AnsweredAssumed Answered

PBRs and ISP redundancy on SMB appliances

Question asked by Pedro Espindola on Feb 15, 2018
Latest reply on Mar 9, 2018 by Pedro Espindola

Like • Show 2 Likes2
Comment • 5

Hello everyone,

I have a centrally managed 1470 appliance with 2 internet connections in High Availatbility:

1. A adsl link connected to DMZ port and ISP redundancy priority 1

2. A dedicated link connected to WAN port and ISP redundancy priority 2

Link 1 is fast and great for users, but has upload limit and is unreliable for publications. So I tried to configure a PBR for the dmz network to use link 2:

dst:Any src:172.16.30.0/24 port:Any next-hop:Link2

I also configured automatic static NAT in the corresponding object in SmartConsole.

The problem is that when the server tries to reach the internet for updates and other checks it will use the correct link for a while and then start to fail. When this happens, fw monitor shows this:

o:WAN

O:DMZ

Access from the internet to the server continues to work.

Restarting the internet connection solves the problem for a few hours.

I also tried using the external network gateway:

dst:Any src:172.16.30.0/24 port:Any next-hop:<external-gateway>

What am I doing wrong?

Günther W. Albrecht Feb 21, 2018 1:27 AM

Correct Answer

This is supported according to Check Point 1100/1200R/1400 Appliances Centrally Managed Administration Guide R77.20.75 p.58:

ISP Redundancy - supported in IPv4 connections only
Multiple Internet connections can be configured in High Availability or Load Sharing modes. When you configure more than one Internet connection, the Device > Internet page lets you toggle between these options. The Advanced setting of each Internet connection lets you configure each connection's priority or weights based on the set mode.
- Clear the Route traffic through this connection by default checkbox when you do not want this Internet connection used as a default route for this gateway. The connection is used by the device only if specific, usually service-based, routing rules are defined for it. This is commonly used when you have a connection that is used for dedicated traffic. When you clear this option, this connection does not participate in High Availability or Load Balancing.

And that is not all - i know of customers using this feature successfully, too !

See the reply in context

No one else had this question

Outcomes

Dameon Welch-Abernathy

Feb 16, 2018 1:27 PM

At least on regular appliances, ISP Redundancy and PBR are mutually exclusive.

That may be the case here... have you opened a case with TAC?

Contact Support | Check Point Software

Actions

Pedro Espindola @ Dameon Welch-Abernathy on Feb 20, 2018 10:30 AM

I see. But then why give us this option?

I will open a service request, but I wanted to open this discussion about the differences between SMB and regular appliances and the usage of these features.

Actions

Günther W. Albrecht Feb 21, 2018 1:27 AM

This is supported according to Check Point 1100/1200R/1400 Appliances Centrally Managed Administration Guide R77.20.75 p.58:

And that is not all - i know of customers using this feature successfully, too !

4 people found this helpful

Actions

Günther W. Albrecht Mar 7, 2018 4:26 AM

Did you get the issue resolved yet?

Actions

Pedro Espindola @ Günther W. Albrecht on Mar 9, 2018 6:12 AM

Yes. After I unchecked the box "Route traffic through this connection by default" the issue seems to be resolved.

Thank you very much!

Actions

5 Replies

Dameon Welch-Abernathy Feb 16, 2018 1:27 PM
Mark Correct
Correct Answer
At least on regular appliances, ISP Redundancy and PBR are mutually exclusive.
That may be the case here... have you opened a case with TAC?
Contact Support | Check Point Software
Like • Show 1 Like1
Actions
- Pedro Espindola @ Dameon Welch-Abernathy on Feb 20, 2018 10:30 AM
  Mark Correct
  Correct Answer
  I see. But then why give us this option?
  
  I will open a service request, but I wanted to open this discussion about the differences between SMB and regular appliances and the usage of these features.
  Like • Show 0 Likes0
  Actions
Günther W. Albrecht Feb 21, 2018 1:27 AM
Unmark Correct
Correct Answer
This is supported according to Check Point 1100/1200R/1400 Appliances Centrally Managed Administration Guide R77.20.75 p.58:

ISP Redundancy - supported in IPv4 connections only
Multiple Internet connections can be configured in High Availability or Load Sharing modes. When you configure more than one Internet connection, the Device > Internet page lets you toggle between these options. The Advanced setting of each Internet connection lets you configure each connection's priority or weights based on the set mode.
- Clear the Route traffic through this connection by default checkbox when you do not want this Internet connection used as a default route for this gateway. The connection is used by the device only if specific, usually service-based, routing rules are defined for it. This is commonly used when you have a connection that is used for dedicated traffic. When you clear this option, this connection does not participate in High Availability or Load Balancing.

And that is not all - i know of customers using this feature successfully, too !
4 people found this helpful
Like • Show 1 Like1
Actions
Günther W. Albrecht Mar 7, 2018 4:26 AM
Mark Correct
Correct Answer
Did you get the issue resolved yet?
Like • Show 0 Likes0
Actions
- Pedro Espindola @ Günther W. Albrecht on Mar 9, 2018 6:12 AM
  Mark Correct
  Correct Answer
  Yes. After I unchecked the box "Route traffic through this connection by default" the issue seems to be resolved.
  
  Thank you very much!
  Like • Show 1 Like1
  Actions

PBRs and ISP redundancy on SMB appliances

Outcomes

Related Content

Recommended Content

Incoming Links