Hello community,
After replacing the current 4200 gateways running 77.30 with new 5200 ones running R88.10, the multi-ISP setup no longer works. The gateways, running as a ClusterXL cluster, are connected to two different ISPs and perform NAT depending on the target ISP. We copied all the GAIA configurations from the old gateways to the new ones, as well as the cpisp_update script. No IP or route changes, a pure gateway replacement without config changes.
To support this NAT, we added the following dynamic objects:
dynamic_objects -n DYN_ISP_Vodafone
dynamic_objects -n DYN_ISP_Colt
dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 0.0.0.0 -a
dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 0.0.0.0 -a
We confirmed the objects exist by running the command dynamic_objects -l
These dynamic objects are used in two different NAT rules for hiding the traffic as follows:
NAT Rule Vodafone:
Original Source: “Internal Networks”
Original Destination: “DYN_ISP_Vodafone”
Translated Source: “Vodafone-Public-IP”
Translated Destination: “Original”
NAT Rule Colt:
Original Source: “Internal Networks”
Original Destination: “DYN_ISP_Colt”
Translated Source: “Vodafone-Colt-IP”
Translated Destination: “Original”
To dynamically adjust the NAT according to the active ISP, we modified the cpisp_update script by adding the following commands at the end of the file:
# Verify which link is up with this command: tail -f /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo `/bin/date +%d-%b-%Y_%Hh-%Mm-%Ss` >> /tmp/cpisp_state
echo "RESTARTING SCRIPT" >> /tmp/cpisp_state
echo "LINK1" >> /tmp/cpisp_state
echo $LINK1_STATE >> /tmp/cpisp_state
echo "LINK2" >> /tmp/cpisp_state
echo $LINK2_STATE >> /tmp/cpisp_state
echo "--------------------------" >> /tmp/cpisp_state
echo " " >> /tmp/cpisp_state
# Check if the Link is up or down
# Link 2 down: send every destination through DYN_ISP_Vodafone, empty DYN_ISP_Colt
if ($LINK2_STATE == "down") then
    # flush the dynamic-object cache so the new ranges take effect
    fw tab -t dynobj_cache -x -y
    dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -a
    dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -d
    dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 0.0.0.0 -a
endif
# Link 1 down: send every destination through DYN_ISP_Colt, empty DYN_ISP_Vodafone
if ($LINK1_STATE == "down") then
    fw tab -t dynobj_cache -x -y
    dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -a
    dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -d
    dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 0.0.0.0 -a
endif
# if both Links are up, return to Load Sharing (both objects match every destination)
if (($LINK1_STATE == "up") && ($LINK2_STATE == "up")) then
    fw tab -t dynobj_cache -x -y
    dynamic_objects -o DYN_ISP_Colt -r 0.0.0.0 255.255.255.255 -a
    dynamic_objects -o DYN_ISP_Vodafone -r 0.0.0.0 255.255.255.255 -a
endif
We can confirm it is a NAT issue because if we replace the above NAT rules with others that use “any” instead of the dynamic object as the “Original Destination”, it works, but not for the secondary ISP.
Current setup: 2 x 4200 gateways running R77.30 -> Multi-ISP Working
New setup: 2 x 5200 gateways running R80.10 Jumbo hotfix take169 -> Multi-ISP not working.
Regards.
What does the dynamic_objects -l command say on both sets of gateways?
They showed 0.0.0.0 0.0.0.0. It looks like the script is not correctly updating the objects. I triggered the script manually by disabling one of the ISPs. That script is working in the current gateways. Any changes on R80.10?
On Sat, 23 Feb 2019, 12:31 Dameon Welch-Abernathy, <
Not aware of any changes here.
It might be worth a TAC case.
We managed to get the dynamic_objects working and now outgoing traffic is working, however incoming traffic for static NATs using the secondary ISP no longer works. This was working prior to the upgrade. Any ideas?
dynamic_objects -l looks like this:
object name : DYN_ISP_Vodafone
range 0 : 0.0.0.0 255.255.255.255
object name : DYN_ISP_Colt
range 0 : 0.0.0.0 255.255.255.255
Regards.
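As an added example (not code from the thread or from Check Point), a small bash checker that parses a dynamic_objects -l listing like the one above and compares each object's range 0 with what the modified cpisp_update block is meant to set for the given link states. It assumes the listing format shown in the post and the LINK1 = Vodafone, LINK2 = Colt mapping implied by the script.

```bash
# Added example, not from the thread: verify that the dynamic objects hold
# the ranges the modified cpisp_update block is meant to set for the
# current ISP link states. Assumes the `dynamic_objects -l` format shown
# in the post and the LINK1 = Vodafone, LINK2 = Colt mapping in the script.

FULL="0.0.0.0 255.255.255.255"   # object matches every destination
EMPTY="0.0.0.0 0.0.0.0"          # object matches nothing useful

# expected_range OBJECT LINK1_STATE LINK2_STATE -> range the script sets
expected_range() {
    case "$1:$2:$3" in
        DYN_ISP_Vodafone:up:down) echo "$FULL" ;;   # Colt down: all via Vodafone
        DYN_ISP_Colt:up:down)     echo "$EMPTY" ;;
        DYN_ISP_Vodafone:down:up) echo "$EMPTY" ;;  # Vodafone down: all via Colt
        DYN_ISP_Colt:down:up)     echo "$FULL" ;;
        DYN_ISP_*:up:up)          echo "$FULL" ;;   # both up: load sharing
        *) echo "unsupported state $2/$3 for $1" >&2; return 1 ;;
    esac
}

# actual_range LISTING OBJECT -> "range 0" of OBJECT, or exit 1 if absent
actual_range() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^object name/ { cur = $NF }
        /^range 0/ && cur == want { print $(NF-1), $NF; found = 1 }
        END { exit !found }'
}

# check_dynobj LISTING LINK1_STATE LINK2_STATE -> 0 if both objects match
check_dynobj() {
    local listing=$1 l1=$2 l2=$3 rc=0 obj want got
    for obj in DYN_ISP_Vodafone DYN_ISP_Colt; do
        want=$(expected_range "$obj" "$l1" "$l2") || return 1
        if ! got=$(actual_range "$listing" "$obj"); then
            echo "$obj: not present in listing"; rc=1; continue
        fi
        if [ "$got" != "$want" ]; then
            echo "$obj: has '$got', expected '$want'"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the listing posted above, taken with both links up.
SAMPLE='object name : DYN_ISP_Vodafone
range 0 : 0.0.0.0 255.255.255.255
object name : DYN_ISP_Colt
range 0 : 0.0.0.0 255.255.255.255'
```

Against a live gateway, call `check_dynobj "$(dynamic_objects -l)" "$LINK1_STATE" "$LINK2_STATE"` from inside the script; a non-zero result with the printed mismatch shows which object the script failed to update.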
Did you open a TAC case as I previously suggested?
Yes, I have an open case but in parallel wanted to get more options while the support team finds out what's going on.