Hello fellow Checkpointers,
I have two ISPs with a peer on each side providing me a default gateway via BGP. (I also advertise 4 different ranges to them.)
Since it's BGP, the documentation is quite clear that "ISP Redundancy does not support dynamic routing protocols" - so using it is out of the question.
I imagined weighting the peers so that ISP1-Peer is preferred over ISP2-Peer.
This means I would be receiving 2 advertisements for 0.0.0.0/0, one from each peer. ISP1-Peer's route would be installed unless it goes down, in which case ISP2-Peer's default advertisement would be installed into the routing table.
Then I run into a NAT problem? (For now I'm just trying to NAT behind the gateway's real address, not any of my BGP addresses). I'm used to doing manual NAT rules.
I've been doing some reading on how ISP Redundancy does this in sk174197 and sk34812.
In an attempt to recreate this myself, I tried enabling "Automatic Address Translation Rules" for each of my cluster members and selecting "Hide behind gateway".
This installs a machine hide NAT rule with:
Orig Src | Orig Dest | Orig Svc | Trans Source | Trans Dest | Trans Service
fw1-obj | any | any | fw1-obj (Hiding Address) | Original | Original
But when I push policy, policy verification fails with: "Module fw1-obj cannot have a NAT rule installed on 'All', the module cannot translate its own address".
And now I'm fairly confused on how to accomplish this. Would appreciate some guidance from those smarter than I.