This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Chinmaya_Naik
Advisor
11 hours ago

Check Point ISP Redundancy - Dynamic Objects (Something Interesting Network)

Network Topology:

ISP Rededundency DYNAMIC OBJECT.jpg

ISP Redundancy : Active/Standby Mode

Source: Host_A IP : 11.201.6.171

              Host_B IP : 11.201.6.172

Destination is XYZ Server IP: 142.250.205.238

ISP-1 NAT Public IP: 116.113.114.25 (From pool)

ISP-2 NAT Public IP: 58.143.112.130 (From Pool)

I created a manual NAT rule for this like below

Outbound Connection we need:

NAT Rule No Original Source Original Destination Original Service Translate Source Translate Destination Translate Service
1 11.201.6.171 142.250.205.238 https 116.113.114.25 Original Original
2 11.201.6.171 142.250.205.238 https 58.143.112.130 Original Original
3 11.201.6.172 142.250.205.238 https 116.113.114.26 Original Original
4 11.201.6.172 142.250.205.238 https 58.143.112.131 Original Original

 

Challenge : If ISP-1 once goes down then NAT Rule No-1 will always hit and its not going to hit the NAT Rule No-2 and my internal system 11.201.6.171 unable to reach the XYZ Server IP: 142.250.205.238.

To resolved this issue We plan to implement Dynamic Object.

Below is our POA

Object Name Comment
DYN_ISP_A ISP 1
DYN_ISP_B ISP 2

 

Object Name Comment
HOST_INTERNAL 11.201.6.171
HOST_INTERNAL1 11.201.6.172

 

Object Name Comment
HOST_VALID_ISP_A 116.113.114.19
HOST_VALID_ISP_B 58.143.112.129

 

Manual NAT Rule:

Original Source Original Destination Original Service Translate Source Translate Destination Translate Service
HOST_INTERNAL DYN_ISP_A https HOST_VALID_ISP_A Original Original
HOST_INTERNAL DYN_ISP_B https HOST_VALID_ISP_B Original Original
HOST_INTERNAL1 DYN_ISP_A https HOST_VALID_ISP_A Original Original
HOST_INTERNAL1 DYN_ISP_B https HOST_VALID_ISP_B Original Original

 

On the Security Gateway / each member of ClusterXL, run the 'cpstop' command.


1. Transfer the cpisp_update file to the both gateways ($FWDIR/bin/ directory) using scp tool.
2. Stop the Standby Member First (cpstop)
When running the commands below, we have to use the exact object name from SmartConsole
(case-sensitive).
[Expert@HostName]# dynamic_objects -n DYN_ISP_A
[Expert@HostName]# dynamic_objects -n DYN_ISP_B
[Expert@HostName]# dynamic_objects -o DYN_ISP_A -r 0.0.0.0 0.0.0.0 -a
[Expert@HostName]# dynamic_objects -o DYN_ISP_B -r 0.0.0.0 0.0.0.0 -a

3. Convert the cpisp_update file script to Unix format (dos2unix
$FWDIR/bin/cpisp_update)
4. Make the script executable (chmod +x $FWDIR/bin/cpisp_update)
5. Start the service on Standby Member (cpstart)

Repeat Steps 1-5 on the Other Gateway
We can see which ISP link is up with this command: tail -f /tmp/cpisp_state

File: $FWDIR/bin/cpisp_update : (Refer sk25152)

ISP Red1.png

Add the following configuration to have a Primary/Backup ISP solution (it will allow the Primary ISP to take back control after it is up again):

ISP Red2.png

Challenges Question 1:  We already configured sk32073 (Configuring Cluster Addresses on Different Subnets) and its running on the production so is this going to impact the Dynamic Object implementation?

Challenges Question 2:  We also have a one internal server server communication and that routes towards the external sub-interface eth1-01.x and route is also created and its working fine but if I configured the Dynamic Object rule then I am sure its hit the access control rule and then NAT Rule-1 and the source 11.201.6.171 unable to reach to the Internal Server.

Its complicate and its running on a critical environment so please need all of your assistance will be Great.

Regards

@Chinmaya_Naik   

0 Kudos
2 Replies
the_rock
Legend
Legend
5 hours ago

Hey man,

Since you asked me about this post on zoom remote, I really believe best thing to do is open TAC case, since they may need to provide updated ISPR script. Thats what was given to my colleague and I while back when we had similar issue. Personally, I would be super careful updating this file. Just make sure if you do that you back it up first, so its easy to revert later.

Andy

0 Kudos
CheckPointerXL
Advisor
Advisor
an hour ago

Did you try to use Zones instead?

The fact that we need to use script into a FW for operation like this it sounds ridiculous to me

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events