Configuring ISP Redundancy on a Cluster

Make Internet connectivity more reliable with ISP Redundancy. This connects a Security Gateway or Cluster Member to the Internet through redundant Internet Service Provider (ISP) links. ISP Redundancy monitors the ISP links and chooses the best current link.

R80.20 supports two ISPs.

If you have a ClusterXL Cluster, connect each Cluster Member to the two ISPs through a LAN with two interfaces. The member interfaces must be on the same subnet as the cluster external interfaces. Configure ClusterXL in the usual way.

• ISP A link address - 192.168.1.100
• ISP B link address - 172.16.2.100

  Item	Description
  1	Internal network
  2	VLAN switches
  3	Security Gateway - Cluster Member A
  3a	Virtual interface to the internal network (10.10.0.1)
  3b	Interface to the Cluster Sync network (10.0.10.1)
  3c	Virtual interface to ISP B (172.16.2.2)
  3d	Virtual interface to VLAN switch that connects to ISP A (192.168.1.3)
  4	Security Gateway - Cluster Member B
  4a	Virtual interface to the internal network (10.10.0.2)
  4b	Interface to the Cluster Sync network (10.0.10.2)
  4c	Virtual interface to ISP A (192.168.1.2)
  4d	Virtual interface to VLAN switch that connects to ISP B (172.16.2.3)
  5	Router that connects to ISP A (192.168.1.1)
  6	Router that connects to ISP B (172.16.2.1)
  7	Internet

You can configure the ISP preference to be for Load Sharing or Primary/Backup.

Load Sharing - Uses the two links with a distributed load of connections going out from the Security Gateway. Connections coming in are alternated. You can configure best relative loads for the links (set a faster link to handle more load). New connections are randomly assigned to a link. If one link fails, the other takes the load.

Primary/Backup - Uses one link for connections going out from the Security Gateway and coming in. It switches to the backup if the primary link fails. When the primary link is restored, new connections are assigned to it. Existing connections continue on the backup link until they are complete.

Note: ISP Redundancy settings override VPN Link Selection settings.

To enable ISP Redundancy:

1. Open the network object properties of the Security Gateway or cluster.
2. Click Other > ISP Redundancy.
3. Select Support ISP Redundancy.
4. Select Load Sharing or Primary/Backup.
5. Configure the links.
6. Configure the Security Gateway to be the DNS server.
7. Configure the policy for ISP Redundancy.

Configuring the ISP Links

Before you begin, make sure you have the ISP data - the speed of the link and next hop IP address. If the Security Gateway has only one external interface, configure two subnets on this interface. You will need routers and a switch.

If the Security Gateway has two external interfaces in the Network Management page of the gateway object, you can configure the links automatically.

If the gateway is a ClusterXL Cluster Member, configure the two Cluster Members to the two ISP. Use a LAN with two interfaces. Make sure the member interfaces are on the same subnet as the cluster external interfaces.

To configure ISP links automatically:

1. In the Security Gateway object go to the Other > ISP Redundancy page.
2. Click Set initial configuration.

   The ISP Links are added automatically.

3. For Primary/Backup, make sure the primary interface is first in the list. Use the arrows to change the order.

To configure ISP links manually:

1. In the Security Gateway object go to the Other > ISP Redundancy page.
2. Click Add.
3. In the ISP Link window, give the link a Name.

   Note the names you give here. They are used in the ISP Redundancy script and commands.

4. Select the Interface of the Security Gateway for this ISP link.
   • If the Security Gateway has two external interfaces, set each link to a different interface. If one of the ISP links is dialup connection to a backup ISP, configure the ISP Redundancy Script.
   • If the Security Gateway has only one external interface, set each ISP link to connect to this interface.
5. Configure the Next hop IP Address.
   • If the Security Gateway has two external interfaces, leave this field empty and click Get from routing table. The next hop is the default gateway.
   • If the Security Gateway has one external interface, set each ISP link to a different next hop router.
6. For Load Sharing, enter the Weight. For equal weight distribution, enter 50. If one link is faster, raise this value and lower it for the other link, so that the two equal 100.
7. Define hosts to be monitored, to make sure the link is working. Open the Advanced tab of the ISP Link window, and add Selected hosts.

Configuring Security Gateway as DNS

The Security Gateway, or a DNS server behind it, must respond to DNS queries. It resolves IP addresses of servers in the DMZ (or another internal network).

Get a public IP address from each ISP. If public IP addresses are not available, register the domain to make the DNS server accessible from the Internet.

To enable DNS on the Security Gateway or cluster:

1. In SmartConsole, open the Security Gateway or cluster object
2. Go to Other > ISP Redundancy page and select Enable DNS Proxy.

   The Security Gateway or cluster intercepts Type A DNS queries for the web servers in its domain that come from external hosts. If the Security Gateway or cluster recognizes the external host, it replies:

   • In ISP Redundancy Load Sharing mode, the Security Gateway or cluster replies with two addresses, alternating their order.
   • In ISP Redundancy Primary/Backup mode, the Security Gateway or cluster replies with the addresses of the active ISP link.

   If the Security Gateway or cluster does not recognize the host, it passes the DNS query on to the original destination, or to the domain DNS server.

3. Click Configure.
4. Add your DMZ or web servers. Give each two public IP addresses, one for each ISP.
5. Enter a number of seconds in DNS TTL.

   This sets a Time To Live for each DNS reply. DNS servers in the Internet cannot cache your DNS data in the reply for longer than the TTL.

6. Configure Static NAT to translate the public IP addresses to the real server's IP address. External clients use one of the two IP addresses.

   Note - If the servers use different services (for example, HTTP and FTP), you can use NAT for only two public IP addresses.

7. Define an Access Control Policy rule: allow DNS traffic through the Security Gateway or cluster using the domain_udp service.

To register the domain and get IP addresses:

1. Register your domain with the two ISP.
2. Tell the ISP the two IP addresses of the DNS server that respond to DNS queries for the domain.
3. For each server in the DMZ, get two public IP addresses, one from each ISP.
4. In SmartConsole, click Menu > Global properties.
5. Go to NAT - Network Address Translation pane.
6. In the Manual NAT rules section, select Translate destination on client side.
7. Click OK.
8. Install the Access Control Policy on this cluster object.

Configuring the Firewall

The Firewall must allow connections through the ISP links, with Automatic Hide NAT on network objects that start outgoing connections.

To configure the firewall for ISP Redundancy:

1. In the properties of the object for an internal network, select NAT > Add Automatic Address Translation Rules.
2. Select Hide behind the gateway.
3. Click OK.
4. Define rules for publicly reachable servers (web servers, DNS servers, DMZ servers).

   If you have one public IP address from each ISP for the Security Gateway, define Static NAT. Allow specific services for specific servers. For example, make NAT rules so that incoming HTTP connections from the two ISP reach a Web server, and DNS traffic from the ISP reach the DNS server.

Example: Manual Static Rules for a Web Server and a DNS Server

Original Source	Original Destination	Original Service	Original Source	Translated Destination	Translated Services	Comment
Any	IP of web server	http	=	10.0.0.2 (Static)	=	Incoming Web - ISP A
Any	IP of web server	http	=	10.0.0.2 (Static)	=	Incoming Web - ISP B
Any	IP of DNS server	domain_udp	=	10.0.0.3 (Static)	=	Incoming DNS - ISP A
Any	IP of DNS server	domain_udp	=	10.0.0.3 (Static)	=	Incoming DNS - ISP B

If you have a public IP address from each ISP for each publicly reachable server (in addition to the Security Gateway), define NAT rules:

1. Give each server a private IP address.
2. Use the public IP addresses in the Original Destination.
3. Use the private IP address in the Translated Destination.
4. Select Any as the Original Service.

Note - If using Manual NAT, automatic ARP does not work for the NATed IP addresses. You need to configure the local.arp file as described in sk30197.

When done, install the Access Control Policy on this cluster object.

Configuring with VPN

When ISP Redundancy is enabled, VPN encrypted connections survive a failure of an ISP link. The settings in the ISP Redundancy page override settings in the IPsec VPN > Link Selection page.

To configure ISP Redundancy with VPN on cluster:

1. In SmartConsole, open the cluster object.
2. In the left navigation tree, go to Other > ISP Redundancy.
3. Select Apply settings to VPN traffic.
4. In the left navigation tree, go to IPsec VPN > Link Selection.
5. Make sure that Use ongoing probing. Link redundancy mode shows the mode of the ISP Redundancy: High Availability (for Primary/Backup) or Load Sharing.

   VPN Link Selection now only probes the ISP configured in ISP Redundancy.

To configure for VPN with a third-party peer:

If the VPN peer is not a Check Point Security Gateway, the VPN may fail, or the third-party device may continue to encrypt traffic to a failed ISP link.

• Make sure the third-party VPN peer recognizes encrypted traffic from the secondary ISP link as coming from the Check Point cluster.
• Change the configuration of ISP Redundancy to not use these Check Point technologies:
  • Use Probing - Make sure that Link Selection uses another option.
  • Load Sharing, Service Based Link Selection, Route based probing - Work only on Check Point Security Gateways. If used, the Security Gateway uses one link to connect to the third-party VPN peer. The link with the highest prefix length and lowest metric is used.

Force ISP Link State

Use the fw isp_link command to force the ISP link state to Up or Down. Use this to test installation and deployment, or to force the Security Gateway to recognize the true link state if it cannot (the ISP link is down but the gateway sees it as up).

You can run this command on the Security Gateway or the Security Management Server: fw isp_link [target-gw] <link_name> {up|down}

<link_name> is the name in the ISP Link window.

Editing the ISP Redundancy Script

When the Security Gateway starts, or an ISP link state changes, the $FWDIR/bin/cpisp_update script runs. It changes the default route of the Security Gateway. For example, you can force the Security Gateway to change the state of a dialup interface to match that state of its ISP link.

Edit this script to enable a dialup connection for one of the ISP links.

To configure a dialup connection:

1. In the script on the Security Gateway, enter the command to change the dialup interface state:
   • If the ISP link goes down: fw isp_link <link_name> down
   • If the ISP link goes up: fw isp_link <link_name> up
2. If you use PPPoE or PPTP xDSL modems, in the PPPoE or PPTP configuration, the Use Peer as Default Gateway option must not be selected.