ISP Redundancy on a Security Gateway / Security Group

Important - ISP Redundancy is not supported if Dynamic Routing is configured (Known Limitation PMTR-68991).

Note - For information about ISP Redundancy on a ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., see the R81.10 ClusterXL Administration Guide > Chapter Advanced Features and Procedures > Section ISP Redundancy on a Cluster.

Introduction

ISP Redundancy connects a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Scalable Platform Security GroupClosed A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. to the Internet through redundant Internet Service Provider (ISP) links.

ISP Redundancy monitors the ISP links and chooses the best current link.

Notes:

Item

Description

1

Internal network

2

Security Gateway or Scalable Platform Security Group

3

ISP

4

Internet

Best Practice - We recommend this deployment, because it is simpler than deployment with one dedicated physical interface.

Item

Description

1

Internal network

2

Security Gateway or Scalable Platform Security Group

3

ISP A

4

ISP B

5

Internet

If only one external interface is available on the Security Gateway / Scalable Platform Security Group, you can configure two subnets on the same external interface.

(See the R81.10 Gaia Administration Guide > Chapter Network Management > Section Network Interfaces > Section Aliases.)

The two ISP links are then connected to the same Security Gateway / Scalable Platform Security Group interface, but to different next hop routers, usually through a switch.

Item

Description

1

Internal network

2

Security Gateway or Scalable Platform Security Group

3

Switch

4

ISP A

5

ISP B

6

Internet

ISP Redundancy Modes

ISP Redundancy configuration modes control the behavior of outgoing connections from internal clients to the Internet:

Mode

Description

Load Sharing

Uses all links to distribute the load of connections.

The incoming connections are alternated.

You can configure best relative loads for the links (set a faster link to handle more load).

New connections are randomly assigned to a link.

If one link fails, the other link takes the load.

In this mode, incoming connections can reach the application servers through any of ISP links because the Security Gateway / Scalable Platform Security Group can answer DNS requests for the IP address of internal servers with IP addresses from both ISPs by alternating their order.

Primary/Backup

Uses one link for connections.

It switches to the Backup link, if the Primary link fails.

When the Primary link is restored, new connections are assigned to it.

Existing connections continue on the Backup link until they are complete.

In this mode, incoming connections (from the Internet to application servers in the DMZ or internal networks) also benefit, because the Security Gateway / Scalable Platform Security Group returns packets using the same ISP Link, through which the connection was initiated.

Best Practice:

  • If all ISP links are basically the same, use the Load Sharing mode to ensure that you are making the best use of all ISP links.

  • You may prefer to use one of your ISP links that is more cost-effective in terms of price and reliability.

    In that case, use the Primary/Backup mode and set the more cost-effective ISP as the Primary ISP link.

Outgoing Connections

Mode

Description

Load Sharing

Outgoing traffic that exits the Security Gateway / Scalable Platform Security Group on its way to the Internet is distributed between the ISP Links.

You can set a relative weight for how much you want each of the ISP Links to be used.

For example, if one link is faster, it can be configured to route more traffic across that ISP link than the other links.

Primary/Backup

Outgoing traffic uses an active primary link.

Hide NAT is used to change the source address of outgoing packets to the address of the interface, through which the packet leaves the Security Gateway / Scalable Platform Security Group.

This allows return packets to be automatically routed through the same ISP link, because their destination address is the address of the correct link.

Administrator configures the Hide NAT settings.

Incoming Connections

For external users to make incoming connections, the administrator must:

  1. Give each application server one routable IP address for each ISP.

  2. Configure Static NAT to translate the routable addresses to the real server address.

If the servers handle different services (for example, HTTP and FTP), you can use NAT to employ only routable IP addresses for all the publicly available servers.

External clients use one of the assigned IP addresses. In order to connect, the clients must be able to resolve the DNS name of the server to the correct IP address.

Note - The example below is for two ISP links. The subnets 172.16.0.0/24 and 192.168.0.0/24 represent public routable IP addresses.

The Web server www.example.com is assigned an IP address from each ISP:

  • 192.168.1.2 from ISP A

  • 172.16.2.2 from ISP B

If the ISP Link A is down, then IP address 192.168.1.2 becomes unavailable, and the clients must be able to resolve the URL www.example.com to the IP address 172.16.2.2.

An incoming connection is established, based on this example, in the following sequence:

  1. When an external client on the Internet contacts www.example.com, the client sends a DNS query for the IP address of this URL.

    The DNS query reaches the Security Gateway / Scalable Platform Security Group.

    The Security Gateway / Security Group has a built-in mini-DNS server that can be configured to intercept DNS queries (of Type A) for servers in its domain.

  2. A DNS query arriving at an interface that belongs to one of the ISP links, is intercepted by the Security Gateway / Security Group.

  3. If the Security Gateway / Security Group recognizes the name of the host, it sends one of the following replies:

    • In ISP Redundancy Primary/Backup mode, the Security Gateway / Security Group replies only with the IP addresses associated with the Primary ISP link, as long as the Primary ISP link is active.

    • In ISP Redundancy Load Sharing mode, the Security Gateway / Security Group replies with two IP addresses, alternating their order.

  4. If the Security Gateway / Security Group is unable to handle DNS requests (for example, it may not recognize the host name), it passes the DNS query to its original destination or the DNS server of the domain example.com.

  5. When the external client receives the reply to its DNS query, it opens a connection. Once the packets reach the Security Gateway / Security Group, the Security Gateway / Security Group uses Static NAT to translate the destination IP address 192.168.1.2 or 172.16.2.2 to the real server IP address 10.0.0.2.

  6. The Security Gateway / Security Group routes the reply packets from the server to the client through the same ISP link that was used to initiate the connection.