Heather_Lewis
Participant

Dynamic objects in ISP Redundancy R80.30

How stable are dynamic objects in R80.30? We need to do ISP redundancy and, while we could use automatic hide NAT, we would need a separate hide NAT for the internal and guest segments, so we can't use the "hide behind gateway" option. We opened a TAC case in March and were told that dynamic objects were the only way to achieve this. sk25152 was provided, which we've used in previous versions with less than reliable results.
PhoneBoy
Admin

Dynamic Objects in general should be much more stable in R80.x.
Can you describe some of the issues you've had in the past?
Heather_Lewis
Participant

The problem that we've experienced at times is that $FWDIR/bin/cpisp_update sets both ISPs' dynamic objects to 0.0.0.0 0.0.0.0, making none of the dynamic objects active in NAT rules. This happened multiple times, to the extent that we had to provide the client with instructions on how to re-run the script. Since then we only use the "hide behind the gateway" option to avoid using explicit dynamic objects. Now that we need to use different PAT addresses for guest, we opened a case for updates, but we were told the ISP redundancy hasn't changed much. TAC recommended the 'hide behind the gateway' option, which can't be used in this case. Also, the Check Point ISP redundancy manual doesn't mention dynamic objects, so we were wondering whether dynamic objects are not recommended. We asked TAC at the time whether there was any plan to implement NAT bound to the interface instead of globally, but were told that there was no such plan.
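A small health check for the symptom described in the post above (an ISP dynamic object left at 0.0.0.0 0.0.0.0 after cpisp_update runs). This is an added example, not code from the thread or from Check Point; the listing layout it parses ("object name : ..." followed by "range N : start end" lines) is an assumed rendering of `dynamic_objects -l` output and the sample data is constructed, so adapt the parser to what your gateway actually prints.

```shell
#!/bin/sh
# Added example (not from the thread or Check Point). Flags dynamic objects
# whose ranges have collapsed to 0.0.0.0 0.0.0.0, the state described above.
# ASSUMPTION: "dynamic_objects -l" prints "object name : NAME" lines followed
# by "range N : START END" lines. Constructed sample listing below.

SAMPLE_LISTING='object name : ISP1_hide
range 0 : 203.0.113.10 203.0.113.10
object name : ISP2_hide
range 0 : 0.0.0.0 0.0.0.0
object name : guest_hide
range 0 : 198.51.100.5 198.51.100.5'

# find_collapsed_objects: read a listing on stdin, print the name of every
# object whose ranges are all 0.0.0.0 0.0.0.0. Exit 0 if none, 1 otherwise.
find_collapsed_objects() {
    awk '
        function emit() { if (seen && bad) { print name; found = 1 } }
        /^object name/ { if (name != "") emit(); name = $NF; bad = 1; seen = 0; next }
        /^range/       { seen = 1; if ($(NF-1) != "0.0.0.0" || $NF != "0.0.0.0") bad = 0 }
        END            { if (name != "") emit(); exit (found ? 1 : 0) }
    '
}

# check_dynamic_objects: wrapper suitable for cron or a post-failover hook.
# On a gateway: dynamic_objects -l | check_dynamic_objects
check_dynamic_objects() {
    if collapsed=$(find_collapsed_objects); then
        echo "OK: all dynamic objects carry real addresses"
        return 0
    fi
    echo "ALERT: dynamic object(s) collapsed to 0.0.0.0: $collapsed" >&2
    return 1
}

# Stand-alone run against the constructed sample (expected: ALERT on ISP2_hide).
printf '%s\n' "$SAMPLE_LISTING" | check_dynamic_objects
```

A non-zero exit from the wrapper is the signal to re-run the update script or page an operator before the NAT rules silently stop matching.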
PhoneBoy
Admin

Some use cases of ISP Redundancy require the use of Dynamic Objects.
Sounds like an issue with the script that updates them, but most likely that'd require some troubleshooting to confirm.
FedericoMeiners
Advisor

Heather

In R80.30 you can set up Multi Hop PBRs, which is another way to perform ISP Redundancy. I have tested it in my lab and it worked fine.

If I remember correctly, Automatic NAT should be set up as "Hide behind this gateway".

You can find instructions in the Advanced Routing guide for R80.30:

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Gaia_Advanced_Routing_AdminG...

[Attached screenshot: multi hop.png]

Hope it helps,

____________
https://www.linkedin.com/in/federicomeiners/
Heather_Lewis
Participant

If 'hide behind the gateway' is a requirement, it wouldn't help much. Unfortunately we need to use a different hide NAT for guest.