This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
velo
Collaborator
‎2025-02-21 10:30 AM
Jump to solution

Second ISP

I have a pair of 6200s that I want to add a second ISP. It has a couple of VPNs configured on it to other Checkpoints I manage. My plan is this:

  1. Under the default route there is the option to add multiple next hops with with different priority. I will make the primary as priority as 1 and the backup as 10. I will choose to monitor the default gateway of each next hop.
  2. Setup Link Selection with probing under IPSEC

Any issues seen with this?

Thanks

0 Kudos
1 Solution

Accepted Solutions
AmirArama
Employee
Employee
‎2025-02-23 02:01 AM
Jump to solution

Hi,

let's put things in order.

if you want to work as "legacy", you can set two default routes with different priorities and monitoring as you said, For VPN configure the Link selection with HA. and you good to go.

Legacy, because for internet traffic you will have a failover only once the 'IP Reachability detection' monitored target is DOWN or once your DG will stop responding to ping, and you can work only in Active/Standby mode by this.

if you want to get little more advanced method, you can use ISP Redundancy which provide you the ability to use Load Sharing between the lines for outbound internet, with a couple more features. 

and if you want to get the best out of your multiple lines you can consider Quantum SD-WAN, in which you can benefit from specific steering abilities Per app/DSCP/User/updatable object, etc. advanced SLA configurations, application steering, (soon - Application level QOS), different custom NAT Per ISP configured in a user friendly way. seamless failover in VPN Traffic to another SD-WAN enabled Gateways, and much more.

 

For any method you choose, 'Hide behind GW' should work.
if you need custom Hide to Static NAT Per ISP, you can implement it via ISP Redundancy (not very user friendly way), or via the Quantum SD-WAN Rules in Infinity portal.

View solution in original post

0 Kudos
14 Replies
PhoneBoy
Admin
Admin
‎2025-02-21 02:17 PM
Jump to solution

Does this gateway have any user traffic?
Possible you may need ISP Redundancy here.

0 Kudos
velo
Collaborator
‎2025-02-21 02:59 PM
In response to PhoneBoy
Jump to solution

Yes it has outbound user traffic (internet browsing)  Won't this be taken care of my a second default route? Can you clarify what you mean?

Thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2025-02-21 03:30 PM
In response to velo
Jump to solution

If you have user traffic, you'll likely have to deal with NAT (HIDE NAT in particular).
As NAT rules in SmartConsole cannot be made "per-ISP" (different NAT for different ISP), you need to use ISP Redundancy or Quantum SD-WAN.

(1)
velo
Collaborator
‎2025-02-21 03:51 PM
In response to PhoneBoy
Jump to solution

Thanks. What is the section about "Configure the Cluster to be the DNS server" That makes no sense to me.. Seems like it's not relevant. 

To configure this on SMB firewalls is very easy, you just setup IPSEC link selection for VPNs, and NAT etc just work fine.

0 Kudos
the_rock
Legend
Legend
‎2025-02-21 03:03 PM
Jump to solution

How many external IPs? Or to be precise, how many external interfaces?

Andy

0 Kudos
velo
Collaborator
‎2025-02-21 03:36 PM
In response to the_rock
Jump to solution

Hey Andy

Just two. I have one now and am adding a second one.

Thanks

0 Kudos
the_rock
Legend
Legend
‎2025-02-21 03:50 PM
In response to velo
Jump to solution

In that case, you may need ISP redundancy.

Andy

0 Kudos
velo
Collaborator
‎2025-02-21 03:54 PM
In response to the_rock
Jump to solution

Thanks, I'm reading the docs. The DNS part doesn't make sense but I don't think that's relevant to my setup. I will see if I can lab it. 

Can you explain what I will need to do for outbound NATs? If I have the box ticked under "NAT" to hide internal networks behind Gateway, will this take care of all outbound NAT when there is a failover?

Thanks

Thanks

0 Kudos
the_rock
Legend
Legend
‎2025-02-21 05:10 PM
In response to velo
Jump to solution

Yes, either you can do it that way or with manual nat, whichever works.

Andy

0 Kudos
(1)
AmirArama
Employee
Employee
‎2025-02-23 02:01 AM
Jump to solution

Hi,

let's put things in order.

if you want to work as "legacy", you can set two default routes with different priorities and monitoring as you said, For VPN configure the Link selection with HA. and you good to go.

Legacy, because for internet traffic you will have a failover only once the 'IP Reachability detection' monitored target is DOWN or once your DG will stop responding to ping, and you can work only in Active/Standby mode by this.

if you want to get little more advanced method, you can use ISP Redundancy which provide you the ability to use Load Sharing between the lines for outbound internet, with a couple more features. 

and if you want to get the best out of your multiple lines you can consider Quantum SD-WAN, in which you can benefit from specific steering abilities Per app/DSCP/User/updatable object, etc. advanced SLA configurations, application steering, (soon - Application level QOS), different custom NAT Per ISP configured in a user friendly way. seamless failover in VPN Traffic to another SD-WAN enabled Gateways, and much more.

 

For any method you choose, 'Hide behind GW' should work.
if you need custom Hide to Static NAT Per ISP, you can implement it via ISP Redundancy (not very user friendly way), or via the Quantum SD-WAN Rules in Infinity portal.

0 Kudos
velo
Collaborator
‎2025-02-25 02:34 PM
In response to AmirArama
Jump to solution

Thanks a lot for the detailed response. In the end I ended up using a second default route next hop, combined with IP Reachability Detection. I think setup the Link Monitoring under IPSEC. I also have the box ticked under NAT to hide behind Gateway.

Everything worked great an as expected. 

Thanks

the_rock
Legend
Legend
‎2025-02-25 02:40 PM
In response to velo
Jump to solution

Great job! btw, just be careful with NAT setting, as it is global. if you wish to nat certain networks, do it from the net object itself and make sure disable nat is unchecked within community.

Andy

0 Kudos
velo
Collaborator
‎2025-02-25 02:42 PM
In response to the_rock
Jump to solution

Thanks! 🙂 Yep, understood. Lucky this site is quite straightforward. 

the_rock
Legend
Legend
‎2025-02-25 02:52 PM
In response to velo
Jump to solution

Great! Anywho, just something below to keep in mind 🙂

Andy

Disable NAT Inside the VPN Community

Even if NAT is configured it is possible to disable NAT inside the VPN community. If NAT is disabled, when a host behind a community member opens a connection with another host behind a community member, the original IP addresses are used. Other connections use the translated address.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events