Checkpoint Cluster configuration with Multiple ISPs
I am planning to install a cluster on two 15400s. Presently the OS is R81.
We have 3 ISPs which are used for NATing various services and servers in our data center.
I have never done this. I am confused about how the public IPs from the ISPs would work on both cluster nodes.
Would appreciate any help from the experts in the Checkpoint community.
I need to configure the firewall in Load Sharing mode. We are also using site to site IPSec VPN and remote access IPSec VPN.
Labels: ClusterXL, NAT, Site to Site VPN
Start with sk34812
Thanks for the help.
I would be making a cluster with 2 firewalls. My confusion is with the incoming traffic.
Presently we are using almost 40 public IPs from 3 different ISPs. The public IPs are configured on the physical external interface of the firewall.
Where would the public IPs be configured in a cluster configuration?
I mean, how would all the public IPs be routed from one firewall to another when a Checkpoint device fails?
I am not able to understand it.
This is covered in the ClusterXL Admin Guide in the chapter ISP Redundancy / Incoming Connections.
Thanks for the prompt reply. It helped me a lot.
I have one more query.
In cluster mode, do I define the public IPs on the virtual interface or the physical interface?
Use the virtual IP. The cluster will take care of routing it to the right member(s).
OK. Thanks.
In that case I would deploy the public IPs (e.g. 40 IPs on 40 different virtual IPs) and configure local private IPs on the physical interface. The subnet of the local private IPs can be 192.168.100.x on both Checkpoint nodes.
Do I need to do any specific routing to deliver incoming traffic from the external internet to the internal application, which was earlier directly NATed to a public IP on a single Checkpoint device?
Hello,
You do not need to assign the 40 public IPs to different Virtual IPs. You only need to configure three interfaces, one for each ISP, and each one will have its own Virtual IP; these IP addresses will be used to NAT the traffic from internal hosts to the Internet (hide NAT). I guess your 40 public IPs are used for public services, I mean your mail server, DNS server etc. For these cases you only need to create static NATs using the public IP address for each case. If you use manual static NAT you also need to create specific ARP entries on each member to answer ARP requests for those public IPs which are not configured as a Virtual IP or on the firewall itself. If you use automatic static NAT the ARP entries are created automatically. HTH.
Regards
Thanks for the explanation.
From the above inputs, my understanding is now as under.
Will use 3 public IPs as VIPs (one for each ISP). The physical interfaces of each cluster member would have private IPs. Static manual NAT would help us accept the traffic from the virtual IPs and deliver it to the internal applications using the physical interfaces with private IPs.
Kindly confirm if the above understanding is correct.
Hello,
"Will use 3 Public IPs as VIPs (one each for each ISP)." --> YES
"The physical interfaces of each cluster member would have private IPs." --> Physical interfaces can have public IP addresses too; you would use three public IPs for each ISP, one for each member + the Virtual IP. According to the R80.40 ClusterXL admin guide a mix of static NAT and physical interfaces with private IPs should work too, but it is mandatory to create proxy ARP entries manually. Check Limitations of Cluster Addresses on Different Subnets.
"Static manual NAT would help us accept the traffic from the virtual IPs and deliver it to the internal applications using the physical interfaces with private IPs." --> NO. Static NAT only serves to translate the destination IP in this case; you will also need to create firewall rules to accept the traffic: source any, destination public IP, action allow.
Regards
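Added example, not from the thread or from Check Point: a small Python planner for the points raised in the two replies above, namely which manual static NAT addresses need a proxy ARP entry on each member (those on an ISP-facing subnet but not already the VIP or a member's physical IP) and which are not on-link at all. The addressing is constructed from documentation ranges, and both the rendered Gaia clish syntax and the choice of the member's own interface address as real-ipv4-address are assumptions to confirm against the ClusterXL and Gaia admin guides.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (RFC 5737 documentation ranges, not the poster's real IPs):
# one cluster interface per ISP, each carrying a physical IP per member plus the cluster VIP.
ISP_INTERFACES = {
    "eth1": {"net": "203.0.113.0/28", "members": ["203.0.113.2", "203.0.113.3"], "vip": "203.0.113.4"},
    "eth2": {"net": "198.51.100.0/28", "members": ["198.51.100.2", "198.51.100.3"], "vip": "198.51.100.4"},
    "eth3": {"net": "192.0.2.0/28", "members": ["192.0.2.2", "192.0.2.3"], "vip": "192.0.2.4"},
}
# Constructed manual static NAT table: published public IP -> internal server.
STATIC_NATS = {
    "203.0.113.5": "10.1.1.10",   # mail server published via ISP1
    "198.51.100.6": "10.1.1.20",  # web server published via ISP2
    "192.0.2.4": "10.1.1.30",     # published on ISP3's VIP itself: the cluster already answers ARP
    "192.0.2.30": "10.1.1.40",    # outside ISP3's /28: must arrive routed, proxy ARP does nothing
}

def classify(public_ip, interfaces):
    """Return (interface, action) for one NATed public IP.

    'proxy-arp'    : on an ISP-facing subnet but owned by nobody, so each member needs an entry
    'no-proxy-arp' : already the VIP or a member's physical IP on that subnet
    'not-on-link'  : inside no ISP-facing subnet; check with the ISP how it is delivered
    """
    ip = ip_address(public_ip)
    for name, cfg in interfaces.items():
        if ip in ip_network(cfg["net"]):
            owned = str(ip) == cfg["vip"] or str(ip) in cfg["members"]
            return name, "no-proxy-arp" if owned else "proxy-arp"
    return None, "not-on-link"

def proxy_arp_plan(interfaces, static_nats):
    """Classify every public IP used by a manual static NAT rule."""
    return {pub: classify(pub, interfaces) for pub in static_nats}

def clish_lines(interfaces, static_nats, member):
    """Render the proxy ARP entries one member (index into 'members') would need.

    Assumed Gaia clish syntax, and assumed use of that member's own interface address
    as real-ipv4-address; confirm both against the Gaia / ClusterXL guides.
    """
    lines = []
    for pub, (ifname, action) in proxy_arp_plan(interfaces, static_nats).items():
        if action == "proxy-arp":
            real = interfaces[ifname]["members"][member]
            lines.append(f"add arp proxy ipv4-address {pub} interface {ifname} real-ipv4-address {real}")
    return lines

if __name__ == "__main__":
    for pub, verdict in proxy_arp_plan(ISP_INTERFACES, STATIC_NATS).items():
        print(pub, "->", STATIC_NATS[pub], verdict)
    print("\n".join(clish_lines(ISP_INTERFACES, STATIC_NATS, member=0)))
```

Run it once per member (member=0, then member=1) and compare the result with the ARP entries actually present on each node; anything reported as not-on-link needs a route from the ISP rather than an ARP entry.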
