applying CP in this configuration? Any suggestions are welcome.
Regards,
I presume that your ISPs have given you address space smaller than a /24.
In which case I would suggest looking into ISP Redundancy:
as a possible solution and sandwich another layer 2 switch (or VLANs) between ISPs and the external interfaces of your VSX'.
Running just two VSX units in VSLS is a questionable proposition (in my personal opinion).
Using your design will complicate things for remote clients, as it will require MEP and you will rely on external probing to route inbound traffic to DMZs.
How many other VS' are you expecting to run on this cluster?
Hi Vladimir,
Yes, you're right, the address spaces from the ISPs are smaller than a /24.
I would like to have HA with two CP5600 appliances and route each public DMZ subnet through the corresponding provider's link. In the case of a ClusterXL HA configuration, I have to choose one provider's link as the default gateway, and will have a problem with routing the second public DMZ subnet over the second provider's link. One solution for this configuration could be to use Policy-Based Routing for the second DMZ subnet, but this solution has limitations regarding support for some features and blades, and I would not use it. So two VSs will be quite enough in this case, in my opinion.
Also, you wrote that "you will rely on external probing to route inbound traffic to DMZs". Can you give me more explanation about that?
Regards,
Vedran
Sure.
Since in your diagram you are making distinctions between Public DMZs, these will not, by themselves, be redundant.
I.e., if one of the providers goes down, external hosts will not be able to reach resources located in its corresponding Public DMZ Provider # subnet.
To attain redundancy for public services in less than a /24, you are looking at dynamically changing their DNS records.
This is typically done by your public DNS provider's service probing, something like periodic queries to designated targets on designated ports.
When the query fails, the records change to point to alternate IPs.
If you are using multiple ISPs in the fashion you are describing and are supporting P2P VPNs, you'll have to set up multiple tunnels with your peers and convince them to have their applications rely on host names instead of hard-coded IPs.
If your P2P VPN domain contains private networks, you will also be looking for additional NAT magic and DNS trickery.
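The probe-and-repoint mechanism described in this reply, as an added example that is not part of the thread and not a Check Point or DNS-provider product: each public service has one address in each ISP's DMZ, a TCP probe plays the role of the "periodic query to a designated target on a designated port", and a pure decision step picks which address the record should publish. The host names, addresses and the fallback rule (publish all addresses when no probe succeeds) are constructed assumptions.

```python
"""DNS failover by external probing, as described in the thread.
Added example; names and addresses are constructed placeholders
from documentation ranges, not real infrastructure."""
import socket
from typing import Dict, List, Tuple

# Constructed sample: each public name has one address per ISP DMZ.
SERVICES: Dict[str, Dict[str, Tuple[str, int]]] = {
    "www.example.test": {"isp1": ("192.0.2.10", 443), "isp2": ("198.51.100.10", 443)},
    "mail.example.test": {"isp1": ("192.0.2.25", 25), "isp2": ("198.51.100.25", 25)},
}
PREFERRED = ["isp1", "isp2"]  # failover order when both ISPs are healthy


def tcp_probe(addr: str, port: int, timeout: float = 2.0) -> bool:
    """One periodic query: can a TCP handshake to the designated target complete?"""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out (socket.timeout is an OSError)
        return False


def decide_records(services, probe_results: Dict[Tuple[str, int], bool],
                   preferred=PREFERRED) -> Dict[str, List[str]]:
    """Pure decision step: publish the first healthy ISP address in preference
    order. Assumed fallback: if no probe succeeded (or none was run), keep all
    addresses published rather than answering with nothing."""
    records: Dict[str, List[str]] = {}
    for name, per_isp in services.items():
        healthy = [per_isp[isp][0] for isp in preferred
                   if probe_results.get(per_isp[isp], False)]
        records[name] = healthy[:1] if healthy else [per_isp[isp][0] for isp in preferred]
    return records


def run_cycle(services=SERVICES) -> Dict[str, List[str]]:
    """One probing cycle: probe every target, then compute the record set."""
    results = {target: tcp_probe(*target)
               for per_isp in services.values() for target in per_isp.values()}
    return decide_records(services, results)


if __name__ == "__main__":
    print(run_cycle())
```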
Thank you Vladimir. Your explanations were helpful to me.
Dear Vladimir,
ISP Redundancy is not a possibility for this configuration; it's not supported on VSX.
You can't probe the two ISP routes, because you can't configure this.
Wolfgang
You are correct: VSX supported features on R75.40VS and above
But I was under the impression that the choice to use VSX vs normal cluster was yours specifically because of what you were trying to accomplish.
And you may find this useful, if you are going to host servers with ISP redundancy in load sharing mode:
Static NAT fails for outgoing connections through gateway with ISP Redundancy in Load Sharing mode
