Good day everyone.
Setting up ISP redundancy in primary/backup mode for a few clusters, and I'm wondering what the correct approach is for the advanced\monitored hosts config.
Primary link is a DIA circuit from AT&T, and backup link is a cable modem from Comcast.
For the monitored hosts, are these just universally reachable targets like 8.8.8.8? Or more targeted, like the AT&T DNS server for link 1 and the Comcast DNS server for link 2?
Appreciate any insight.
Thanks.
Just use Google DNS, I had a few customers do it and it works fine. Fortinet does the same thing. But yes, you could use targeted ones as well.
Thanks, but maybe I'm not understanding how this works. Currently eth4 is the primary DIA link, and eth5 is the backup cable modem. I added the Cogent DNS server as the primary monitored host, and the Comcast DNS server as the backup monitored host. After pushing policy, I'm seeing the attached - ICMP requests to both of the monitored hosts sourced only from eth4.
I assumed I would see eth4 polling its monitored host, and eth5 polling Comcast? Does this seem correct?
Thanks
I'm pretty positive what you got is right... you won't see anything on the backup link, that's totally normal. It's sort of like if you configured, say, BGP on a cluster: show bgp peers would only show established on master, never on backup.
If you run ISP redundancy in LoadSharing mode, both links are using their configured monitored hosts for probing. With HA it works as @the_rock mentioned.
Gents, thanks for the help, it seems like it's working normally. Next time I'm at that location I'll pull the cable and see if it does what it should.
@D_TK With "fw isp_link <Name of ISP link> {up | down}" you can change the state of one of the ISP links to test failover.