Dual ISP and SIC management
Hello mates,
I need your advice. The customer has a 3600 HA cluster which is managed over the Internet via public IP, so SIC and policy install go from the SMS to the cluster via the cluster's external public IP.
Now the fun part. They have two ISPs, with two separate IP pools. Is there any way to configure management SIC or the gateway object to use either ISP for management? I know what happens if ISP A fails; is there a way to transfer SIC and policy install to ISP B?
When ISP A fails:
Do some manual DNAT for the GW IP on the SMS side? Redirect the traffic to ISP B?
Change the IP of the cluster in SmartConsole and install?
Accepted Solutions
I would change the Main IP of the cluster in this case and push policy.
Assuming the SMS IP doesn't change, that should be all that is required.
What is doing the ISP Redundancy/NAT in this case: a Check Point gateway or something else?
Either way, this SK is probably relevant: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
To be clear, SIC is based on certificates, so doesn’t care so much about the IP used.
However, the IP the gateway connects to for logging and the IP allowed via implied rules is definitely relevant.
I suspect this will require modifying the masters file to achieve (mentioned in the above SK), though I’m not 100% sure you can specify two IPs for management.
Currently there is no NAT in place; the SMS has a public IP and the GW cluster has two external interfaces with two public IPs, one from each ISP. ISP load balancing is configured on the CP cluster. The cluster's main IP is from ISP A, so policy install and SIC communication go to the ISP A public IPs. The question is what happens if ISP A fails? How do I install policy via the ISP B public IP?
My assumption, which might work when ISP A fails:
Do some temporary manual DNAT (x.x.x.x from ISP A to y.y.y.y from ISP B) for the connection from the SMS to the GW,
or change the IP of the cluster to the public IP from ISP B in SmartConsole and try to install policy?
I can confirm that it's working: just change the IP of the cluster and its members and you are good to go, then install policy. Thanks.
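The manual step the thread settles on (set the cluster's main IP and each member's IP to the ISP B addresses, publish, install policy) can be scripted against the Check Point Management API (`/web_api`). The following is an added example written for this page; it is not code from the thread or from Check Point. Everything in it is a placeholder: the SMS hostname `sms.example.net`, the API credentials, the object names `3600-Cluster`, `3600-A` and `3600-B`, the policy package `Standard`, and the ISP B addresses taken from the 203.0.113.0/24 documentation range. The `members.update` shape passed to `set-simple-cluster` is my recollection of the API reference, so confirm it against the `api_docs` on your own SMS before relying on it. SIC is certificate based and is deliberately not touched; only the addresses the SMS connects to (and the implied rules derived from them) change. The reachability pre-check is done from wherever the script runs, so run it on the SMS itself (or a host with the same path to the gateway) for the check to mean anything.

```python
#!/usr/bin/env python3
"""Added example (not from the CheckMates thread or from Check Point):
re-point management at the ISP B addresses via the Check Point Management API.

All hostnames, credentials, object names and IPs below are constructed
placeholders. The members.update shape for set-simple-cluster is assumed
from memory of the API reference; verify it against your SMS api_docs."""
import json
import socket
import ssl
import time
import urllib.request

MGMT_HOST = "sms.example.net"      # placeholder SMS FQDN (assumption)
API_USER = "apiadmin"              # placeholder API user (assumption)
API_PASS = "changeme"              # placeholder; load from a vault in practice
CLUSTER = "3600-Cluster"           # placeholder cluster object name
POLICY = "Standard"                # placeholder policy package name
# ISP B public IPs: constructed, TEST-NET-3 documentation range
ISP_B_VIP = "203.0.113.10"
ISP_B_MEMBERS = {"3600-A": "203.0.113.11", "3600-B": "203.0.113.12"}
CPD_PORT = 18191                   # port the SMS uses for policy install


def plan_failover(cluster, vip, member_ips, policy):
    """Ordered (command, body) list that moves management to ISP B.
    Pure function so the plan can be reviewed and tested offline.
    No SIC reset: SIC is certificate based and survives the IP change."""
    members = [{"name": n, "ipv4-address": ip}
               for n, ip in sorted(member_ips.items())]
    return [
        ("set-simple-cluster", {
            "name": cluster,
            "ipv4-address": vip,
            "members": {"update": members},   # assumed request shape
        }),
        ("publish", {}),
        ("install-policy", {
            "policy-package": policy,
            "targets": [cluster],
            "access": True,
            "threat-prevention": True,
        }),
    ]


def reachable(host, port=CPD_PORT, timeout=3.0):
    """Pre-check: can we open the policy-install port on the new address?
    If ISP B is down as well there is no point changing the object."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable or timed out
        return False


class MgmtSession:
    """Minimal /web_api client: login, call, poll task, logout."""

    def __init__(self, host, verify_tls=True):
        self.base = f"https://{host}/web_api/"
        # Keep TLS verification on; the SMS certificate should be trusted
        # explicitly rather than ignored.
        self.ctx = (ssl.create_default_context() if verify_tls
                    else ssl._create_unverified_context())
        self.sid = None

    def call(self, command, body):
        req = urllib.request.Request(self.base + command,
                                     data=json.dumps(body).encode(),
                                     method="POST")
        req.add_header("Content-Type", "application/json")
        if self.sid:
            req.add_header("X-chkp-sid", self.sid)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as r:
            return json.loads(r.read())

    def __enter__(self):
        self.sid = self.call("login", {"user": API_USER,
                                       "password": API_PASS})["sid"]
        return self

    def __exit__(self, *exc):
        try:
            self.call("logout", {})
        finally:
            self.sid = None

    def wait_task(self, task_id, poll=5):
        """install-policy returns a task-id; poll show-task until done."""
        while True:
            task = self.call("show-task", {"task-id": task_id})["tasks"][0]
            if task["status"] != "in progress":
                return task["status"]
            time.sleep(poll)


def failover_to_isp_b():
    # Policy install goes to each member, so check every new member IP.
    for name, ip in ISP_B_MEMBERS.items():
        if not reachable(ip):
            raise SystemExit(f"{name} ({ip}:{CPD_PORT}) not reachable; aborting")
    with MgmtSession(MGMT_HOST) as s:
        for cmd, body in plan_failover(CLUSTER, ISP_B_VIP, ISP_B_MEMBERS, POLICY):
            result = s.call(cmd, body)
            if cmd == "install-policy":
                print("install-policy:", s.wait_task(result["task-id"]))


if __name__ == "__main__":
    failover_to_isp_b()
```

Failing back to ISP A is the same plan with the ISP A addresses. Because the gateway's logging destination and the implied management rules are derived from the object's IPs, the policy install at the end is what actually re-establishes the log connection, so do not skip it.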
Hi,
Once ISP1 goes down, do I always need to change the main IP of the gateway in SmartConsole to push the policy or to make sure the gateway sends logs? Is there any automatic method for that?
BR
Ercan
Unfortunately, not at this time.
Note that when the primary ISP goes down, the gateway should store logs locally until the primary ISP comes back up and can re-establish a logging connection.
This means the logs won't actually be lost; they will just not be available while ISP2 is the active one.