This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hiep_Bui
Participant
‎2018-05-23 07:01 PM
Jump to solution

Redundant ISP on same external interface

Hello,

We have 1 cluster of 2 firewalls. Each has 4 ethernet interfaces which are configured as below:

- Eth1 - Internal (trusted)

- Eth2 - Internet (untrusted)

- Eth3 - Sync (cross connect 2 FW)

- Eth4 - Mgmt

Now we want to add 1 more internet link for redundancy. I'm not sure if we need additional Ethernet port to connect to the 2nd internet link; or can we configure 2nd address on the existing Internet interface (Eth2). I made some searches and found some Checkpoint documents but steps listed there seem to be for 2 different interfaces; 1 interface is also mentioned but I'm not sure if it works in HA setup (2 firewall cluster)

Thanks,

Hiep.

1 Solution

Accepted Solutions
Charris_Lappas
Collaborator
‎2018-05-27 10:13 PM
Jump to solution

You may configure your external interface with VLANs the same behaviour as with any other Interface. Additionally you need to setup in front a VLAN capable switch where both ISP links will be terminated. You need to setup this switch with two VLANs (same IDs as you configured the FW) and assign two tagged ports for each FW and one port for each VLAN for each ISP.  Once you have them configured you need to choose the way of redundancy for your Internet, load balancing or failover.

For higher availability on the switch level you can use two switches where each ISP will terminate to each switch and each FW to  the different switches.

View solution in original post

3 Replies
ED
Advisor
‎2018-05-24 12:32 AM
Jump to solution

Hi,

The simplest solution is with two external interfaces defined, one for each ISP. Since you have a clustered environement, each gateway in the cluster requires a corresponding external link for each ISP as you have today. Your question was to use the same external link for two ISP. In that case you have to have different subnets configured for each ISP on that interface in Gaia . Remove IP-address from eth2 and add two VLANs instead. Will have to have someone to confirm this. 

You probably want to use this redundancy mode:

Primary/Backup: New connections use the primary link as its ISP. In the event of primary link failure, connections switch to the backup link, and any new connections use the backup link as well. Upon recovery of the primary link, any new outgoing connections begin to use it again while the existing connections on the backup link continue to use it until completion.

There are other things to consider when setting up redundant ISP. Follow this link How to configure ISP redundancy

Charris_Lappas
Collaborator
‎2018-05-27 10:13 PM
Jump to solution

You may configure your external interface with VLANs the same behaviour as with any other Interface. Additionally you need to setup in front a VLAN capable switch where both ISP links will be terminated. You need to setup this switch with two VLANs (same IDs as you configured the FW) and assign two tagged ports for each FW and one port for each VLAN for each ISP.  Once you have them configured you need to choose the way of redundancy for your Internet, load balancing or failover.

For higher availability on the switch level you can use two switches where each ISP will terminate to each switch and each FW to  the different switches.

Thomas_Eichelbu
Advisor
Advisor
‎2020-09-15 07:25 AM
In response to Charris_Lappas
Jump to solution

Hello, 

yes i just had the case ...
ISP1 on ETH1 as untagged VLAN , ip directly configured on the physical interface.
ISP2 on ETH1 as tagged VLAN, ip configured on eth1.35 ...

ISP redundancy was NOT working, only the ISP2 on eth1.35 was shown as up ...

then we changed ISP1 to VLAN 10, tagged on eth1.10 

this worked instantly!

so this is "one" of the limitations when untagged and tagged VLAN´s are configured on the same physical inteface!

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events