This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
michaelyang123
Participant
‎2025-03-05 01:38 AM

About ISP Redundancy monitor

Hello Expert,

 

When I tested ISP Redundancy, I found that it is not compatible with PBR.

Here is structure.

1.PNG


So I changed to use two next hops on the static route, and use priority to divide the primary and the secondary.

2.PNG

I found out that the only way to checkpoint to make sure the route works is to make sure the next hop is viable.

For example, if I turn off Gi0/0 on S3 it switches to the second line for service, but if I turn off Gi0/1 on S3 the checkpoint continues to the first line without switching.

Is there a way to configure the first line to ping the IP of the external network? (transparent monitor)
For example, ping 8.8.8.8 through 30.30.30.30 to make sure that this line can reach the external network.


Thanks

1.PNG
Preview file
35 KB
0 Kudos
8 Replies
_Val_
Admin
Admin
‎2025-03-05 03:51 AM

Before anything else, can you please state the appliance model and SW version in use?

0 Kudos
_Val_
Admin
Admin
‎2025-03-05 04:00 AM

According to sk167135, PBR is not supported with ISP redundancy.

0 Kudos
michaelyang123
Participant
‎2025-03-05 04:08 AM
In response to _Val_

Hi @_Val_ ,

Thanks for your reply.

I know PBR is not supported with ISP redundancy.

So I changed to use two next hops on the static route, and use priority to divide the primary and the secondary.

Is there a way to configure the first line to ping the IP of the external network? (like transparent monitor)
For example, ping 8.8.8.8 through 30.30.30.30 to make sure that this line can reach the external network.

---

All my device models are VE.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2025-03-05 07:34 AM
In response to michaelyang123

I believe this will do what you're after: https://support.checkpoint.com/results/sk/sk102848 

0 Kudos
michaelyang123
Participant
‎2025-03-05 07:58 AM
In response to PhoneBoy

Hi @PhoneBoy ,

I didn't use ISP redundancy because it's not compatible with PBR.

---

According to my setup

I thought the setup was to ping 8.8.8.8 via this path (30.30.30.30), but it turns out it is just the device that has to ping 8.8.8.8, regardless of the path!

3.PNG

0 Kudos
PhoneBoy
Admin
Admin
‎2025-03-06 04:12 PM
In response to michaelyang123

This may be a limitation, I would check with TAC.

0 Kudos
DeltaUnit
Explorer
‎2025-03-10 06:17 PM

you only need one default route - the ISP redundancy configuration is done using the smart console - Gateways and servers - open the gateway object - others tab - ISP redundancy. https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityGateway_Guide/Conten...

0 Kudos
michaelyang123
Participant
‎2025-03-10 07:28 PM
In response to DeltaUnit

Hi @DeltaUnit ,

 

Thanks for your reply.

Since I'm going to use PBR, I won't consider using "ISP redundancy" function because it's not compatible.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    Top