Destel
Explorer

Static NAT and ISP redundancy

Colleagues, good afternoon.

We have many offices where CheckPoint works as a gateway. Version R77.20 and R77.30.

The offices have DMZ networks. Most often there are two of them - a guest network (Wi-Fi) and a network for meeting rooms. It is required to make sure that guests access the Internet from alternative external addresses (not as corporate employees).

For a certain network, we can selectively configure which address PAT will work from; there are no problems with this.

In CheckPoint SmartDashboard, we create a network, then "Network properties" -> tab "NAT" -> mark "Hide behind IP Address" - <set the IP address>. Then we install the policy.



But many offices have 2 providers connected (for ISP redundancy). Nodes switch from ISP01 to ISP02 without any problems if ISP01 is unavailable. But by specifying an external IP address in PAT (ISP01) for the DMZ network, there is a chance that in the event of an accident, ISP01 will not switch to standby (ISP02), since the ISP01 address is specified in PAT. In fact, the DMZ network will work without a backup provider.

I tried to create 2 networks, N_CHK01_DMZ and N_CHK01_DMZ2 with the same local address (let's say 172.30.72.0/24) and a different PAT address (ISP01 and ISP02). This method did not allow the policy to be installed.


What other solutions to this problem are there? It is necessary that the DMZ network can switch from ISP01 to ISP02 in automatic mode.
