Destel
Explorer

Static NAT and ISP redundancy

Colleagues, good afternoon.

We have many offices where Check Point works as the gateway. Versions R77.20 and R77.30.

The offices have DMZ networks. Most often there are two of them: a guest network (Wi-Fi) and a network for meeting rooms. It is required that guests access the Internet from alternative external addresses (not the same ones as corporate employees).

For a given network, we can selectively configure which address PAT will work from; there are no problems with this.

In Check Point SmartDashboard, we create a network, then "Network properties" -> tab "NAT" -> check "Hide behind IP Address" -> <set the IP address>. Install Policy.

(screenshot attached: NAT.PNG)


But many offices have 2 providers connected (for ISP redundancy). Nodes switch from ISP01 to ISP02 without any problems if ISP01 is unavailable. But when an external IP address (ISP01) is specified in PAT for the DMZ network, there is a chance that in the event of a failure, ISP01 will not switch to the standby (ISP02), since the ISP01 address is specified in PAT. In effect, the DMZ network will work without a backup provider.

I tried to create 2 networks, N_CHK01_DMZ and N_CHK01_DMZ2 with the same local address (let's say 172.30.72.0/24) and a different PAT address (ISP01 and ISP02). This method did not allow the policy to be installed.

(screenshot attached: ERROR.png)

What other solutions to this problem are there? The DMZ network must be able to switch from ISP01 to ISP02 automatically.

0 Kudos
5 Replies
_Val_
Admin

This is not how you should do it. Read sk34812 and drill down from there to make the correct configuration.

Also, all versions below R80.10 have been out of support for a long time now. You probably want to upgrade.


0 Kudos
Destel
Explorer

Thank you, I read sk34812.

NAT in the company is working fine (works via "Automatic Hide NAT").

(screenshots attached: FwPolicy_J2vVEmNDNZ.png, FwPolicy_ZDXn6aNPBO.png)

We are talking about individual networks that need to go out through an IP address other than the default gateway IP address.

(screenshots attached: eWnxbrvLfo.png, PAK5M1BASa.png)

Users from the N_CHK01_DMZ network (172.30.72.0/24) successfully access the Internet via the alternative ISP01 address 95.78.xxx.xxx (not the default gateway IP address).

Automatic Static NAT also works for the DMZ network (I set an external ISP01 IP address other than the default gateway IP address), but if ISP01 is unavailable, it does not automatically switch to ISP02. We would have to manually change the parameters of N_CHK01_DMZ and install the policy on the node. After ISP01 starts working again, we would have to manually change the parameters of N_CHK01_DMZ again and install the policy on the node.

We cannot upgrade the equipment to R80.10 yet (the boss does not see the need).

0 Kudos
_Val_
Admin

Not sure this would work out of the box on R8x either.

The issue is, to achieve NAT Hide on a non-GW IP, you need to use a Dynamic object for the active ISP NAT-Hide address in the NAT rule, and that IP should be changed when failover happens. Even there, there might be an issue with an automatic ARP after failover.

We have a SecureKnowledge article describing ranges for ISPr and scripts to switch those in case of failover. It is sk174197.

This might work for you, if you replace a range with a single non-GW IP address (effectively a /32 range).

Concerning the management decision, having the ability to open a support case should be enough reason for me. Do you even have a support contract in place?

(1)
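To make the "Dynamic object switched on failover" idea from the reply above concrete, here is an added example script; it is not code from the thread, from Check Point, or from sk174197. It assumes the DMZ Hide NAT rule references a Dynamic Object named DMZ_HIDE_IP instead of a fixed address, that the two ISP Redundancy links are named ISP01 and ISP02, that the gateway's failover hook (assumed here to be $FWDIR/bin/cpisp_update) calls the script with the name of the link that has just become active, and that the object was created once on the gateway with dynamic_objects -n DMZ_HIDE_IP. The two Hide NAT addresses are constructed documentation-range placeholders.

```shell
#!/bin/bash
# Added example for this thread, not code from Check Point or from sk174197.
# Assumptions (not stated in the thread): the DMZ Hide NAT rule references a
# Dynamic Object named DMZ_HIDE_IP rather than a fixed address, the object
# already exists on the gateway (dynamic_objects -n DMZ_HIDE_IP), and the ISP
# Redundancy failover hook (assumed: $FWDIR/bin/cpisp_update) invokes this as
#   isp_nat_switch.sh <name-of-link-that-became-active>

# Constructed placeholder addresses (RFC 5737 documentation ranges): one
# non-gateway Hide NAT address per ISP link.
ISP01_HIDE_IP="198.51.100.10"
ISP02_HIDE_IP="203.0.113.10"
DYN_OBJECT="DMZ_HIDE_IP"
# Command that edits dynamic objects on the gateway; overridable so the logic
# can be dry-run off-box (DYNOBJ_CMD=echo).
DYNOBJ_CMD="${DYNOBJ_CMD:-dynamic_objects}"

# Map an ISP link name to the Hide NAT address the DMZ should leave from.
hide_ip_for_link() {
    case "$1" in
        ISP01) echo "$ISP01_HIDE_IP" ;;
        ISP02) echo "$ISP02_HIDE_IP" ;;
        *)     return 1 ;;
    esac
}

# Point the dynamic object at the address of the link that is now active.
# "dynamic_objects -o <obj> -r <from> <to> -a" adds an address range to the
# object and "-d" removes one; a single address is a /32-style range.
switch_dmz_hide_ip() {
    link="$1"
    new_ip=$(hide_ip_for_link "$link") || {
        echo "unknown ISP link: $link" >&2
        return 1
    }
    # Drop whichever address was there before (a failure means it was absent).
    for old_ip in "$ISP01_HIDE_IP" "$ISP02_HIDE_IP"; do
        "$DYNOBJ_CMD" -o "$DYN_OBJECT" -r "$old_ip" "$old_ip" -d 2>/dev/null || true
    done
    "$DYNOBJ_CMD" -o "$DYN_OBJECT" -r "$new_ip" "$new_ip" -a
    echo "$DYN_OBJECT now hides the DMZ behind $new_ip ($link)"
}

# Run only when invoked as the hook script, not when sourced for testing.
case "${0##*/}" in
    isp_nat_switch.sh) switch_dmz_hide_ip "$1" ;;
esac
```

Two checks before relying on this in production: the ARP concern raised in the reply still applies, so the gateway must answer ARP for both Hide addresses on their respective links (on R77 that means listing them in $FWDIR/conf/local.arp, since a dynamic object does not get the automatic proxy ARP that Automatic NAT provides; fw ctl arp shows what the gateway is currently answering for); and the switch-over should be exercised deliberately with fw isp_link ISP01 down and back up while watching where DMZ traffic leaves from, rather than waiting for a real outage.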
Destel
Explorer

Thank you so much for the answer!

I will study sk174197; I hope it will help me.

The support contract seems to have been bought, but many years ago. Most likely it is out of date.

I'm still just learning how to work with CheckPoint. For me, all this is still unfamiliar. Thank you for your help! I will try to deal with this issue. There may be a workaround.

0 Kudos
_Val_
Admin

A support contract is renewed every year to stay valid. And if you are indeed paying for that, staying on an unsupported version is a bit... silly 🙂

0 Kudos