Configuring ISP Redundancy on a Security Gateway

1. Connect with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages this Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Scalable Platform Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected..

2. From the left navigation panel, click Gateways & Servers.

3. Open the applicable Security Gateway / Security Group object.

4. Click Other > ISP Redundancy.

5. Select Support ISP Redundancy.

6. Select the redundancy mode - Load Sharing or Primary/Backup.

7. Configure the ISP Links (at least two, at maximum ten).

   To configure more than two ISP links, the Management Server and the a Security Gateway / Scalable Platform Security Group must run the version R81.10 and higher.

   Procedure

   Make sure you have the ISP data - the speed of the link and next hop IP address.

   Automatic vs Manual configuration:

   • If the Security Gateway / Security Group object has at least two interfaces with the Topology "External" in the Network Management page, you can configure the ISP links automatically.

     Configuring ISP links automatically

     1. Click Other > ISP Redundancy.

     2. Click Set initial configuration.

        The ISP Links are added automatically.

     3. For Primary/Backup mode, make sure the Primary interface is first in the list. Use the arrows on the right to change the order.

     4. Click OK.

   • If the Security Gateway / Security Group object has only one interface with the Topology "External" in the Network Management page, you must configure the ISP links manually.

     Configuring ISP links manually

     1. Click Other > ISP Redundancy.

     2. In the IPS Links section, click Add.

        The ISP Link window opens.

     3. Click the General tab.

     4. In the Name field, enter a name of this link (desired text).

        The name you enter here is used in the ISP Redundancy commands (see Controlling ISP Redundancy from CLI).

     5. Select the Interface of the Security Gateway / Security Group for this ISP link.

        • If the Security Gateway / Security Group object has at least two interfaces with the Topology "External" in the Network Management page, set each ISP link to a different interface.

          If one of the ISP links is the connection to a backup ISP, configure the ISP Redundancy Script (see Controlling ISP Redundancy from CLI).

        • If the Security Gateway / Security Group object has only one interface with the Topology "External" in the Network Management page, set each ISP link to connect to this interface.

     6. Configure the Next Hop IP Address.

        • If the Security Gateway / Security Group object has at least two interfaces with the Topology "External" in the Network Management page, leave this field empty and click Get from routing table. The next hop is the default gateway.

        • If the Security Gateway / Security Group object has only one interface with the Topology "External" in the Network Management page, set each ISP link to a different next hop router.

     7. For ISP Redundancy in Load Sharing mode, enter the Weight value.

        For equal traffic distribution between the IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). link, enter the applicable ratio in each ISP link (100% / Number of ISP Links):

        • For two ISP links, enter 50 in each

        • For three ISP links, enter 33 in each

        • For four ISP links, enter 25 in each

        • and so on

        If one ISP link is faster, increase this value and decrease it for the other ISP links, so that the sum of these values is always equal 100.

     8. Click the Advanced tab.

     9. Define hosts to be monitored, to make sure the link is working.

        Add the applicable objects to the Selected hosts section.

     10. Click OK.

8. Configure the Security Gateway / Security Group to be the DNS server.

   Procedure

   The Security Gateway / Security Group, or a DNS server behind it, must respond to DNS queries.

   It resolves IP addresses of servers in the DMZ (or another internal network).

   Get a public IP address from each ISP. If public IP addresses are not available, register the domain to make the DNS server accessible from the Internet.

   The Security Gateway / Security Group intercepts DNS queries "Type A" for the web servers in its domain that come from external hosts.

   • If the Security Gateway / Security Group recognizes the external host, it replies:

     • In ISP Redundancy Load Sharing mode, the Security Gateway / Security Group replies with IP addresses of all ISP links, alternating their order.

     • In ISP Redundancy Primary/Backup mode, the Security Gateway / Security Group replies with the IP addresses of the active ISP link.

   • If the Security Gateway / Security Group does not recognize the host, it passes the DNS query on to the original destination, or to the domain DNS server.

   To enable the DNS server:

   1. Click Other > ISP Redundancy.

   2. Select Enable DNS Proxy.

   3. Click Configure.

   4. Add your DMZ or Web servers.

      Configure each server with a public IP address from each ISP.

   5. In the DNS TTL, enter a number of seconds.

      This sets a Time To Live for each DNS reply.

      DNS servers in the Internet cannot cache your DNS data in the reply for longer than the TTL.

   6. Click OK.

   7. Configure Static NAT to translate the public IP addresses to the real server's IP address.

      External clients use one of the configured IP addresses.

      Note - If the servers use different services (for example, HTTP and FTP), you can use NAT for only the configured public IP addresses.

   8. Define an Access Control Policy rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.:

      Name	Source	Destination	VPN	Services & Applications	Action	Track	Install On
      DNS Proxy	Applicable sources	Applicable DNS Servers	Any	domain_udp	Accept	None	Policy Targets

   To register the domain and get IP addresses:

   1. Register your domain with each ISP.

   2. Tell the ISP the configured IP addresses of the DNS server that respond to DNS queries for the domain.

   3. For each server in the DMZ, get a public IP address from each ISP.

   4. In SmartConsole, click Menu > Global properties.

   5. From the left tree, click NAT - Network Address Translation.

   6. In the Manual NAT rules section, select Translate destination on client side.

   7. Click OK.

9. Configure the Access Control Policy for ISP Redundancy.

   Procedure

   The Access Control Policy must allow connections through the ISP links, with Automatic Hide NAT on network objects that start outgoing connections.

   1. In the properties of the object for an internal network, select NAT > Add Automatic Address Translation Rules.

   2. Select Hide behind the gateway.

   3. Click OK.

   4. Define rules for publicly reachable servers (Web servers, DNS servers, DMZ servers).

      • If you have one public IP address from each ISP for the Security Gateway / Security Group, define Static NAT.

        Allow specific services for specific servers.

        For example, configure NAT rules, so that incoming HTTP connections from your ISPs reach a Web server, and DNS connections from your ISPs reach the DNS server.

        Example: Manual Static Rules for a Web Server and a DNS Server

        Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On	Comment
        Any	Host object with IP address of Web Server	http	= Original	S 50.50.50.2	= Original	Policy Targets	Incoming Web - ISP A
        Any	Host object with IP address of Web Server	http	= Original	S 60.60.60.2	= Original	Policy Targets	Incoming Web - ISP B
        Any	Host object with IP address of DNS Server	domain_udp	= Original	S 50.50.50.3	= Original	Policy Targets	Incoming DNS - ISP A
        Any	Host object with IP address of DNS Server	domain_udp	= Original	S 60.60.60.3	= Original	Policy Targets	Incoming DNS - ISP B

      • If you have a public IP address from each ISP for each publicly reachable server (in addition to the Security Gateway / Security Group), configure the applicable NAT rules:

        1. Give each server a private IP address.

        2. Use the public IP addresses in the Original Destination.

        3. Use the private IP address in the Translated Destination.

        4. Select Any as the Original Service.

   Note - If you use Manual NAT, then automatic ARP does not work for the IP addresses behind NAT. You must configure the local.arp file as described in sk30197.

10. Install the Access Control Policy on this Security Gateway / Security Group object.