Colleagues, good afternoon.
We have many offices where Check Point works as a gateway. Versions R77.20 and R77.30.
The offices have DMZ networks. Most often there are two of them - a guest network (Wi-Fi) and a network for meeting rooms. It is required to make sure that guests access the Internet from alternative external addresses (not as corporate employees).
For a certain network, we can selectively configure which address PAT will work from; there are no problems with this.
In Check Point SmartDashboard, we create a network, then "Network properties" -> tab "NAT" -> mark "Hide behind IP Address" - <set the IP address>. Install the policy.
But many offices have 2 providers connected (for ISP redundancy). Nodes switch from ISP01 to ISP02 without any problems if ISP01 is unavailable. But by specifying an external IP address in PAT (ISP01) for the DMZ network, there is a chance that in the event of an ISP01 outage there will be no switchover to the standby (ISP02), since the ISP01 address is specified in PAT. In fact, the DMZ network will work without a backup provider.
I tried to create 2 networks, N_CHK01_DMZ and N_CHK01_DMZ2 with the same local address (let's say 172.30.72.0/24) and a different PAT address (ISP01 and ISP02). This method did not allow the policy to be installed.
What other solutions to this problem are there? It is necessary that the DMZ network can switch from ISP01 to ISP02 in automatic mode.