Hi, Everyone
I would like to share the solution to the issue which I faced regarding SMB 1590 appliances with 4G as a redundant interface.
The issue is:
"If you have a 4G redundant interface and a Site-to-Site VPN tunnel configured, then in case of failover to the 4G interface and fail-back to the main WAN interface, all the connections will be migrated back to the main WAN interface except the VPN connection, which will continue working through the 4G interface, thus producing additional costs from the 4G operator"
Check Point has confirmed that it is an expected behaviour, so we had to search for a workaround.
Solution:
1. First I prepared a bash script that checks the messages log for an event that the WAN connection is up again and, based on that, restarts the 4G interface to fail the 4G connection back over to the primary ISP (also attached):
#!/bin/bash -f
# Load the Check Point shell environment before doing anything else.
source /pfrm2.0/opt/fw1/conf/.CPprofile.sh

# Current time as a Unix timestamp, and the cut-off 1 minute (60 seconds) earlier
current_timestamp=$(date +%s)
timestamp_1min_before=$((current_timestamp - 60))

# Path to the log file
log_file="/var/log/messages"
# Pattern to search for in the log file (the primary ISP coming back)
search_pattern="Internet connection \"Internet1\" is active now"

# Map the month name printed in the log to a two-digit number for date(1)
month_to_num() {
    case "$1" in
        Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
        May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
        Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *)   return 1;;
    esac
}

# Only lines containing the pattern need parsing. Log lines on the appliance
# start with "YYYY Mon D HH:MM:SS", which read splits into the four fields below.
grep -F -- "$search_pattern" "$log_file" | while read -r line_year line_month line_day line_time rest; do
    month_num=$(month_to_num "$line_month") || continue
    # date(1) needs a two-digit day; the log prints single-digit days unpadded
    if [ "${#line_day}" -eq 1 ]; then
        line_day="0${line_day}"
    fi
    # Convert the line's timestamp to epoch seconds so that the comparison is numeric
    # (a string compare of month names would misorder e.g. "Jul" before "Jun")
    line_timestamp=$(date -d "$line_year-$month_num-$line_day $line_time" +%s 2>/dev/null) || continue
    # Check if the line timestamp is within the last minute
    if [ "$line_timestamp" -gt "$timestamp_1min_before" ]; then
        # Bounce the 4G interface so the VPN tunnel re-establishes over the primary ISP
        ifconfig cell0 down
        ifconfig cell0 up
        break
    fi
done
2. Then I configured a cron job to run the script every minute:
- Log in to WinSCP.
- Open a new session with the SMB firewall.
- Upload the file 4G_Script.sh to the path /usr/bin/.
- Log in to the SMB firewall using SSH.
- Go to Expert mode.
- Go to the path /usr/bin/.
- Change the permissions of the file using the command below.
chmod u+x 4G_Script.sh
- Run the below command.
crontab -e
- Add a new line to run the 4G script as below:
*/1 * * * * /usr/bin/4G_Script.sh
- Save the file.
This workaround ensures that the Site-to-Site VPN tunnel will fail over to the primary ISP no more than a minute after the primary ISP becomes active.
Hope this helps!
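To check the log matching before putting such a script in cron, here is a small harness, added here and not part of the original post: it takes the decision logic of the workaround (same "YYYY Mon D HH:MM:SS" lines in /var/log/messages and the same "Internet1" pattern as above) into a function with an injectable clock, runs it over constructed sample lines, and covers the month-boundary case that a plain string comparison of month names gets wrong. The file, host name and timestamps are constructed for the demo; no interface is touched.

```sh
#!/bin/sh
# Added example, not from the original post. The decision logic of the workaround
# with an injectable clock, so it can be checked against sample log lines without
# touching any interface: isp_back_up returns 0 when LOGFILE holds an "Internet1 is
# active now" event newer than NOW_EPOCH-60, and 1 otherwise.
PATTERN='Internet connection "Internet1" is active now'
# Month name as printed in /var/log/messages -> two-digit number for date(1).
month_to_num() {
    case "$1" in
        Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
        May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
        Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *)   return 1;;
    esac
}

# line_epoch YEAR MON DAY HH:MM:SS -> epoch seconds. Numeric time is what must
# be compared; a string compare of "Jul" against "Jun" sorts July before June.
line_epoch() {
    m=$(month_to_num "$2") || return 1
    d=$3; [ "${#d}" -eq 1 ] && d="0$d"      # the log prints 1, date(1) wants 01
    date -d "$1-$m-$d $4" +%s 2>/dev/null
}

# isp_back_up LOGFILE NOW_EPOCH
isp_back_up() {
    threshold=$(( $2 - 60 ))
    found=$(grep -F -- "$PATTERN" "$1" | while read -r line; do
        ts=$(line_epoch $line) || continue      # unquoted: split into 4+ fields
        if [ "$ts" -gt "$threshold" ]; then echo yes; break; fi
    done)
    [ "$found" = yes ]
}

# Constructed sample log (not a real capture): the WAN event lands in the first
# minute of July while the one-minute window starts in June.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
2024 Jun 30 23:58:00 gw syslog: Internet connection "Internet1" is down
2024 Jul 1 00:00:10 gw syslog: Internet connection "Internet1" is active now
EOF
    now=$(date -d "2024-07-01 00:00:30" +%s)
    isp_back_up "$tmp" "$now"; rc=$?
    rm -f "$tmp"
    return $rc
}

if demo; then echo "fresh WAN-up event: would bounce cell0"; else echo "no fresh event"; fi
```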