Configuring ISP Redundancy on a Cluster

Important:

- Connect with SmartConsole to the Security Management Server or Domain Management Server that manages this Cluster.
- From the left navigation panel, click Gateways & Servers.
- Open the applicable object.
- Click Other > ISP Redundancy.
- Select Support ISP Redundancy.
- Select the redundancy mode:
  - Load Sharing - traffic is sent in a round-robin method over all configured ISP Links.
  - Primary/Backup - traffic is sent only over one ISP Link until it goes down (the order of the configured ISP Links determines in which order they are used).
- Configure the ISP Links (at least two, at most ten).
  To configure more than two ISP links, the Management Server and the Cluster must run version R81.10 or higher.
  Procedure
  Make sure you have the ISP data - the speed of the link and the next hop IP address.
  - If the object has at least two interfaces with the Topology "External" in the Network Management page, you can configure the ISP links automatically.
    Configuring ISP links automatically
    - Click Other > ISP Redundancy.
    - Click Set initial configuration.
      The ISP Links are added automatically.
    - If you selected the Primary/Backup mode, make sure the Primary interface is first in the list.
      Use the arrows on the right to change the order.
    - Click OK.
  - If the object has only one interface with the Topology "External" in the Network Management page, you must configure the ISP links manually.
    Note - We recommend that you configure the Topology "External" for each interface the Cluster needs to use for ISP Redundancy.
    Configuring ISP links manually
    - Click Other > ISP Redundancy.
    - In the ISP Links section, click Add.
      The ISP Link window opens.
    - Click the General tab.
    - In the Name field, enter a name for this ISP link.
      The name you enter here is used in the ISP Redundancy commands (see ).
    - In the Interface field, select the correct interface of the Cluster for this ISP link.
      If one of the ISP links is the connection to a backup ISP, configure the ISP Redundancy Script (see ).
    - In the Next Hop IP Address field:
      - If the object has at least two interfaces with the Topology "External" in the Network Management page, leave this field empty and click Get from routing table. The next hop is the default gateway.
      - If the object has only one interface with the Topology "External" in the Network Management page, enter the correct IP address of the next hop.
    - If earlier you selected the Load Sharing mode, then in the Weight field, enter the applicable value.
      For equal traffic distribution between the ISP links, enter the applicable ratio in each ISP link (100% / number of ISP links):
      - For two ISP links, enter 50 in each.
      - For three ISP links, enter 33 in each.
      - For four ISP links, enter 25 in each.
      - and so on.
      If one ISP link is faster, increase this value and decrease it for the other ISP links, so that the sum of these values always equals 100.
    - Optional: Click the Advanced tab and configure hosts to be monitored, to make sure the link is working.
      Add the applicable host objects in the Selected hosts section.
    - Click OK.
- Configure the Cluster to be the DNS server.
  Procedure
  The Cluster, or a DNS server behind it, must respond to DNS queries.
  It resolves the IP addresses of servers in the DMZ (or another internal network).
  Get a public IP address from each ISP. If public IP addresses are not available, register the domain to make the DNS server accessible from the Internet.
  The Cluster intercepts DNS queries of "Type A" for the web servers in its domain that come from external hosts.
  - If the Cluster recognizes the external host, it replies:
    - In ISP Redundancy Load Sharing mode, the Cluster replies with the IP addresses of all ISP links, alternating their order.
    - In ISP Redundancy Primary/Backup mode, the Cluster replies with the IP addresses of the active ISP link.
  - If the Cluster does not recognize the host, it passes the DNS query on to the original destination, or to the domain DNS server.
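  The following Python model ties together the behaviour described on this page: link selection in Load Sharing mode (weighted round robin over the ISP links that are up, using the Weight values entered above) and in Primary/Backup mode (the first link in configured order that is still up), plus the A records the DNS Proxy hands back for a recognized query, with the TTL from the DNS TTL field. This is an added example, not Check Point code: the class and method names (IspLink, IspRedundancy, select_link, dns_reply) are assumptions, and the IP addresses are constructed from documentation ranges.

```python
"""Model of ISP Redundancy link selection and DNS Proxy replies.
Added example, not Check Point code: names below are assumptions,
IP addresses are constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IspLink:
    name: str            # the name entered in the ISP Link window
    next_hop: str        # next hop IP address of this ISP
    weight: int = 50     # Load Sharing only; the page asks that weights sum to 100
    up: bool = True      # outcome of monitoring the hosts on the Advanced tab
    _credit: int = field(default=0, init=False, repr=False)  # round-robin state


@dataclass
class IspRedundancy:
    mode: str             # "load_sharing" or "primary_backup"
    links: List[IspLink]  # configured order; decides priority in Primary/Backup
    _dns_rotation: int = field(default=0, init=False, repr=False)

    def __post_init__(self) -> None:
        if self.mode not in ("load_sharing", "primary_backup"):
            raise ValueError(f"unknown mode {self.mode!r}")
        if not 2 <= len(self.links) <= 10:
            raise ValueError("configure at least two and at most ten ISP links")
        if self.mode == "load_sharing":
            for link in self.links:
                if not 1 <= link.weight <= 100:
                    raise ValueError(f"weight of {link.name} must be 1..100")

    def up_links(self) -> List[IspLink]:
        """ISP links whose monitored hosts still answer, in configured order."""
        up = [l for l in self.links if l.up]
        if not up:
            raise RuntimeError("all ISP links are down")
        return up

    def select_link(self) -> IspLink:
        """Pick the ISP link for a new outgoing connection."""
        up = self.up_links()
        if self.mode == "primary_backup":
            return up[0]          # first link in configured order that is up
        # Smooth weighted round robin over the links that are up: the link
        # with the most accumulated credit wins and pays back the total, so
        # a 75/25 split yields A, A, B, A over four picks.
        total = sum(l.weight for l in up)
        for link in up:
            link._credit += link.weight
        chosen = max(up, key=lambda l: l._credit)
        chosen._credit -= total
        return chosen

    def dns_reply(self, public_ips: Dict[str, str], ttl: int) -> List[Tuple[str, int]]:
        """A records returned for a recognized external query.
        public_ips maps ISP link name -> the server's public IP from that ISP."""
        if ttl <= 0:
            raise ValueError("DNS TTL must be a positive number of seconds")
        if self.mode == "primary_backup":
            names = [self.up_links()[0].name]          # active ISP link only
        else:
            # all ISP links, with the order rotated by one position per reply
            names = [l.name for l in self.links]
            k = self._dns_rotation % len(names)
            self._dns_rotation += 1
            names = names[k:] + names[:k]
        return [(public_ips[n], ttl) for n in names]


def demo() -> List[str]:
    """Constructed walk-through: two ISPs with 75/25 weights, then ISP_A fails."""
    isp = IspRedundancy("load_sharing", [
        IspLink("ISP_A", "203.0.113.1", weight=75),
        IspLink("ISP_B", "198.51.100.1", weight=25),
    ])
    chosen = [isp.select_link().name for _ in range(4)]
    isp.links[0].up = False                  # monitoring reports ISP_A down
    chosen.append(isp.select_link().name)    # only ISP_B is left
    return chosen


if __name__ == "__main__":
    print(demo())
```

  The DNS half follows the page's rule literally: in Load Sharing mode every configured ISP address is returned and only the order rotates, so a client that keeps the first record still spreads load across replies; in Primary/Backup mode only the active link's address is returned, which is why a short DNS TTL matters for failover, since resolvers on the Internet may keep the old address until the TTL expires.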
  To enable the DNS server:
  - Click Other > ISP Redundancy.
  - Select Enable DNS Proxy.
  - Click Configure.
  - Add your DMZ or Web servers.
    Configure each server with a public IP address from each ISP.
  - In the DNS TTL field, enter a number of seconds.
    This sets a Time To Live for each DNS reply.
    DNS servers on the Internet cannot cache the DNS data from your reply for longer than the TTL.
  - Click OK.
  - Configure Static NAT to translate the public IP addresses to the real server's IP address.
    External clients use one of the configured IP addresses.
    Note - If the servers use different services (for example, HTTP and FTP), you can use NAT for only the configured public IP addresses.
  - Define an Access Control Policy rule:

    Name      | Source             | Destination            | VPN | Services & Applications | Action | Track | Install On
    DNS Proxy | Applicable sources | Applicable DNS Servers | Any | domain_udp              | Accept | None  | Policy Targets

  To register the domain and get IP addresses:
  - Register your domain with each ISP.
  - Tell the ISP the configured IP addresses of the DNS server that responds to DNS queries for the domain.
  - For each server in the DMZ, get a public IP address from each ISP.
  - In SmartConsole, click Menu > Global properties.
  - From the left tree, click NAT - Network Address Translation.
  - In the Manual NAT rules section, select Translate destination on client side.
  - Click OK.
- Configure the Access Control Policy for ISP Redundancy.
  Procedure
  The Access Control Policy must allow connections through the ISP links, with Automatic Hide NAT on the network objects that start outgoing connections.
  - In the properties of the object for an internal network, select NAT > Add Automatic Address Translation Rules.
  - Select Hide behind the gateway.
  - Click OK.
  - Define rules for publicly reachable servers (Web servers, DNS servers, DMZ servers).
    - If you have one public IP address from each ISP for the Cluster, define Static NAT.
      Allow specific services for specific servers.
      For example, configure NAT rules so that incoming HTTP connections from your ISPs reach a Web server, and DNS connections from your ISPs reach the DNS server.
      Example: Manual Static Rules for a Web Server and a DNS Server
    - If you have a public IP address from each ISP for each publicly reachable server (in addition to the Cluster), configure the applicable NAT rules:
      - Give each server a private IP address.
      - Use the public IP addresses in the Original Destination.
      - Use the private IP address in the Translated Destination.
      - Select Any as the Original Service.
    Note - If you use Manual NAT, then automatic ARP does not work for the IP addresses behind NAT. You must configure the local.arp file as described in sk30197.
  - Install the Access Control Policy on this object.