Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Wing_Chow
Participant

Check Point BGP ecmp load balancing with NAT Zone policy in R80.40??

Hi All, 

I'd like to know if this features will be available in R80.40, because i have been tested my needs in my infrastructure and i cannot work with this.

Please helps for customers, because like Palo Alto Networks working very well.

I always prefer Check Point and i am very disappointment that Check Point do not have this features.

Any information, please let me know if in R80.40 will include that. And also if Check Point will add a load balancer add-on in Software Blades will be the greatest ever NGFW.

Regards,

0 Kudos
5 Replies
Chris_Atkinson
Employee Employee
Employee

Hi
Can you please describe the use case scenario further?

Check Point already supports:
- NAT*
- Zone based policy (sk128572)
- BGP ECMP (sk100504)

 

Whilst "zone" objects can't currently be used in the NAT policy there are alternatives that may apply.

CCSM R77/R80/ELITE
0 Kudos
Wing_Chow
Participant

Hi ,

This is my scenario:

Topology of BGP Check Point.png

I have been configuring the best way to BGP ECMP Load Balancing (It is working at least with the same Weight of Route) but in my case the NAT for both 186.100.120.33 and 165.100.120.33 that i was published in the AS 30 and AS 20, i need to Load Balance the Manual NAT configured for those App Server.

I've tried the script for outbound NAT in ISP Load Sharing with Dynamic Objects (SK). (This is not my scenario because i am not using ISP Interfaces Load Balancing, in my case the Load Balancing is for BGP with ECMP and i need a NAT Zone for Load Balancing changing Dynamic source for Outbound Traffic).

# Verify which link is up with this command: tail -f /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo `/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss` >> /tmp/cpisp_state
echo "RESTARTING SCRIPT" >> /tmp/cpisp_state
echo "LINK1" >> /tmp/cpisp_state
echo $LINK1_STATE >> /tmp/cpisp_state
echo "LINK2" >> /tmp/cpisp_state
echo $LINK2_STATE >> /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo " " >> /tmp/cpisp_state
# Check if the Link is up or down
if ($LINK2_STATE == "down") then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -d
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 0.0.0.0 -a
endif
if ($LINK1_STATE == "down") then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -d
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 0.0.0.0 -a
endif
# if both Links are up, return to Load Sharing
if (($LINK1_STATE == "up") && ($LINK2_STATE == "up")) then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -a
endif

The questions is what can i do to have the same of similar performance as Palo Alto Networks:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK

Any information for this feature or similar performance please let me know.

Regards,

0 Kudos
PhoneBoy
Admin
Admin

The features planned for R80.40 are listed in the EA announcement: https://community.checkpoint.com/t5/General-Topics/R80-40-Early-Availability-Program-Check-Point-Upd...
As far as I know, NAT using Zones is not planned for R80.40.
Understanding your exact use case would be helpful.
0 Kudos
Wing_Chow
Participant

Hi  

Topology of BGP Check Point.png

I have been configuring the best way to BGP ECMP Load Balancing (It is working at least with the same Weight of Route) but in my case the NAT for both 186.100.120.33 and 165.100.120.33 that i was published in the AS 30 and AS 20, i need to Load Balance the Manual NAT configured for those App Server.

I've tried the script for outbound NAT in ISP Load Sharing with Dynamic Objects (SK). (This is not my scenario because i am not using ISP Interfaces Load Balancing, in my case the Load Balancing is for BGP with ECMP and i need a NAT Zone for Load Balancing changing Dynamic source for Outbound Traffic).

# Verify which link is up with this command: tail -f /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo `/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss` >> /tmp/cpisp_state
echo "RESTARTING SCRIPT" >> /tmp/cpisp_state
echo "LINK1" >> /tmp/cpisp_state
echo $LINK1_STATE >> /tmp/cpisp_state
echo "LINK2" >> /tmp/cpisp_state
echo $LINK2_STATE >> /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo " " >> /tmp/cpisp_state
# Check if the Link is up or down
if ($LINK2_STATE == "down") then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -d
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 0.0.0.0 -a
endif
if ($LINK1_STATE == "down") then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -d
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 0.0.0.0 -a
endif
# if both Links are up, return to Load Sharing
if (($LINK1_STATE == "up") && ($LINK2_STATE == "up")) then
fw tab -t dynobj_cache -x -y
dynamic_objects -o DYN_ISP1 -r 0.0.0.0 255.255.255.255 -a
dynamic_objects -o DYN_ISP2 -r 0.0.0.0 255.255.255.255 -a
endif

The questions is what can i do to have the same of similar performance as Palo Alto Networks:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF8CAK

Any information for this feature or similar performance please let me know.

Regards,

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Thanks I understand why without additional routers or ISP independent address space to improve the design that this is a challenge for you.

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events