Hemant_Mathur
Participant

Check Point Cluster configuration with Multiple ISPs

I am planning to install a cluster on two 15400s. Presently the OS is R81.

We have 3 ISPs that are used for NATing various services and servers in our data center.

I have never done this. I am confused about how the public IPs from the ISPs would work on both cluster nodes.

Would appreciate any help from the experts in the Check Point community.

I need to configure the firewall in Load Sharing mode. We are also using site-to-site IPsec VPN and remote access IPsec VPN.

9 Replies
_Val_
Admin
Admin

Start with sk34812

Hemant_Mathur
Participant

Thanks for the help. 

I would be making a cluster with 2 firewalls. My confusion is with the incoming traffic.

Presently we are using almost 40 public IPs from 3 different ISPs. The public IPs are configured on the physical external interface of the firewall.

Where would the public IPs be configured in a cluster config?

I mean, how would all the public IPs be routed from one firewall to another when a Check Point device fails?

I am not able to understand it.


This is covered in the ClusterXL Admin Guide, chapter ISP Redundancy / Incoming Connections.

Hemant_Mathur
Participant

Thanks for the prompt reply. It helped me a lot.

I have one more query. 

In cluster mode, do I define the public IPs on the virtual interface or on the physical interface?

 

Use the virtual IP. The cluster will take care of routing it to the right member(s).
Hemant_Mathur
Participant

OK. Thanks. 

In that case I would deploy the public IPs (e.g. 40 IPs on 40 different virtual IPs) and configure local private IPs on the physical interface. The subnet of the local private IPs can be 192.168.100.x on both Check Point nodes.

Do I need to do any specific routing to deliver incoming traffic from the external internet, i.e. to get the traffic to the internal application, which was earlier directly NATed to a public IP on the single Check Point device?

RS_Daniel
Advisor

Hello,

You do not need to assign the 40 public IPs to different virtual IPs. You only need to configure three interfaces, one for each ISP, and each one will have its own virtual IP; these IP addresses will be used to NAT the traffic from internal hosts to the Internet (hide NAT).

I guess your 40 public IPs are used for public services, I mean your mail server, DNS server etc. For these cases you only need to create static NATs using the public IP address for each case. If you use manual static NAT you also need to create specific ARP entries on each member to answer ARP requests for those public IPs which are not configured as a virtual IP or on the firewall itself. If you use automatic static NAT the ARP entries are created automatically. HTH.

Regards

Hemant_Mathur
Participant

Thanks for the explanation.

From the above inputs, my understanding is now as under.

Will use 3 public IPs as VIPs (one for each ISP). The physical interfaces of each cluster member would have private IPs. Static manual NAT would help us accept the traffic from the virtual IPs and deliver it to the internal applications using the physical interfaces with private IPs.

Kindly confirm if the above understanding is correct. 

RS_Daniel
Advisor

Hello,

"Will use 3 public IPs as VIPs (one for each ISP)." --> YES

"The physical interfaces of each cluster member would have private IPs." --> Physical interfaces can have public IP addresses too; you would use three public IPs for each ISP, one for each member + the virtual IP. According to the R80.40 ClusterXL admin guide a mix of static NAT and physical interfaces with private IPs should work too, but it is mandatory to create proxy ARP entries manually. Check "Limitations of Cluster Addresses on Different Subnets".

"Static manual NAT would help us accept the traffic from the virtual IPs and deliver it to the internal applications using the physical interfaces with private IPs." --> NO. Static NAT only serves to translate the destination IP in this case; you will also need to create firewall rules to accept the traffic: origin any, destination public IP, action allow.

Regards

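The following Python script is an added example, not code from this thread or from Check Point. It turns the advice in RS_Daniel's two replies (one external interface and VIP per ISP; a proxy ARP entry on each member for every manually NATed public IP that is not itself a VIP or physical address; manual entries mandatory when the members' physical IPs are on a different subnet than the VIP; and a separate access rule for the pre-NAT public destination) into a plan checker. The interface names, MAC addresses, member names A and B, the TEST-NET prefixes and the NAT and rule lists are constructed sample data. The only Check Point specific it relies on is the $FWDIR/conf/local.arp line format, one "<public IP> <MAC of this member's interface>" per line (sk30197), which is why the output is generated per member.

```python
"""Checklist generator for publishing services behind a ClusterXL pair that
faces several ISPs.  Added example; all addresses, names and MACs are
constructed sample data, not real infrastructure."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class IspLink:
    name: str
    interface: str              # Gaia interface facing this ISP, e.g. eth1
    subnet: str                 # public prefix assigned by this ISP
    vip: str                    # ClusterXL virtual IP on that interface
    member_ips: dict            # member -> physical IP on that interface
    member_macs: dict           # member -> MAC of that member's interface


@dataclass
class StaticNat:
    public_ip: str
    internal_ip: str
    automatic: bool = False     # automatic NAT on the host object (gateway adds ARP itself)


def link_for(ip, links):
    """ISP link whose prefix contains ip, or None if the IP belongs to no ISP."""
    addr = ip_address(ip)
    return next((l for l in links if addr in ip_network(l.subnet)), None)


def members_on_different_subnet(link):
    """True when the members' physical IPs are outside the ISP prefix
    (the 'cluster addresses on different subnets' case from the reply)."""
    net = ip_network(link.subnet)
    return any(ip_address(ip) not in net for ip in link.member_ips.values())


def proxy_arp_plan(links, nats):
    """Return ({member: [local.arp lines]}, [problems]).

    An entry is generated on every member because the MAC differs per member;
    it is skipped when the public IP already sits on an interface (VIP or
    physical IP) or when automatic NAT can add it, except on a link whose
    members are on a different subnet, where the reply says manual is mandatory."""
    plan = {m: [] for l in links for m in l.member_macs}
    problems = []
    on_interface = {l.vip for l in links} | {ip for l in links for ip in l.member_ips.values()}
    for n in nats:
        link = link_for(n.public_ip, links)
        if link is None:
            problems.append(f"{n.public_ip}: not inside any ISP prefix")
            continue
        if n.public_ip in on_interface:
            continue
        if n.automatic and not members_on_different_subnet(link):
            continue
        for member, mac in link.member_macs.items():
            plan[member].append(f"{n.public_ip} {mac}")
    return plan, problems


def missing_access_rules(nats, rules):
    """Public IPs that have a static NAT but no accept rule.  rules are
    (source, destination, action) tuples; destination is matched on the
    ORIGINAL public address, since static NAT only rewrites the destination."""
    missing = []
    for n in nats:
        if not any(dst in ("Any", n.public_ip) and action == "accept"
                   for _, dst, action in rules):
            missing.append(n.public_ip)
    return missing


# Constructed sample: two members A and B, two ISP links.  isp2 keeps the
# members' physical IPs private (192.168.100.x) while the VIP is public.
LINKS = [
    IspLink("isp1", "eth1", "198.51.100.0/28", "198.51.100.3",
            {"A": "198.51.100.1", "B": "198.51.100.2"},
            {"A": "00:1c:7f:00:00:11", "B": "00:1c:7f:00:00:21"}),
    IspLink("isp2", "eth2", "203.0.113.0/28", "203.0.113.3",
            {"A": "192.168.100.1", "B": "192.168.100.2"},
            {"A": "00:1c:7f:00:00:12", "B": "00:1c:7f:00:00:22"}),
]
NATS = [
    StaticNat("198.51.100.10", "10.0.0.10"),                  # manual: needs local.arp
    StaticNat("198.51.100.11", "10.0.0.11", automatic=True),  # automatic, same subnet
    StaticNat("203.0.113.10", "10.0.0.53", automatic=True),   # automatic, but different-subnet link
    StaticNat("192.0.2.10", "10.0.0.80"),                     # typo: belongs to no ISP
]
RULES = [("Any", "198.51.100.10", "accept")]

if __name__ == "__main__":
    plan, problems = proxy_arp_plan(LINKS, NATS)
    for member, lines in plan.items():
        print(f"# $FWDIR/conf/local.arp on member {member}")
        print("\n".join(lines))
    print("problems:", problems)
    print("NATed IPs with no accept rule:", missing_access_rules(NATS, RULES))
```

On the sample data the script emits one local.arp block per member (198.51.100.10 on both, and 203.0.113.10 on both because isp2's members are on a private subnet), flags 192.0.2.10 as sitting in no ISP prefix (no interface would ever answer ARP for it), and lists the three NATed addresses that still lack an accept rule. Remember that local.arp is only honoured when "Merge manual proxy ARP configuration" is enabled in Global Properties > NAT, and check the "Limitations of Cluster Addresses on Different Subnets" section for your release before relying on the automatic-NAT shortcut on such a link.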