Hi Dameon ,

I have followed your instruction but not sure about default gateway and static NAT . Also, I am confused about the ISP redundancy faileover , The faileover will happen in the same Firewall or faileover to standby firewall ?

Default Gateway :

For each member what default gateway should configure? (ClusterXL mode) 

NAT :

For static NAT to a web server ( static NAT to one of the IP of /28 NOT firewall IP ) do I need to create alias for each IP address and assign to Firewall external address ?

How should I configure static NAT for clusterxl in ISP redundancy ?

Thanks in advance for your help .

ISP Redundancy is local to the specific gateway.

In a cluster it should be configured on both members. 

The default route should be your primary ISPs next hop IP (again, configured on both members).

For NAT, you do not need to create that static IP as an alias, you merely need to make a rule in the NAT rulebase.

You can have multiple public IPs (for the different ISP links) for your webserver.

This specific example is covered in the documentation: How To Configure ISP Redundancy

Thanks for your reply .

if Default gateway configured as primary and primary Internet failed how firewall will handle the secondary ISP route ? 

(in cluster object I have enabled the USO redundancy as primary/backup mode with next hop IP address but not sure I have to add default gateway or not in gui static route or not )

Also,The static NAT to my web server is not working without creating an aliases !!!!

Basically you treat each VLAN as if it were a physical interface.

This means:

• In Gaia, after adding the relevant VLANs to eth1, configure the networking for each VLAN as appropriate.
  • Note it's generally not best practice for the physical (non VLAN) interface to have an IP once you start using VLANs on a given physical interface.
• In SmartConsole, gateway and cluster objects, you will see each VLAN show up as an independent interface when you do a Get Topology. Configure each VLAN as appropriate. Ensure each VLAN has a cluster IP.

Note also about the following limitation when using VLANs with ClusterXL: Monitoring of VLAN interfaces in ClusterXL 

Thanks for answer. This is my topology. i need configure trunk in checkpoint. below is what i did. 

1. Assign VLAN on both checkpoint eth1. 

2. Put default gateway to ISP 1.1.1.4

3. did Get topology and configured network to external in eth1. 

4. WG is watchguard firewall. 

  problem is: could not ping from Checkpoint to WG and ISP. 

is my topology correct for this cluster? 

A VLAN trunk only works if both ends are configured the same way.

If you plug the WatchGuard interface with a Trunk into a switch port, then that switch port must:

• Support VLANs
• Be configured as a trunk with the same VLANs as the WatchGuard

Same with both Check Point devices, both on the WatchGuard side of things and on the Cisco side of things.

Also, on the gateway topology, the interface that should be marked as external is eth1.10 (the VLAN interface) not eth1 (the physical one).

On a separate note, load sharing configurations (while supported) are generally not advised.

If the cluster members exceed 50% utilization and one node fails, the other member will become overloaded (which may cause a complete outage). 

thanks for answer. I understood from your answer that trunk port is work.  maybe i missed some configuration . can you say me some check list configuration for this  topology ? can you give phone number ? i have a some question cluster in checkpoint R80.10 ? is it possible ?