This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Andy1977
Explorer
‎2024-02-09 07:53 AM
Jump to solution

VPN link selection with multiple ISP on different cluster members

I'm new to Checkpoint gateway and see if someone could help to answer the below questions. Much appreciated.

Site A has a pair of gateways that formed a simple active-standby Cluster. Each gateway member has its own ISP internet connection. Only 1 internal network interface was formed HA. So the Cluster topology will look like this:

LAN1: 192.168.1.1 (Cluster VIP)
LAN2: Sync port
WAN1: 10.10.10.1 (ISP1, External, monitored private, on cluster member 1)
WAN2: 172.10.10.1 (ISP2, External, monitored private, on cluster member 2)

A star VPN community was created with standard settings to a peer firewall gateway, tunnels are permanent.

In peer gateway, an Externally Managed Checkpoint Gateway object was created for Site A and topology was defined properly. Since Site A cluster has two internet connections, in IPSec VPN > Link Selection, I selected use probing link redudancy mode in HA mode. The two IP addresses 10.10.10.1 and 172.10.10.1 are keep ongoing probing. And in Link Selection > Source IP Address Settings, it use default Automatic.

After the setup, VPN tunnels are up and all connections looks fine. But there is always 3-4 PING lost in around every 1,000 PINGS.

Q1: I found there are packet named tunnel_test from peer gateway send to Site A cluster, I believe these are packets for probing. But I didn't see Site A cluster receive any these traffic. Instead, Site A cluster drops a number of UDP 17 packets. May I know what are these UDP 17 packets for?

Q2: In Link Selection > Source IP Address Settings, should I use default Automatic or Manual > IP addresses of chosen interface when the peer cluster has two external IPs but each on different cluster member?

Q3: An Externally Managed Checkpoint Gateway object refers to a gateway or a Host which has Check Point software (Gaia) installed on it. Does this software also include Gaia Embedded? If the peer gateway is SMB, should  I still use Externally Managed Checkpoint Gateway object to define it?

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend
Legend
‎2024-02-09 10:08 AM
Jump to solution

That sounds way too complicated as @AmirArama indicated. This is how I did it in the lab on Azure and works totally fine.

Andy

 

 

Screenshot_1.png

 

 

Screenshot_2.png

View solution in original post

0 Kudos
4 Replies
AmirArama
Employee
Employee
‎2024-02-09 09:10 AM
Jump to solution

If you are using HA type cluster. Im not sure why you configured the ISPs like that. And i'm not sure it's supported configuration.

You should configure both ISPs on both members with a VIP.

so you connect ISP1 via switch or router with LAN interfaces to eth0 for example of both members. Configure physical ip and vip. Do the same for ISP2 on eth1 for example.

Configure link selection.

Install the policy.

Andy1977
Explorer
‎2024-02-10 04:34 AM
In response to AmirArama
Jump to solution

I know building HA on both ISP and use ISP redundancy is a more proper way. This is also the first approach I used but then there are packet loss between the two ISPs. At the end, I changed to each cluster member uses a different ISP and only the internal interface was HA. Running this configuration for two weeks, and so far no issue other than sometimes few PING lost in VPN tunnels. So cluster member using different ISP is not a supported configuration? I will open a support ticket for checking then. Thanks.

0 Kudos
the_rock
Legend
Legend
‎2024-02-10 05:54 AM
In response to Andy1977
Jump to solution

I am pretty sure its NOT supported, but I could be mistaken, would not be first or last time lol

Anyway, yes, your best bet is to open the support TAC case to verify.

Have a nice weekend.

Best,

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-02-09 10:08 AM
Jump to solution

That sounds way too complicated as @AmirArama indicated. This is how I did it in the lab on Azure and works totally fine.

Andy

 

 

Screenshot_1.png

 

 

Screenshot_2.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events