How to configure two separated ISP external interfaces
Hi all,
Sorry if this question has already been asked, but I can't find a simple answer to this specific question:
how do I configure a second external interface, with a second ISP, in order to route Internet traffic/NAT to one or the other depending on policies?
In my case I have to change the ISP and since I can't just switch it off, I have to start moving some services to the new ISP.
For example make a subnet going to the Internet with the 2nd ISP, move a published service to the new public IPs, etc.
My first attempt was to configure the secondary external cluster interfaces and add the new router's IP in the Gaia's Default route (added to the primary, with priority "none"), but it didn't work.
I know about PBR, but I see that it has critical limitations (no IPS, no URL filtering... practically useless!)
So, what is the simple solution for using a second ISP, which every other brand supports?
Thanks
Accepted Solutions
@AkiYa routes with different metrics are only for failover usage. If the route with metric 1 fails, traffic will be routed via the route with metric 20. This is independent of NAT.
Which of the PBR limitations is the problematic one for you?
Some limitations need more explanation; for example, "domain based VPN" is not supported with PBR. But this does not mean "domain based VPN" can't be used if PBR is configured. You can, but the limitation is that you can't route VPN traffic through PBR. VPN traffic will be routed via the VPN domain routing.
We are using PBR with R81.10, coming from R80.40, and are really happy with this. We use it like you described: routing subnet A via ISP1 and subnet B via ISP2. You can start by implementing a small PBR, maybe for only one host, see what happens and check for any problems.
If you want to switch from one ISP to another one subnet at a time, PBR is your solution. If you want to have a redundant switchover and move one service at a time, you can use ISP redundancy in Load Sharing mode (Configuring ISP Redundancy so that certain traffic uses specific ISP Link). You can start with ISP1 at 90% utilization and ISP2 at 10% and switch more over step by step.
Both PBR and ISP redundancy have limitations, but you have to choose. I think I understand your need and I think you will get a nice solution with PBR. But you have to upgrade to R81.10 to get the best solution.
PS.: I know some other vendors with better solutions for your specific use case, but they have other limitations. That's the way it is every day in the life of an IT guy 😀
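One concrete shape of the PBR setup Wolfgang describes (subnet B out via ISP2, everything else via ISP1), written here as an added example; it is not code from the post or from Check Point. It reuses the constructed addresses from the asker's own example later in the thread (ISP1 router 1.2.3.4, ISP2 router 5.6.7.8, LAN2 192.168.1.0/24); the table name ISP2 and the rule priority are my choices, and the Gaia clish command forms are as I recall them from sk100500, so check them against the PBR section of the Gaia Administration Guide for your release before using them:

```clish
# Gaia clish, run on each cluster member (PBR is a per-member OS setting, not pushed by the policy).
# The normal default route stays on ISP1 for everything a PBR rule does not match.
set static-route default nexthop gateway address 1.2.3.4 on

# PBR routing table "ISP2" (assumed name): a default route pointing at the ISP2 router.
set pbr table ISP2 static-route default nexthop gateway address 5.6.7.8 priority 1

# PBR rule: packets whose source is LAN2 are looked up in table ISP2 instead of the main table.
# Following the advice above, start with a single host (e.g. a /32) and widen to the subnet later.
set pbr rule priority 10 match from 192.168.1.0/24
set pbr rule priority 10 action table ISP2

# Verify the rule and table before saving.
show pbr rules
show pbr tables
save config
```

PBR only chooses the egress route; it does not rewrite the source address. LAN2 therefore still needs a manual hide NAT rule in SmartConsole behind an address from the ISP2 range (the 5.6.7.9 in the asker's example), otherwise its packets leave through ISP2 carrying ISP1 addresses and may be dropped by the provider's ingress filtering. The R80.40 limitations listed in sk100500 still apply to this setup; the experience reported above is on R81.10.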
@AkiYa ISP redundancy is the feature you need. Start with ISP Redundancy configuration
@Wolfgang Thank you for your answer, I will give it a look, but I've already found lots of answers about ISP Redundancy, which is NOT what I need: I don't need redundancy, I just need to use two separate ISPs by configuring two default routes.
Is this supported?
(Now I will check in the link, but it would help me to know it)
Thanks!
Yes, you can do this. You can configure more than one gateway for your default route. With priorities you can configure which ISP is used. How to configure static routes using different priorities with ping option
With PBR you can control the outgoing route for your source networks, but you have to be careful regarding NAT. With ISP redundancy a lot of the NAT work is done automatically by the gateway; with PBR you have to configure manual NAT rules matching your routing. Maybe for your use case this will be the better solution.
As I said, what I need is not to prioritize the Internet route in a redundancy scenario but to decide which host/subnet will use ISP1 and which host/subnet will use ISP2.
From what I can see, PBR has so many limitations that I can't even understand what it could be used for, so it's not an option.
I installed WatchGuard and they have the SD-WAN feature to configure multiple WANs and easily decide which ISP to use for specific hosts, subnets or services, but I can't see anything similar in Check Point.
@AkiYa I went over Policy-Based Routing (PBR) on Gaia OS and now I understand your statement.
Some information in this sk is outdated; a lot of the limitations are solved with R81.xx. Have a look at Policy-Based Routing and Application-Based Routing in Gaia.
PBR will be your solution 😀
I left a note in the sk100500 to update the limitations.
Which appliance model do you use with Check Point?
@_Val_ I'm using two 5600 appliances in ClusterXL, R80.40.
For me it's unbelievable that a simple feature like this is still not fully implemented in Check Point, but what to do...
You certainly can configure more than a single external interface on Gaia. What is your challenge, to be able to move services from one ISP to another? Based on what?
If you are looking for application-based routing, then yes, this is an SD-WAN feature, which is currently in EA with R81.20.
The challenge is to have 2 external interfaces and use them at the same time, depending on the policies configured: I understand that PBR would be the answer, but in fact it's NOT because of the feature limitations.
Unfortunately I'm not using R81.20 yet, but it's good to know that this SD-WAN feature will be available sooner or later.
Just another question: what if I configure two default routes on Gaia with different metric and then configure specific hide NAT for the subnet I want to move to the second ISP?
Does it make sense?
ex:
(Gaia)
Default route: 1.2.3.4 - metric 1
Default route: 5.6.7.8 - metric 20
(Dashboard): LAN_192.168.0.0/24 - hide behind the gateway
LAN2_192.168.1.0/24 - hide behind IP address: 5.6.7.9
Thank you for the explanation Wolfgang, so if I move to R81.20 I should have it working as I need. Unfortunately at the moment I don't have time to manage the update, so I will do it the hard way (switch to the new line with service interruption).
Later I will update the firewalls and give it a try.
I too think you could give PBR a try. We have the same situation here (also on R80.40) and for most things it worked well, so at the moment two ISPs are used and we did not have to configure ISP redundancy.
Only Remote Access gave us some headaches, but for this we found other solutions.
I have a very similar challenge here, which I currently don't know how best to fulfill:
ClusterXL R80.40 with 450 S2S VPN tunnels
The task is to migrate to a new ISP with a new IP address space on the same gateway. The external VPN partners should only have to change to our new gateway IP, all other settings should be retained.
Now I'm unsure whether this is even possible tunnel by tunnel and which mechanism should be used.
I don't actually need ISP redundancy, but if it can achieve the goal I would of course use it.
I assume that with "Outgoing Route Selection" in the gateway settings and PBR routes, a changeover to the new Internet IP might also be achieved. But will PBR even work with destination routes that enter a S2S VPN tunnel?
Question: Is there anyone who has already mastered this challenge? And how?
Thanks a lot for your ideas
Christian
Probably best to create a new thread for better visibility of your question / requirement, as it is different from the PBR & ISP redundancy features, and this thread has already been marked as solved.
