JoSec
Collaborator

ISP Redundancy (Load Sharing) using PBR and NAT Issue

We just added another ISP for a total of two and want to utilize both for connectivity to the Internet. I am not going to utilize ISP Redundancy configured within SmartConsole, since we have VoIP traffic to a third party from that site and have been told that utilizing load sharing with VoIP can be an issue. Hence the desire to utilize policy-based routes to keep the VoIP traffic on one ISP, while all other traffic can utilize both ISPs by using PBR rules with the same priority.

The issue I have encountered is that we currently have a manual Hide NAT rule for that network, and it is indicated to utilize "Hide behind Gateway" and Auto NAT. I may not be able to do that, since we route traffic from that same network to another location for an external connection through a different Check Point gateway for some other VoIP traffic, and it has been indicated that to resolve an issue with that connectivity we should utilize Auto NAT on the network object with a specific NAT IP that we utilize for the remote connectivity to another third party. The issue is that I would then need two network objects for use on two different gateways, each using Auto NAT with a different configuration, which I assume will cause issues.

Any ideas, or am I stuck with having to utilize ISP Redundancy (Primary/Backup) and dynamic objects for manual NAT in this scenario for the site with the two ISPs?

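As an added example (not from the original post and not Check Point's own documentation), this is roughly what the PBR-only approach described in the question looks like in Gaia clish: a PBR table that exits via one ISP, and a rule that hands only the VoIP flows to that table, so everything else falls through to the normal routing table. The subnet, the provider prefix, the next-hop address and the table name are all assumptions; the command syntax is from my recollection of the PBR section of the Gaia Administration Guide and should be checked against the guide for the installed version before use.

```clish
# Added example, not from the thread. All values are assumptions:
#   10.10.20.0/24    - internal subnet that sources the VoIP traffic
#   198.51.100.0/24  - the third-party VoIP provider's prefix
#   203.0.113.1      - ISP A next hop (the link the VoIP must stay on)
#   VOIP_ISP_A       - name of the PBR routing table
# Verify the syntax against the Gaia Administration Guide for your version.

# 1. A PBR routing table whose default route points at ISP A.
set pbr table VOIP_ISP_A static-route default nexthop gateway address 203.0.113.1 on

# 2. A rule that matches only the VoIP flows and hands them to that table.
#    PBR rules are consulted before the main routing table, lowest priority
#    number first, so only this source/destination pair is pinned; all other
#    traffic from 10.10.20.0/24 keeps using the regular static/default routes.
set pbr rule priority 10 match from 10.10.20.0/24
set pbr rule priority 10 match to 198.51.100.0/24
set pbr rule priority 10 action table VOIP_ISP_A

# 3. Inspect what was created, then persist it.
show pbr tables
show pbr rules
save config
```

Two checks a practitioner would want before relying on this. First, this fragment only pins the VoIP traffic; it does nothing about how the remaining traffic is shared across the two links, which the original question leaves to be solved separately. Second, routing and NAT have to agree: the VoIP packets that leave via ISP A must be hidden behind an address that ISP A will route the replies back to, so whatever Hide NAT is chosen for the network has to be checked against the path this rule forces.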
the_rock
Legend

ISPR is not supported with PBR; see the limitations section of the SK below, point 13.

https://support.checkpoint.com/results/sk/sk167135

Andy

Matlu
Advisor

Friend,

Is there any difference in the use of "ISP Redundancy" vs "PBR"?

I have 3 ISPs with different segments, and ISP Redundancy is already enabled in "Load Sharing" mode with a "Weight" of 1:

ISP 1 200.40.90.128/27
ISP 2 200.23.13.32/27
ISP 3 180.187.181.192/26

We have a ClusterXL environment, and the IPs that are external in our environment are:

ISP 1: 200.40.90.157/27
ISP 2: 200.23.13.61/27
ISP 3: 180.187.181.196/26

What we want is to be able to use ISP Redundancy, but "calling" IPs that are not the External IPs that are currently configured in the Firewall.

For example, it would mean using these "free" IPs from the same public segments of two of my ISPs:

ISP 2: 200.40.90.154
ISP 3: 180.187.181.217

Is it possible to use ISP Redundancy, with IPs that are not the ones configured as "External" in the Firewalls?

Is it more viable to get certain traffic through one or the other link, maybe using PBR?

Best regards.

the_rock
Legend

Hey bro,

I assume that if ISPR is in load sharing mode, the load would be distributed among the active links, unlike with an HA config. Now, as far as PBR goes, if it's active, those entries would actually take precedence over the regular static route entries.

You were asking if it's possible to use ISP Redundancy with IPs not configured as external? I think in the SmartConsole object you can use any available link under the ISPR tab, but then, if you think about it, that sort of defeats the purpose if there is ever a failure and those links can't be used for, say, a site-to-site VPN config (just as an example).

Best,

Andy
