This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
vergil901
Explorer
‎2023-10-25 07:40 AM

Dual ISP redundancy with auto-nat

Hi all,

 

I am going to deploy ISP redundancy. My setup is, I have 1 cluster with 2 firewalls, on each FW I have extended both ISP1 and ISP2. My goal is two run ISP1 as primary and ISP2 and secondary ISP. I have some queries regarding setting up ISP redundancy, can some one help and respond on these?

1) Currently I only have 1 default route on my physical each FWs towards ISP1 gateway. Do I need to add another default route on each FW towards gateway of ISP2 with higher metric? Or Checkpoint manager will handle all routing as well through ISP redundancy setup once we provide gateways & pull tracking on 8.8.8.8 etc via isp redundancy tabs? Or no, we will have to put secondary default routes on firewalls?

 

2) I have complex NAT setup. For example I have 10 source networks that needs outbound internet access whether on ISP1 or in failover time via ISP2. All 10 source network objects are set to create "auto-NAT" so I already have all auto-nat in place. But at least 5 of the source network objects are set to "Hide behind gateway" and half are set to "hide behind IP x.x.x.x/32". So I am assuming for objects those are translating into "hide behind gateway" will work fine with ISP redundancy right? Because in normal scenario they will get Natted into ISP1 cluster outside IP and in failover they will NAT into clusters ISP2 outside IP?

But what to do with the source object groups that are configured with "hide behind IP"? For these 5 objects, they have 3 different static IPs assigned for example 2 source network objects are using 1.1.1.2 from ISP1 ISP pool, 2 are using 1.1.1.3 from isp pool and 1 is using 1.1.1.4 from isp pool. My goal is that these should failover also when I bring ISP1 down, and should use similar unique IPs from ISP2 for example 2.2.2.2, 2.2.2.3 and 2.2.2.4 for outgoing traffic.

 

Please have above both points addressed.

 

Thanks,

0 Kudos
1 Reply
PhoneBoy
Admin
Admin
‎2023-10-25 08:56 PM

When dealing with ISP Redundancy and NAT, see: https://support.checkpoint.com/results/sk/sk25152

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events