Open Frames Download Complete PDF Send Feedback Print This Page

Previous

Next

ISP Redundancy

In This Section:

ISP Redundancy Modes

SmartDashboard Toolbar

Configuring ISP Redundancy

Make Internet connectivity more reliable with ISP Redundancy. This connects a Security Gateway or cluster member to the Internet through redundant Internet Service Provider (ISP) links.

ISP Redundancy Modes

ISP Redundancy monitors the ISP links and chooses the best current link. You can configure this choice to be for Load Sharing or Primary/Backup.

Item

Description

1

Security Gateway

2

Link A to the ISP

3

Link B to the ISP

ISP Redundancy monitors the links and directs the connection. You can configure this choice to be for Load Sharing or Primary/Backup.

  • Load Sharing: Uses the two links with a distributed load of connections going out from the Security Gateway. Connections coming in are alternated. You can configure best relative loads for the links (set a faster link to handle more load). New connections are randomly assigned to a link. If one link fails, the other takes the load.
  • Primary/Backup: Uses one link for connections going out from the Security Gateway and coming in. It switches to the backup if the primary link fails. When the primary link is restored, new connections are assigned to it. Existing connections continue on the backup link until they are complete.

SmartDashboard Toolbar

You can use the SmartDashboard toolbar to do these actions:

Icon

Description

Open the SmartDashboard menu. When instructed to select menu options, click this button to show the menu.

For example, if you are instructed to select Manage > Users and Administrators, click this button to open the Manage menu and then select the Users and Administrators option.

Save current policy and all system objects.

Open a policy package, which is a collection of Policies saved together with the same name.

Refresh policy from the Security Management Server.

Open the Database Revision Control window.

Change global properties.

Verify Rule Base consistency.

Install the policy on Security Gateways or VSX Gateways.

Open SmartConsole.

Configuring ISP Redundancy

If you configure VPN Link Selection settings on the Security Gateway, ISP Redundancy settings override them.

To enable ISP Redundancy:

  1. Open the network object properties of the Security Gateway or cluster.
  2. Click Other > ISP Redundancy.
  3. Select Support ISP Redundancy.
  4. Select Load Sharing or Primary/Backup.
  5. Configure the links.
  6. Configure the Security Gateway to be the DNS server.
  7. Configure the policy for ISP Redundancy.

Configuring the ISP Links

Before you begin, make sure you have the ISP data - the speed of the link and next hop IP address. If the Security Gateway has only one external interface, configure two subnets on this interface. You will need routers and a switch.

If the Security Gateway has two external interfaces in the Topology page of the gateway object, you can configure the links automatically.

If the gateway is a ClusterXL cluster member, configure the two cluster members to the two ISP. Use a LAN with two interfaces. Make sure the member interfaces are on the same subnet as the cluster external interfaces.

To configure ISP links automatically:

  1. In the ISP Redundancy page, click Set initial configuration.

    The ISP Links are added automatically.

  2. For Primary/Backup, make sure the primary interface is first in the list. Use the arrows to change the order.

To configure ISP links manually:

  1. In the ISP Redundancy page, click Add.
  2. In the ISP Link window, give the link a name.

    Note the names you give here. They are used in the ISP Redundancy script and commands.

  3. Select the interface of the Security Gateway for this ISP link.
    • If the Security Gateway has two external interfaces, set each link to a different interface. If one of the ISP links is dialup connection to a backup ISP, configure the ISP Redundancy Script.
    • If the Security Gateway has only one external interface, set each ISP link to connect to this interface.
  4. Configure the next hop.
    • If the Security Gateway has two external interfaces, leave this field empty and click Get from routing table. The next hop is the default gateway.
    • If the Security Gateway has one external interface, set each ISP link to a different next hop router.
  5. For Load Sharing, enter the weight. For equal weight distribution, enter 50. If one link is faster, raise this value and lower it for the other link, so that the two equal 100.
  6. Define hosts to be monitored, to make sure the link is working. Open the Advanced tab of the ISP Link window, and select hosts to add.

Configuring Security Gateway as DNS

The Security Gateway, or a DNS server behind it, must respond to DNS queries. It resolves IP addresses of servers in the DMZ (or another internal network).

Get a routable IP address from each ISP. If routable IP addresses are not available, register the domain to make the DNS server accessible from the Internet.

To enable DNS on the Security Gateway:

  1. Select Enable DNS Proxy.

    The gateway intercepts Type A DNS queries for the web servers in its domain, that come from external hosts. If the Security Gateway recognizes the external host, it replies:

    • In Load Sharing mode, the Security Gateway replies with two addresses, alternating their order.
    • In Primary/Backup mode, the Security Gateway replies with the addresses of the active link.

    If the Security Gateway does not recognize the host, it passes the DNS query on to the original destination or to the domain DNS server.

  2. Click Configure.
  3. Add your DMZ or web servers. Give each two routable IP addresses, one for each ISP.
  4. Enter a number of seconds in DNS TTL.

    This sets a Time To Live for each DNS reply. DNS servers in the Internet cannot cache your DNS data in the reply for longer than the TTL.

  5. Configure Static NAT to translate the routable addresses to the real server address. External clients use one of the two addresses.

    Note - If the servers use different services (for example, HTTP and FTP), you can use NAT only for two routable IP addresses.

  6. Define a firewall rule: allow DNS traffic through the Security Gateway using the domain_udp service.

To register the domain and get IP addresses:

  1. Register your domain with the two ISP.
  2. Tell the ISP the two addresses of the DNS server that respond to DNS queries for the domain.
  3. For each server in the DMZ, get two routable IP addresses, one from each ISP.
  4. In SmartDashboard, open Global Properties > NAT and select Manual NAT rules - Translate destination on client side.

Configure the Firewall

The Firewall must allow connections through the ISP links, with Automatic Hide NAT on network objects that start outgoing connections.

To configure the firewall for ISP Redundancy:

  1. In the properties of the object for an internal network, select NAT > Add Automatic Address Translation Rules.
  2. Select Hide and Hide behind Gateway.
  3. Click OK.
  4. Define rules for publicly reachable servers (web servers, DNS servers, DMZ servers).

    If you have one routable IP address from each ISP for the Security Gateway, define Static NAT. Allow specific services for specific servers. For example, make rules so that incoming HTTP connections from the two ISP reach a Web server, and DNS traffic from the ISP reach the DNS server.

Example: Manual Static Rules for a Web Server and a DNS Server

 

Original

 

 

Translated

 

Comment

Source

Destination

Service

Source

Destination

Serv.

 

Any

IP of web server

http

=

10.0.0.2 (Static)

=

Incoming Web - ISP A

Any

IP of web server

http

=

10.0.0.2 (Static)

=

Incoming Web - ISP B

Any

IP of DNS server

domain_udp

=

10.0.0.3 (Static)

=

Incoming DNS - ISP A

Any

IP of DNS server

domain_udp

=

10.0.0.3 (Static)

=

Incoming DNS - ISP B

If you have a routable address from each ISP for each publicly reachable server (in addition to the Security Gateway), define NAT rules:

  1. Give each server a non-routable address.
  2. Use the routable addresses in the Original Destination.
  3. Use the non-routable address in the Translated Destination.
  4. Select Any as the Original Service.

Note - If using Manual NAT, automatic arp does not work for the NATed addresses. On Linux and SecurePlatform use local.arp. On IPSO set up Proxy ARP.

When done, install the policy.

Configuring with VPN

When ISP Redundancy is enabled, VPN encrypted connections survive a failure of an ISP link. The settings in the ISP Redundancy page override settings in the Link Selection page.

To configure ISP Redundancy with VPN on one Security Gateway:

  1. In Topology > ISP Redundancy, select Apply settings to VPN traffic.
  2. In IPsec VPN > Link Selection, see that Use ongoing probing shows the mode of the ISP Redundancy: Load Sharing or High Availability (for Primary/Backup).

    Link Selection now only probes the ISP configured in ISP Redundancy.

To configure for VPN with a third-party peer:

If the Security Gateway peer is not a Check Point computer or appliance, the VPN may fail, or the third-party device may continue to encrypt traffic to a failed link.

  • Make sure the device recognizes encrypted traffic from the secondary link as coming from the gateway.
  • Change the configuration of ISP Redundancy to not use these Check Point technologies:
    • Use Probing - Make sure that Link Selection uses another option.
    • Load Sharing, Service Based Link Selection, Route based probing - Work only on Check Point Security Gateways. If used, the Security Gateway uses one link to connect to the third-party peer. The link with the highest prefix length and lowest metric is used.

Force ISP Link State

Use the fw isp_link command to force the ISP link state to Up or Down. Use this to test installation and deployment, or to force the Security Gateway to recognize the true link state if it cannot (the ISP link is down but the gateway sees it as up).

You can run this command on the Security Gateway or the Security Management Server: fw isp_link [target-gw] <link_name> {up|down}

<link_name> is the name in the ISP Link window.

Editing the ISP Redundancy Script

When the Security Gateway starts, or an ISP link state changes, the $FWDIR/bin/cpisp_update script runs. It changes the default route of the Security Gateway. For example, you can force the Security Gateway to change the state of a dialup interface to match that state of its ISP link.

Edit this script to enable a dialup connection for one of the ISP links.

To configure a dialup connection:

  1. In the script on the Security Gateway, enter the command to change the dialup interface state:
    • If the link goes down: fw isp_link <link_name> down
    • If the link goes up: fw isp_link <link_name> up
  2. If you use PPPoE or PPTP xDSL modems, in the PPPoE or PPTP configuration of SecurePlatform, the Use Peer Gateway option must not be selected.
 
Top of Page ©2015 Check Point Software Technologies Ltd. All rights reserved. Download PDF Send Feedback Print