I’m in doubt about applying VSX cluster and Virtual Systems (VSs) in case of internet access over two ISP providers. I have two internet links from two different ISP providers and two Public DMZs subnets from every provider. The picture below shows connections between equipment and two providers.
I have a plan to change two firewalls (FW01 and FW02) with two Check Point 5600 appliances configured in Load Sharing (VSLS) VSX cluster. On the cluster two VSs will be configured, one VS for every ISP provider. On each VS OSPF routing protocol will be used for routing to the inside network, and default route on each VS for routing to the internet. Also, on each VS the following blades will be enabled: Firewall, Identity Awareness, Mobile Access, IPS, Application Control, URL Filtering, Anti-Virus, Anti-Bot, Anti-Spam, and Content Awareness. Does anyone has an experience with applying CP in this configuration. Any suggestions are welcome.
Regards,#
I presume that your ISPs given you address space smaller than the /24.
In which case I would suggest looking into ISP Redundancy:
as a possible solution and sandwich another layer 2 switch (or VLANs) between ISPs and the external interfaces of your VSX'.
Running just two VSX units in VSLS is a questionable proposition (in my personal opinion).
Using your design will complicate things for remote clients, as it will require MEP and you will rely on external probing to route inbound traffic to DMZs.
How many other VS' are you expecting to run on this cluster?
Sure.
Since in your diagram you are making distinctions between Public DMZs, these will not, by themselves be redundant.
I.e. If one of the providers will go down, external hosts will not be able to reach resources located in its corresponding Public DMZ Provider # subnet.
To attain redundancy in less than /24 public services you are looking at dynamically changing their DNS records.
This typically done by your public DNS provider service probing , something like periodic queries to designated targets on designated ports.
When the query fails, the records change to point to alternate IPs.
If you are using multiple ISPs in the fashion you are describing and are supporting P2P VPNs, you'll have to setup multiple tunnels with your peers and convince them to have their applications rely on host names, instead of hard coded IPs.
If your P2P VPN domain contains private networks, you are also will be looking for additional NAT magic and DNS trickery.
You are correct: VSX supported features on R75.40VS and above
But I was under the impression that the choice to use VSX vs normal cluster was yours specifically because of what you were trying to accomplish.
| User | Count |
|---|---|
| 27 | |
| 18 | |
| 11 | |
| 9 | |
| 5 | |
| 5 | |
| 5 | |
| 4 | |
| 4 | |
| 3 |
Tue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topThu 07 Nov 2024 @ 05:00 PM (CET)
What's New in CloudGuard - Priorities, Trends and Roadmap InnovationsTue 05 Nov 2024 @ 10:00 AM (CET)
EMEA CM LIVE: 30 Years for the CISSP certification - why it is still on topTue 05 Nov 2024 @ 05:00 PM (CET)
Americas CM LIVE: - 30 Years for the CISSP certification - why it is still on topTue 12 Nov 2024 @ 03:00 PM (AEDT)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (APAC)Tue 12 Nov 2024 @ 10:00 AM (CET)
No Suits, No Ties: From Calm to Chaos: the sudden impact of ransomware and its effects (EMEA)Tue 19 Nov 2024 @ 12:00 PM (MST)
Salt Lake City: Infinity External Risk Management and Harmony SaaSWed 20 Nov 2024 @ 02:00 PM (MST)
Denver South: Infinity External Risk Management and Harmony SaaS
.png "Wolfgang"){kind=avatar}
