seginf_jfce
Participant

Two ISP's with two appliances 4800 R80.10

Hello guys,

My scenario is as follows: I have two 4800 appliances and now two different ISPs. Each ISP connects to only 1 gateway. Can I work with both in active/standby? Remembering that each ISP connects to 1 gateway and not both. Does ISP redundancy do this? I would like to leave a working ISP and, if it goes offline, the backup goes online. My biggest doubt is whether, if the main ISP that is on the active gateway goes down, there will be a connection through the other ISP on the standby firewall.

My solution:

- 2 Check Point 4800 appliances;

- R80.10 version firewall and management;

Thanks.

15 Replies
PhoneBoy
Admin

This exact question came up here: https://community.checkpoint.com/thread/10663-checkpoint-cluster-failover-query 

TL;DR: It doesn't work that way.

G_W_Albrecht
Legend

Easy - use HA Cluster and ISP redundancy !

- if the active cluster node fails, standby will take over, keeping the primary ISP

- if primary ISP fails, secondary will take over

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
seginf_jfce
Participant

Will the ISP redundancy work with the schema that each ISP is physically connected on only 1 appliance?

The scenario is:

Firewall 1 -> ISP 1

Firewall 2 -> ISP 2

Only 1 port per ISP on 1 firewall and not both ISPs are on both appliances.

If the active firewall 1 fails, which has ISP 1 connected, will traffic be thrown to Firewall 2, which does not have ISP 1 connected?

0 Kudos
PhoneBoy
Admin

No, this is not a supported configuration.

Please refer to the thread I linked previously, which discusses this exact issue.

seginf_jfce
Participant

That's what I thought. I have to physically connect the two ISPs on both appliances for redundancy.

Thanks everyone.

0 Kudos
Aidan_Luby
Collaborator

Are the firewalls in the same location? We connect our ISP's to a switch then you can connect those WAN VLAN's to both the firewall appliances. If your ISP's both only give you one IP you can still use those just as the VIP's then use a different addressing scheme for the physical IP's.

So you can have ISP1 > Switch on vlan 1 > both checkpoints on VLAN 1 and setup physical IP's and a VIP for this vlan then do the same with a different VLAN/IP's for the other ISP connection.

seginf_jfce
Participant

Hello Aidan,

The topology will look like this: ISP 1, located on DC1, connected to a core switch in VLAN X which in turn will connect to port X of FW1. ISP 2, located on DC2, connected to a core switch on the VLAN Y which in turn will connect to the FW2's X port. These switches are stacked, that is, they are part of the same "unit". In this way, what is the best approach for both ISPs to be connected, whether redundant or active?

Firewalls in active/standby mode or active/active ?

And about configuration of rules, NATs, static routes ?

Thanks.

0 Kudos
G_W_Albrecht
Legend

This is an unsupported configuration and ClusterXL will not work. Please explain why you can not use a standard ClusterXL ISP Redundancy / LS configuration!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
seginf_jfce
Participant

As I explained above, can I use ISP Redundancy? ISPs arrive on each side, connected to VLANs -> FW?

0 Kudos
PhoneBoy
Admin

ISP Redundancy requires both ISPs to be reachable from both gateways.

If that is not the case with your configuration, it will not work.

0 Kudos
seginf_jfce
Participant

Even if every ISP has reach to the other side via switch/VLAN? The core stack is interconnected between the DCs via fiber channel.

0 Kudos
PhoneBoy
Admin

If the switch/VLAN configuration allow both gateways to reach both ISPs, then yes.

A proposed network diagram would be helpful to confirm.

0 Kudos
seginf_jfce
Participant

Topology

0 Kudos
PhoneBoy
Admin

It looks as if that should work.

0 Kudos
HristoGrigorov

Be careful when you are thinking what you define as ISP being "offline".

It is either a problem on the physical layer (the port goes down for whatever reason) or on the protocol layer (the default gateway or any other hop along the path fails). The first one is in fact the best thing to happen. The second one will require that you monitor certain hosts on the Internet and initiate fail-over should certain criteria be satisfied.

0 Kudos
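A sketch of the two failure classes described in the reply above, as an added example that is not from this thread and not Check Point's own ISP Redundancy code: a per-ISP monitor that treats a port-down event as an immediate failure, but treats probe-host failures as a criterion that must hold for a number of consecutive cycles before the path is declared down and traffic is moved to the backup ISP. The probe host names, thresholds and monitoring cycles are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class IspMonitor:
    name: str
    probe_hosts: list           # hosts probed through this ISP (constructed names)
    min_reachable: int = 1      # criterion: at least this many probes must answer
    fail_threshold: int = 2     # consecutive failed cycles before declaring the path down
    consecutive_failures: int = 0
    state: str = "up"

    def evaluate(self, link_up: bool, probe_results: dict) -> str:
        """Return 'up', 'link_down' or 'path_down' for this monitoring cycle."""
        if not link_up:
            self.consecutive_failures = self.fail_threshold  # physical layer: act at once
            self.state = "link_down"
        elif sum(probe_results.get(h, False) for h in self.probe_hosts) >= self.min_reachable:
            self.consecutive_failures = 0
            self.state = "up"
        else:
            self.consecutive_failures += 1   # path failure: wait for the hysteresis count
            if self.consecutive_failures >= self.fail_threshold:
                self.state = "path_down"
        return self.state

def choose_active(primary: IspMonitor, backup: IspMonitor) -> str:
    # Primary whenever it is up, else the backup, else "none" (both ISPs down)
    if primary.state == "up":
        return primary.name
    return backup.name if backup.state == "up" else "none"

# Constructed monitoring cycles: (ISP1 link, ISP1 probes, ISP2 link, ISP2 probes)
OK1 = {"probe-a.example": True, "probe-b.example": True}
BAD1 = {"probe-a.example": False, "probe-b.example": False}
OK2 = {"probe-c.example": True}
SAMPLE_CYCLES = [
    (True, OK1, True, OK2),    # normal operation
    (True, BAD1, True, OK2),   # path failure, cycle 1 of 2: still on ISP1
    (True, BAD1, True, OK2),   # cycle 2: ISP1 declared path_down, fail over
    (False, {}, True, OK2),    # ISP1 port down: link_down, no waiting
    (True, OK1, True, OK2),    # ISP1 healthy again: fail back
]

def simulate(cycles=SAMPLE_CYCLES) -> list:
    # Run the cycles and return the active ISP chosen after each one
    isp1 = IspMonitor("ISP1", ["probe-a.example", "probe-b.example"])
    isp2 = IspMonitor("ISP2", ["probe-c.example"])
    chosen = []
    for link1, res1, link2, res2 in cycles:
        isp1.evaluate(link1, res1)
        isp2.evaluate(link2, res2)
        chosen.append(choose_active(isp1, isp2))
    return chosen
```

The hysteresis count is what keeps a single lost probe from flapping traffic between ISPs, while a port-down event needs no such delay.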