This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Soroosh
Explorer
a month ago

SMB Gateway with a WAN Connection but 2 Default Gateways

Hi mates,

I recently had a case with one WAN connection and one IP address, but two default gateways for HA on a 1535 gateway.
I need to configure the gateway so that, if the primary default gateway fails, it automatically sends traffic to the secondary default gateway. This will ensure redundancy for the internet connection.

My problem is that I don't know how to do it.
First, it is not possible to define two default gateways for a WAN connection.
2. It is not possible to prevent the gateway from creating the default gateway automatically, even with the "Route traffic through this connection by default" option disabled under ISP redundancy in the advanced tab of the internet connection settings.
3. It seems that I have to create two default routes, but, as I described in the last point, I cannot create the primary default route because the gateway created it automatically, and it is not editable. Also, the secondary route that I created stays inactive.
4. According to this scenario, connection monitoring should be deactivated (apparently) and monitoring should be set on the route. However, this is also not possible for the automatically created default route, and the secondary default route that I created returned an error: "Could not set static route: The next-hop IP address of the monitored route must be on the local LAN subnet." For monitoring VPN or GRE tunnels, select them in the virtual tunnel's hop field." It doesn't matter if I set the IP address of the standard gateway of the ISP or any other IP address, such as a Google DNS IP address.

What could be the solution in this case?

Thanks in Advance
Regards
Soroosh

Preview file
17 KB
Preview file
22 KB
Preview file
22 KB
Preview file
29 KB
0 Kudos
6 Replies
Chris_Atkinson
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
a month ago

Could you please share the firmware version/build used and perhaps a diagram including the relevant IP addresses / netmask details?

CCSM R77/R80/ELITE
0 Kudos
Soroosh
Explorer
4 weeks ago
In response to Chris_Atkinson

Firmware vewrsion is RR81.10.17_996004721
I have attached the diagram. I'm not sure if I am allowed to expose the IP addresses, so I have replaced the first three octets with x, and yes, it is /24. 🙂

Preview file
23 KB
0 Kudos
PhoneBoy
Admin
Admin
a month ago

You can't monitor an external IP, only an IP on the same subnet as the WAN.
That usually means the WAN's default route.

Soroosh
Explorer
4 weeks ago
In response to PhoneBoy

The problem is that it doesn't accept the IP address of the default gateway either. It shows the same error. Also, I cannot modify/delete/deactivate the automatically created default route.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
4 weeks ago

I would agree with what Phoneboy had said, but, if you want to be sure, you can double check with TAC.

Andy

Best,
Andy
Soroosh
Explorer
a week ago
In response to the_rock

TAC Answer:
1. System-Defined Routes Are Not Editable
"You cannot edit, delete, enable, and disable routes created by the operating system for directly attached networks or by dynamic routing protocols."

https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Centrally_Managed/EN/Content/Topics/Co...

2. Default Route Failover Is Tied to Interface Status
If the WAN interface goes down, the default route becomes inactive, and traffic is routed according to other active routes.
The system does not support two default gateways for a single WAN interface.

3. ISP Redundancy Feature
Designed for multiple WAN interfaces (e.g., WAN1, WAN2), not for two gateways on one interface.
"Route traffic through this connection by default" only applies to the selected WAN interface.

4. Static Route Monitoring Limitations
Monitored static routes require the next-hop to be on a local subnet.
You cannot use an external IP as the next-hop for route monitoring.

5. Cluster/HA Solutions
True HA with automatic failover between gateways is supported via cluster configuration (ClusterXL or Quantum Spark cluster), but this requires two appliances and typically two WAN interfaces.
 
Please check admin guide to configure High Availability:
https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Conf...

ISP Redundancy:
https://sc1.checkpoint.com/documents/SMB_R81.10.X/AdminGuides_Locally_Managed/EN/Content/Topics/Conf... ​​​​​​​

So, I had to set 2 IPs on the WAN Port, and sat the Primary DG for one and the secondary for another.
with this method I could find a solution for this case. And it seems it works.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events