Dear friends,
We are currently working on a project with the following topology:
We are migrating from a FortiGate HA cluster to a Check Point HA cluster.
Based on the topology above, I have a few questions.
Firstly, this client has some applications published and uses AWS DNS (Route 53) to resolve public addresses. When these requests reach the firewall, NAT is performed to the internal IP of the Web Server, allowing internet users to access the application/website.
These applications are published with the IPs of the two ISPs, each ISP providing a /28 subnet for the client. We noticed that the AWS DNS load balances the requests, resolving to either ISP's IP at different times.
This raised a concern about routing asymmetry on the return path of these packets. For instance, suppose an internet user accesses the application and the DNS resolves to ISP1's IP, which is configured as the VIP of VLAN 8 on eth8 (eth8.8). The packet arrives at the firewall and is forwarded to the application based on the NAT rule. On the return path, how can I ensure the reply is sent back via the eth8.8 interface where the request was received? Would ISP Redundancy address this? If so, should it be configured for Load Sharing?
Please note that I cannot rely on a route with higher priority because, due to the DNS load balancing, we cannot know through which ISP the user's packet will arrive. Thus, the firewall must be capable of receiving packets through any interface and responding via the correct interface.
Another issue we have with this client is that, as you can see, the IP addresses of the physical interfaces on this appliance are not in the same subnet as the VIP. This is because the client has no more available public IPs, so I had to apply the procedure according to the ClusterXL R81.10 Administration Guide. Could this difference between the interface and VIP subnets be a problem for the described scenario?
I would be grateful for any tips or help in this case.
Thank you all in advance!
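An added illustration of the asymmetry concern raised in the post (example code, not part of the original thread and not Check Point's implementation): a toy firewall model with two ISP uplinks, static NAT of both VIPs to one internal web server, and a default route via only one ISP. The addresses, the second uplink name `eth7.7`, and the `stateful_return` switch are all constructed assumptions; the point is that with plain destination routing the reply for a connection that arrived on eth8.8 leaves on the other uplink with a source address from ISP1's block, which ISP2 would typically drop as spoofed.

```python
from dataclasses import dataclass

# Constructed stand-ins for the two ISP /28 blocks described in the post.
ISP1_VIP, ISP1_IF = "198.51.100.2", "eth8.8"   # ISP1 VIP on VLAN 8
ISP2_VIP, ISP2_IF = "203.0.113.2", "eth7.7"    # hypothetical second uplink
WEB_INTERNAL = "10.0.0.10"                     # published web server (constructed)
UPLINK_BLOCK = {ISP1_IF: "198.51.100.", ISP2_IF: "203.0.113."}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str  # ingress interface for requests, egress interface for replies


class ToyFirewall:
    def __init__(self, default_route_if: str, stateful_return: bool):
        self.default_route_if = default_route_if
        self.stateful_return = stateful_return
        # Connection table: post-NAT 4-tuple -> (public VIP used, ingress interface)
        self.conns = {}

    def inbound(self, pkt: Packet) -> Packet:
        # Static NAT: either public VIP maps to the internal web server.
        assert pkt.dst in (ISP1_VIP, ISP2_VIP), "not a published address"
        self.conns[(pkt.src, pkt.sport, WEB_INTERNAL, pkt.dport)] = (pkt.dst, pkt.iface)
        return Packet(pkt.src, WEB_INTERNAL, pkt.sport, pkt.dport, pkt.iface)

    def reply(self, pkt: Packet) -> Packet:
        # Reverse NAT the server's reply and pick the egress interface.
        vip, in_if = self.conns[(pkt.dst, pkt.dport, pkt.src, pkt.sport)]
        out_if = in_if if self.stateful_return else self.default_route_if
        return Packet(vip, pkt.dst, pkt.sport, pkt.dport, out_if)


def source_matches_uplink(pkt: Packet) -> bool:
    # Upstream ISPs usually only accept source addresses from their own block.
    return pkt.src.startswith(UPLINK_BLOCK[pkt.iface])


def simulate(stateful_return: bool) -> Packet:
    # Client resolved the ISP1 address; default route points at ISP2.
    fw = ToyFirewall(default_route_if=ISP2_IF, stateful_return=stateful_return)
    request = Packet("192.0.2.7", ISP1_VIP, 40000, 443, ISP1_IF)
    inside = fw.inbound(request)
    server_reply = Packet(inside.dst, inside.src, inside.dport, inside.sport, "eth1")
    return fw.reply(server_reply)
```

Running `simulate(False)` yields a reply sourced from ISP1's VIP but leaving on eth7.7, while `simulate(True)` returns it on eth8.8, which is the behaviour the post is asking how to guarantee.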