ISP Redundancy on a Security Gateway / Security Group

Important - ISP Redundancy is not supported if Dynamic Routing is configured (Known Limitation PMTR-68991).

Note - For information about ISP Redundancy on a Cluster, see the R81.10 ClusterXL Administration Guide > Chapter Advanced Features and Procedures > Section ISP Redundancy on a Cluster.


ISP Redundancy connects a Security Gateway / Scalable Platform Security Group to the Internet through redundant Internet Service Provider (ISP) links.

ISP Redundancy monitors the ISP links and chooses the best current link.


ISP Redundancy Modes

ISP Redundancy configuration modes control the behavior of outgoing connections from internal clients to the Internet:



Load Sharing

Uses all links to distribute the load of connections.

The incoming connections are alternated.

You can configure best relative loads for the links (set a faster link to handle more load).

New connections are randomly assigned to a link.

If one link fails, the other link takes the load.

In this mode, incoming connections can reach the application servers through any of ISP links because the Security Gateway / Scalable Platform Security Group can answer DNS requests for the IP address of internal servers with IP addresses from both ISPs by alternating their order.


Primary/Backup

Uses one link for connections.

It switches to the Backup link if the Primary link fails.

When the Primary link is restored, new connections are assigned to it.

Existing connections continue on the Backup link until they are complete.

In this mode, incoming connections (from the Internet to application servers in the DMZ or internal networks) also benefit, because the Security Gateway / Scalable Platform Security Group returns packets through the same ISP link through which the connection was initiated.

Best Practice:

  • If all ISP links are basically the same, use the Load Sharing mode to ensure that you are making the best use of all ISP links.

  • You may prefer to use one of your ISP links that is more cost-effective in terms of price and reliability.

    In that case, use the Primary/Backup mode and set the more cost-effective ISP as the Primary ISP link.

Outgoing Connections



Load Sharing

Outgoing traffic that exits the Security Gateway / Scalable Platform Security Group on its way to the Internet is distributed between the ISP Links.

You can set a relative weight for how much you want each of the ISP Links to be used.

For example, if one link is faster, it can be configured to route more traffic across that ISP link than the other links.


Primary/Backup

Outgoing traffic uses an active primary link.

Hide NAT is used to change the source address of outgoing packets to the address of the interface, through which the packet leaves the Security Gateway / Scalable Platform Security Group.

This allows return packets to be automatically routed through the same ISP link, because their destination address is the address of the correct link.

The administrator configures the Hide NAT settings.
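The following Python model illustrates the outgoing behavior described above: link selection in both modes, failover, and the Hide NAT source rewrite. It is an added example, not Check Point code. The class names, link names, weights, and addresses (documentation ranges) are constructed assumptions.

```python
import random
from dataclasses import dataclass, field

@dataclass
class IspLink:
    name: str
    interface_ip: str  # gateway interface address facing this ISP (constructed)
    weight: int = 1    # relative load; only used in Load Sharing
    up: bool = True

@dataclass
class GatewayModel:
    mode: str          # "load_sharing" or "primary_backup"
    links: list        # in primary_backup, links[0] is the Primary link
    # Seeded so that repeated runs of the model give the same assignments
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    conns: dict = field(default_factory=dict)  # connection id -> link name

    def pick_link(self):
        live = [l for l in self.links if l.up]
        if not live:
            raise RuntimeError("no ISP link is up")
        if self.mode == "primary_backup":
            return live[0]  # Primary when up, otherwise the Backup
        # Load Sharing: random assignment, biased by the relative weights
        return self.rng.choices(live, weights=[l.weight for l in live])[0]

    def open_connection(self, conn_id, client_ip):
        link = self.pick_link()
        self.conns[conn_id] = link.name  # an open connection stays on its link
        # Hide NAT: source becomes the address of the exit interface, so the
        # reply is addressed to, and routed back through, the same ISP link.
        return {"link": link.name, "src_before": client_ip,
                "src_after": link.interface_ip}

    def share(self, name):
        """Fraction of tracked connections assigned to the named link."""
        return sum(1 for v in self.conns.values() if v == name) / len(self.conns)

def demo():
    a = IspLink("ISP-A", "192.0.2.1", weight=3)
    b = IspLink("ISP-B", "198.51.100.1", weight=1)
    gw = GatewayModel("primary_backup", [a, b])
    out = [gw.open_connection("c1", "10.0.0.5")["link"]]
    a.up = False                       # Primary fails
    out.append(gw.open_connection("c2", "10.0.0.5")["link"])
    a.up = True                        # Primary restored
    out.append(gw.open_connection("c3", "10.0.0.5")["link"])
    return out, gw.conns["c2"]         # c2 is still on the Backup link
```

The model does not cover what happens to connections that were open on a link at the moment it fails, because the text above does not describe that case.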

Incoming Connections

For external users to make incoming connections, the administrator must:

  1. Give each application server one routable IP address for each ISP.

  2. Configure Static NAT to translate the routable addresses to the real server address.

If the servers handle different services (for example, HTTP and FTP), you can use NAT to employ only routable IP addresses for all the publicly available servers.

External clients use one of the assigned IP addresses. In order to connect, the clients must be able to resolve the DNS name of the server to the correct IP address.