Configuring ISP Redundancy on a Security Group
- Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Security Group.
- From the left navigation panel, click Gateways & Servers.
- Open the applicable Security Gateway object.
- Click Other > ISP Redundancy.
- Select Support ISP Redundancy.
- Select the redundancy mode - Load Sharing or Primary/Backup.
- Configure the ISP Links.
  Procedure
  Make sure you have the ISP data - the speed of the link and the next hop IP address.
  Automatic vs Manual configuration:
  - If the Security Gateway object has two interfaces with the Topology "External" in the Network Management page, you can configure the ISP links automatically.
    Configuring ISP links automatically
    - Click Other > ISP Redundancy.
    - Click Set initial configuration.
      The ISP Links are added automatically.
    - For Primary/Backup mode, make sure the Primary interface is first in the list. Use the arrows on the right to change the order.
    - Click OK.
  - If the Security Gateway object has only one interface with the Topology "External" in the Network Management page, you must configure the ISP links manually.
    Configuring ISP links manually
    - Click Other > ISP Redundancy.
    - In the ISP Links section, click Add.
      The ISP Link window opens.
    - Click the General tab.
    - In the Name field, enter a name for this link (any text).
      The name you enter here is used in the ISP Redundancy commands (see Controlling ISP Redundancy from CLI).
    - Select the Interface of the Security Gateway for this ISP link.
      - If the Security Gateway object has two interfaces with the Topology "External" in the Network Management page, set each ISP link to a different interface.
        If one of the ISP links is the connection to a backup ISP, configure the ISP Redundancy Script (see Controlling ISP Redundancy from CLI).
      - If the Security Gateway object has only one interface with the Topology "External" in the Network Management page, set each ISP link to connect to this interface.
    - Configure the Next Hop IP Address.
      - If the Security Gateway object has two interfaces with the Topology "External" in the Network Management page, leave this field empty and click Get from routing table. The next hop is the default gateway.
      - If the Security Gateway object has only one interface with the Topology "External" in the Network Management page, set each ISP link to a different next hop router.
    - For ISP Redundancy in Load Sharing mode, enter the Weight value.
      For equal traffic distribution between the two ISP links, enter 50 in each ISP link.
      If one ISP link is faster, increase this value and decrease it for the other ISP link, so that the sum of the two values is always 100.
    - Click the Advanced tab.
    - Define hosts to be monitored, to make sure the link is working.
      Add the applicable objects to the Selected hosts section.
    - Click OK.
- Configure the Security Gateway to be the DNS server.
  Procedure
  The Security Gateway, or a DNS server behind it, must respond to DNS queries.
  It resolves IP addresses of servers in the DMZ (or another internal network).
  Get a public IP address from each ISP.
  If public IP addresses are not available, register the domain to make the DNS server accessible from the Internet.
  The Security Gateway intercepts DNS queries "Type A" for the web servers in its domain that come from external hosts.
  - If the Security Gateway recognizes the external host, it replies:
    - In ISP Redundancy Load Sharing mode, the Security Gateway replies with two IP addresses, alternating their order.
    - In ISP Redundancy Primary/Backup mode, the Security Gateway replies with the IP addresses of the active ISP link.
  - If the Security Gateway does not recognize the host, it passes the DNS query on to the original destination, or to the domain DNS server.
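The reply behaviour described above, modelled as an added Python example (this is not Check Point code and does not reflect the gateway's implementation). It assumes two ISP links with constructed names "ISP-A" and "ISP-B", one constructed web server name with a constructed RFC 5737 public address from each ISP, and a constructed TTL of 30 seconds; it also checks the Load Sharing rule that the two weights sum to 100 and that every published server has an address on every link, which are the two configuration mistakes most likely to leave one ISP unused.

```python
"""Model of the ISP Redundancy DNS proxy reply logic (added example, not
Check Point code). Link names, host names, addresses and TTL are constructed."""
from dataclasses import dataclass, field
from itertools import count


@dataclass
class IspLink:
    name: str
    weight: int            # Load Sharing weight; the two weights must sum to 100
    is_up: bool = True     # result of monitoring the link's selected hosts


@dataclass
class DnsProxy:
    mode: str              # "load_sharing" or "primary_backup"
    links: list            # ordered; in Primary/Backup mode the primary is first
    servers: dict          # hostname -> {link name: public IP from that ISP}
    ttl: int = 30          # DNS TTL (seconds) placed on every reply
    _counter: "count" = field(default_factory=count)

    def validate(self):
        """Reject the two configuration errors the procedure warns about."""
        if self.mode == "load_sharing" and sum(l.weight for l in self.links) != 100:
            raise ValueError("ISP link weights must sum to 100")
        for host, ips in self.servers.items():
            missing = [l.name for l in self.links if l.name not in ips]
            if missing:
                raise ValueError(f"{host} has no public IP for links {missing}")

    def active_link(self):
        """Primary/Backup: the first link in the list that is up."""
        for link in self.links:
            if link.is_up:
                return link
        return None

    def answer(self, qname, qtype="A"):
        """Return ('reply', ttl, [ips]) for a known host, or
        ('forward', None, None) when the query is passed on unchanged."""
        if qtype != "A" or qname not in self.servers:
            return ("forward", None, None)      # unknown host: forward the query
        ips = self.servers[qname]
        if self.mode == "load_sharing":
            order = [ips[l.name] for l in self.links]
            if next(self._counter) % 2:         # swap order on every other reply
                order.reverse()
            return ("reply", self.ttl, order)
        link = self.active_link()
        if link is None:
            return ("reply", self.ttl, [])      # no ISP link is up
        return ("reply", self.ttl, [ips[link.name]])


# Constructed sample configuration used by demo() and the checks below.
SAMPLE_LINKS = [IspLink("ISP-A", 50), IspLink("ISP-B", 50)]
SAMPLE_SERVERS = {"www.example.com": {"ISP-A": "192.0.2.10", "ISP-B": "198.51.100.10"}}


def demo():
    """Two Load Sharing replies, one forward, then a Primary/Backup failover."""
    results = []
    proxy = DnsProxy("load_sharing", SAMPLE_LINKS, SAMPLE_SERVERS, ttl=30)
    proxy.validate()
    results.append(proxy.answer("www.example.com"))
    results.append(proxy.answer("www.example.com"))
    results.append(proxy.answer("other.example.net"))
    failover = DnsProxy("primary_backup",
                        [IspLink("ISP-A", 0, is_up=False), IspLink("ISP-B", 0)],
                        SAMPLE_SERVERS, ttl=30)
    results.append(failover.answer("www.example.com"))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The short TTL is what makes the Primary/Backup case work: a resolver that cached the primary ISP's address for longer than the TTL would keep sending clients to the failed link, so keep the DNS TTL value small relative to how quickly you expect a link failure to be detected.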
  To enable the DNS server:
  - Click Other > ISP Redundancy.
  - Select Enable DNS Proxy.
  - Click Configure.
  - Add your DMZ or Web servers. Give each server two public IP addresses - one from each ISP.
  - In the DNS TTL field, enter a number of seconds.
    This sets a Time To Live for each DNS reply.
    DNS servers on the Internet cannot cache the data in your DNS reply for longer than the TTL.
  - Click OK.
  - Configure Static NAT to translate the public IP addresses to the real server's IP address.
    External clients use one of the two IP addresses.
    Note - If the servers use different services (for example, HTTP and FTP), you can use NAT for only two public IP addresses.
  - Define an Access Control Policy rule:

    Name      | Source             | Destination            | VPN | Services & Applications | Action | Track | Install On
    DNS Proxy | Applicable sources | Applicable DNS Servers | Any | domain_udp              | Accept | None  | Policy Targets

  To register the domain and get IP addresses:
  - Register your domain with the two ISPs.
  - Tell the ISPs the two IP addresses of the DNS server that respond to DNS queries for the domain.
  - For each server in the DMZ, get two public IP addresses, one from each ISP.
  - In SmartConsole, click Menu > Global properties.
  - From the left tree, click NAT - Network Address Translation.
  - In the Manual NAT rules section, select Translate destination on client side.
  - Click OK.
- Configure the Access Control Policy for ISP Redundancy.
  Procedure
  The Access Control Policy must allow connections through the ISP links, with Automatic Hide NAT on the network objects that start outgoing connections.
  - In the properties of the object for an internal network, select NAT > Add Automatic Address Translation Rules.
  - Select Hide behind the gateway.
  - Click OK.
  - Define rules for publicly reachable servers (Web servers, DNS servers, DMZ servers).
    - If you have one public IP address from each ISP for the Security Gateway, define Static NAT.
      Allow specific services for specific servers.
      For example, make NAT rules so that incoming HTTP connections from the two ISPs reach a Web server, and DNS traffic from the ISPs reaches the DNS server.
      Example: Manual Static Rules for a Web Server and a DNS Server
    - If you have a public IP address from each ISP for each publicly reachable server (in addition to the Security Group), define NAT rules:
      - Give each server a private IP address.
      - Use the public IP addresses in the Original Destination.
      - Use the private IP address in the Translated Destination.
      - Select Any as the Original Service.
    Note - If you use Manual NAT, then automatic ARP does not work for the IP addresses behind NAT. You must configure the local.arp file as described in sk30197.
- Install the Access Control Policy on this Security Gateway object.