This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jerlin
Explorer
‎2020-05-14 10:16 PM
Jump to solution

Configure two public IP with ClusterXL

We are running GAIA 77.30 with two FW's which is configured in cluster and act as a active - standby mode. We are having two ISPs connected with firewall through our internet routers which is managed by us. Both ISP's provided public /30 subnet which is used to connect ISP's to our routers. Also they provided public /29 subnet for our internal use. Firewall connections described below

  • Eth1 on both FW connected to ISP1 with cluster IP say AA.AA.AA.01/29 (Public IP)
  • Eth2 on both FW connected to ISP2 with cluster IP say BB.BB.BB.01/29 (Public IP)
  • Eth3 on both FW connected to DMZ with cluster IP 17.16.10.1/24
  • Eth2 on both FW connected to LAN segment with cluster IP 17.16.11.1/24
  • Eth4 on both FW connected between firewall's for SYNC.

ISP1's LAN public IP is almost used and they have provided new different public IP subnet (say dd.dd.dd.0/29) to use further. Please guide me how to configure the same. Network diagram is given below.

FW.jpg

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-05-16 03:26 PM
In response to Jerlin
Jump to solution

If you're going to use this new subnet for NAT purposes only, no specific routes are required on the gateway.
This assumes the upstream router is configured to send that subnet to your gateways.

View solution in original post

0 Kudos
4 Replies
_Val_
Admin
Admin
‎2020-05-15 03:30 AM
Jump to solution

What you are looking for is called "ISP redundancy".

 

Start here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut..., there are further references in the SK 

0 Kudos
Jerlin
Explorer
‎2020-05-15 09:12 AM
In response to _Val_
Jump to solution

No, I'm not talking about ISP redundancy. We have already configured it and its working fine. 

As we are using two ISP's, ISP1's LAN public ip pool is exhausted. So they provided new set of public ip pool (Example dd.dd.dd.0/29). I have a doubt about how to add the new IP pool to our existing network and make use of NATing for internal servers.

 I have configured new public IP pool like below.

  • In firewall added static route for new public lan pool pointing towards router interface IP like below.

              "set static-route dd.dd.dd.0/29 nexthop gateway address AA.AA.AA.02 priority 1 on"

  • Added reverse route in ISP1's router for dd.dd.dd.0/29 pointing towards firewalls cluster IP AA.AA.AA.01.

This configuration working fine and NATing also working fine. I have a doubt whether this configuration is enough or any other better option. Please suggest.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-05-16 03:26 PM
In response to Jerlin
Jump to solution

If you're going to use this new subnet for NAT purposes only, no specific routes are required on the gateway.
This assumes the upstream router is configured to send that subnet to your gateways.
0 Kudos
Jerlin
Explorer
‎2020-05-16 08:32 PM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

Thanks for answering my query. So my configuration is correct and I'm continuing the same configuration.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    CheckMates Events