This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
velo
Collaborator
yesterday

Second ISP

I have a pair of 6200s that I want to add a second ISP. It has a couple of VPNs configured on it to other Checkpoints I manage. My plan is this:

  1. Under the default route there is the option to add multiple next hops with with different priority. I will make the primary as priority as 1 and the backup as 10. I will choose to monitor the default gateway of each next hop.
  2. Setup Link Selection with probing under IPSEC

Any issues seen with this?

Thanks

0 Kudos
9 Replies
PhoneBoy
Admin
Admin
yesterday

Does this gateway have any user traffic?
Possible you may need ISP Redundancy here.

0 Kudos
velo
Collaborator
yesterday
In response to PhoneBoy

Yes it has outbound user traffic (internet browsing)  Won't this be taken care of my a second default route? Can you clarify what you mean?

Thanks

0 Kudos
PhoneBoy
Admin
Admin
yesterday
In response to velo

If you have user traffic, you'll likely have to deal with NAT (HIDE NAT in particular).
As NAT rules in SmartConsole cannot be made "per-ISP" (different NAT for different ISP), you need to use ISP Redundancy or Quantum SD-WAN.

0 Kudos
velo
Collaborator
yesterday
In response to PhoneBoy

Thanks. What is the section about "Configure the Cluster to be the DNS server" That makes no sense to me.. Seems like it's not relevant. 

To configure this on SMB firewalls is very easy, you just setup IPSEC link selection for VPNs, and NAT etc just work fine.

0 Kudos
the_rock
Legend
Legend
yesterday

How many external IPs? Or to be precise, how many external interfaces?

Andy

0 Kudos
velo
Collaborator
yesterday
In response to the_rock

Hey Andy

Just two. I have one now and am adding a second one.

Thanks

0 Kudos
the_rock
Legend
Legend
yesterday
In response to velo

In that case, you may need ISP redundancy.

Andy

0 Kudos
velo
Collaborator
yesterday
In response to the_rock

Thanks, I'm reading the docs. The DNS part doesn't make sense but I don't think that's relevant to my setup. I will see if I can lab it. 

Can you explain what I will need to do for outbound NATs? If I have the box ticked under "NAT" to hide internal networks behind Gateway, will this take care of all outbound NAT when there is a failover?

Thanks

Thanks

0 Kudos
the_rock
Legend
Legend
yesterday
In response to velo

Yes, either you can do it that way or with manual nat, whichever works.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events