This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wing_Chow
Participant
‎2019-09-26 11:16 PM

Check Point BGP ecmp load balancing with NAT Zone policy in R80.40??

Hi All, 

I'd like to know if this features will be available in R80.40, because i have been tested my needs in my infrastructure and i cannot work with this.

Please helps for customers, because like Palo Alto Networks working very well.

I always prefer Check Point and i am very disappointment that Check Point do not have this features.

Any information, please let me know if in R80.40 will include that. And also if Check Point will add a load balancer add-on in Software Blades will be the greatest ever NGFW.

Regards,

0 Kudos
5 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2019-09-27 03:45 AM

Hi
Can you please describe the use case scenario further?

Check Point already supports:
- NAT*
- Zone based policy (sk128572)
- BGP ECMP (sk100504)

 

Whilst "zone" objects can't currently be used in the NAT policy there are alternatives that may apply.

CCSM R77/R80/ELITE
0 Kudos
Wing_Chow
Participant
‎2019-09-27 10:01 AM
In response to Chris_Atkinson

Hi ,

This is my scenario:

Topology of BGP Check Point.png

I have been configuring the best way to BGP ECMP Load Balancing (It is working at least with the same Weight of Route) but in my case the NAT for both 186.100.120.33 and 165.100.120.33 that i was published in the AS 30 and AS 20, i need to Load Balance the Manual NAT configured for those App Server.

I've tried the script for outbound NAT in ISP Load Sharing with Dynamic Objects (SK). (This is not my scenario because i am not using ISP Interfaces Load Balancing, in my case the Load Balancing is for BGP with ECMP and i need a NAT Zone for Load Balancing changing Dynamic source for Outbound Traffic).

# Verify which link is up with this command: tail -f /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo `/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss` >> /tmp/cpisp_state
echo "RESTARTING SCRIPT" >> /tmp/cpisp_state
echo "LINK1" >> /tmp/cpisp_state
echo $LINK1_STATE >> /tmp/cpisp_state
echo "LINK2" >> /tmp/cpisp_state
echo $LINK2_STATE >> /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo " " >> /tmp/cpisp_state
# Check if the Link is up or down
if ($LINK2_STATE == "down") then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -d
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 0.0.0.0 -a
endif
if ($LINK1_STATE == "down") then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -d
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 0.0.0.0 -a
endif
# if both Links are up, return to Load Sharing
if (($LINK1_STATE == "up") && ($LINK2_STATE == "up")) then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -a
endif

The questions is what can i do to have the same of similar performance as Palo Alto Networks:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK

Any information for this feature or similar performance please let me know.

Regards,

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-27 08:27 AM

The features planned for R80.40 are listed in the EA announcement: https://community.checkpoint.com/t5/General-Topics/R80-40-Early-Availability-Program-Check-Point-Upd...
As far as I know, NAT using Zones is not planned for R80.40.
Understanding your exact use case would be helpful.
0 Kudos
Wing_Chow
Participant
‎2019-09-27 10:03 AM
In response to PhoneBoy

Hi  

Topology of BGP Check Point.png

I have been configuring the best way to BGP ECMP Load Balancing (It is working at least with the same Weight of Route) but in my case the NAT for both 186.100.120.33 and 165.100.120.33 that i was published in the AS 30 and AS 20, i need to Load Balance the Manual NAT configured for those App Server.

I've tried the script for outbound NAT in ISP Load Sharing with Dynamic Objects (SK). (This is not my scenario because i am not using ISP Interfaces Load Balancing, in my case the Load Balancing is for BGP with ECMP and i need a NAT Zone for Load Balancing changing Dynamic source for Outbound Traffic).

# Verify which link is up with this command: tail -f /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo `/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss` >> /tmp/cpisp_state
echo "RESTARTING SCRIPT" >> /tmp/cpisp_state
echo "LINK1" >> /tmp/cpisp_state
echo $LINK1_STATE >> /tmp/cpisp_state
echo "LINK2" >> /tmp/cpisp_state
echo $LINK2_STATE >> /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo " " >> /tmp/cpisp_state
# Check if the Link is up or down
if ($LINK2_STATE == "down") then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -d
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 0.0.0.0 -a
endif
if ($LINK1_STATE == "down") then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -d
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 0.0.0.0 -a
endif
# if both Links are up, return to Load Sharing
if (($LINK1_STATE == "up") && ($LINK2_STATE == "up")) then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -a
endif

The questions is what can i do to have the same of similar performance as Palo Alto Networks:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK

Any information for this feature or similar performance please let me know.

Regards,

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2019-09-28 01:22 AM
In response to Wing_Chow

Thanks I understand why without additional routers or ISP independent address space to improve the design that this is a challenge for you.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events