This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DominusRex23
Participant
‎2025-11-04 07:17 AM

ISP Redundancy: LAN via ISP‑1, WLAN via ISP‑2

Hi CheckMates,

I’m exploring a design where a Check Point gateway connects to two ISPs. The client’s requirement is:

  • LAN subnets should use ISP‑1 by default
  • WLAN subnets should use ISP‑2 by default
  • Both ISPs should be active simultaneously (Load Sharing, not HA)
  • If either ISP fails, traffic from both LAN and WLAN should fail over to the surviving ISP automatically

From my understanding, this would involve:

  • Enabling ISP Redundancy in Load Sharing mode to handle health monitoring and failover
  • Using NAT rules so each subnet hides behind its “preferred” ISP’s external IP, but can also fall back to the other ISP if needed
  • Optionally applying Policy‑Based Routing (PBR) to bias LAN traffic toward ISP‑1 and WLAN traffic toward ISP‑2 under normal conditions

Where I’m unsure:

  • Will NAT rules really switch cleanly during failover, or could I run into asymmetric routing?
  • Does PBR play nicely with ISP Redundancy, or could it “stick” to a dead ISP?

Has anyone here implemented something like this? I’d love to hear if this approach is solid, or if there’s a better way to achieve subnet‑specific ISP preference with automatic failover and zero human intervention.

 

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2025-11-04 07:28 AM

The fact you're talking about LAN/WLAN means you're discussing SMB appliances.
Generally ISPR and PBR aren't supported together: https://support.checkpoint.com/results/sk/sk167135 

0 Kudos
DominusRex23
Participant
‎2025-11-04 06:16 PM
In response to PhoneBoy

Hi @PhoneBoy 

Thanks for pointing that out. I actually wasn’t aware of that SK, so I’ll definitely look into it. Just to clarify, this setup is on enterprise Gaia gateways, not SMB appliances (I only used “LAN/WLAN” to describe internal segmentation).

The client’s requirement is zero human intervention in case of ISP failure, but they also want subnet‑specific steering (LAN → ISP‑1, WLAN → ISP‑2) under normal conditions. From what you’re saying, it sounds like ISP Redundancy and PBR can’t be combined, which raises the question:

  • On enterprise gateways, is there a supported way to achieve both automatic failover and subnet‑specific ISP preference without relying on PBR? Or is it really an either/or trade‑off

0 Kudos
PhoneBoy
Admin
Admin
‎2025-11-04 07:26 PM
In response to DominusRex23

You don't need ISP Redundancy for this, you can just use Multiple Default Routes with ECMP and PBR.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_Advanced_Routing_AdminG... 

However, I don't think you can define a different NAT for different ISP with this configuration.
You can do this with Quantum SD-WAN, though.

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2025-11-06 05:37 AM
In response to DominusRex23

The best way to achieve your need is to use SD-WAN. SQ-WAN does all the magic, using both ISPs, sent traffic from network A via ISP A and traffic from network B via ISP B. And if one ISP is failing everything is sent via the other. It's simple to configure with SD-WAN policy.

0 Kudos
TurgutKaplanogl
Contributor
Contributor
‎2025-11-06 04:00 AM

Hello,

 

You can fix your issue with SKs without any manuel configuration when ISP link down.

 

For Hide Nat: https://support.checkpoint.com/results/sk/sk174197

For Static Nat: https://support.checkpoint.com/results/sk/sk25152

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events