leangm
Contributor

ISP redundancy Cluster

Hi everyone,

I have some questions regarding ISP redundancy.

Currently, I have Checkpoint running production version R81.10 with the cluster active/standby.
On the cluster box, I have a configuration like below:
- two ISP links on gateway
- dynamic routing OSPF protocol
- site-to-site vpn 
- remote access vpn
- incoming and outgoing nat

and just want to know if I would like to enable ISP redundancy on the existing cluster box 

What are the challenges to achieving this need?

Thank you 

best regards,

mgl

0 Kudos
4 Replies
_Val_
Admin

ISP redundancy has quite a few limitations, mostly around SecureXL functionality. I would advise you to review those before making your decision.

0 Kudos
leangm
Contributor

What did you mean by review?

The services running on Checkpoint are already described here.

0 Kudos
PhoneBoy
Admin

What @_Val_ was suggesting was to review the relevant documentation.
However, I think most of those limitations have been resolved in current releases.

0 Kudos
biskit
Advisor

I have this running and it works pretty well. Remember you still only have one "Default" gateway, e.g. ISP-1.

We statically route some destinations out of ISP-2. We also use PBR to route some stuff via ISP-2.

ISP Redundancy relies on the ability (or not) to ping upstream IPs to tell if the line is up and healthy or not, and therefore whether to fail over or not. So remember, if both ISP circuits are from the same telco and that telco have an issue, it could affect the ability for both of the firewall's ISP lines to determine which is healthiest. I experienced this rather shaky meltdown recently and basically had little option but to wait for the telco to fix their issue. So for best resilience you want to use different telcos and ensure their cables in the ground don't run up the same street to your building... You know, the street that has a JCB about to start digging the road up, and both of your ISP lines with it 🙄

0 Kudos
