Second ISP

velo

I have a pair of 6200s that I want to add a second ISP. It has a couple of VPNs configured on it to other Checkpoints I manage. My plan is this:

Under the default route there is the option to add multiple next hops with with different priority. I will make the primary as priority as 1 and the backup as 10. I will choose to monitor the default gateway of each next hop.
Setup Link Selection with probing under IPSEC

Any issues seen with this?

Thanks

PhoneBoy

Does this gateway have any user traffic?
Possible you may need ISP Redundancy here.

velo

Yes it has outbound user traffic (internet browsing) Won't this be taken care of my a second default route? Can you clarify what you mean?

Thanks

PhoneBoy

If you have user traffic, you'll likely have to deal with NAT (HIDE NAT in particular).
As NAT rules in SmartConsole cannot be made "per-ISP" (different NAT for different ISP), you need to use ISP Redundancy or Quantum SD-WAN.

velo

Thanks. What is the section about "Configure the Cluster to be the DNS server" That makes no sense to me.. Seems like it's not relevant.

To configure this on SMB firewalls is very easy, you just setup IPSEC link selection for VPNs, and NAT etc just work fine.

the_rock

How many external IPs? Or to be precise, how many external interfaces?

Andy

velo

Hey Andy

Just two. I have one now and am adding a second one.

Thanks

the_rock

In that case, you may need ISP redundancy.

Andy

velo

Thanks, I'm reading the docs. The DNS part doesn't make sense but I don't think that's relevant to my setup. I will see if I can lab it.

Can you explain what I will need to do for outbound NATs? If I have the box ticked under "NAT" to hide internal networks behind Gateway, will this take care of all outbound NAT when there is a failover?

Thanks

the_rock

Yes, either you can do it that way or with manual nat, whichever works.

Andy

AmirArama

Hi,

let's put things in order.

if you want to work as "legacy", you can set two default routes with different priorities and monitoring as you said, For VPN configure the Link selection with HA. and you good to go.

Legacy, because for internet traffic you will have a failover only once the 'IP Reachability detection' monitored target is DOWN or once your DG will stop responding to ping, and you can work only in Active/Standby mode by this.

if you want to get little more advanced method, you can use ISP Redundancy which provide you the ability to use Load Sharing between the lines for outbound internet, with a couple more features.

and if you want to get the best out of your multiple lines you can consider Quantum SD-WAN, in which you can benefit from specific steering abilities Per app/DSCP/User/updatable object, etc. advanced SLA configurations, application steering, (soon - Application level QOS), different custom NAT Per ISP configured in a user friendly way. seamless failover in VPN Traffic to another SD-WAN enabled Gateways, and much more.

For any method you choose, 'Hide behind GW' should work.
if you need custom Hide to Static NAT Per ISP, you can implement it via ISP Redundancy (not very user friendly way), or via the Quantum SD-WAN Rules in Infinity portal.

Are you a member of CheckMates?

Second ISP