ISP Redundancy on a Cluster

Important - ISP Redundancy is not supported if Dynamic Routing is configured (Known Limitation PMTR-68991).

Note - For information about ISP Redundancy on a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., see the R81.20 Quantum Security Gateway Guide.

Introduction

ISP Redundancy connects Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members to the Internet through redundant Internet Service Provider (ISP) links.

ISP Redundancy monitors the ISP links and chooses the best current link.

Notes:

ISP Redundancy requires a minimum of two external interfaces and supports up to a maximum of ten.

To configure more than two ISP links, the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. and the Cluster must run the version R81.10 and higher.
ISP Redundancy is intended to traffic that originates on your internal networks and goes to the Internet.

Important:

You must connect each Cluster Member Security Gateway that is part of a cluster. with a dedicated physical interface to each of the ISPs.
The IP addresses assigned to physical interfaces on each Cluster Member must be on the same subnet as the Cluster Virtual IP address.

IP addresses in the table below are only examples.

Item	Description
1	Internal network
2	Switches
3	Cluster Member A
3a	Cluster interface An interface on a Cluster Member, whose Network Type was set as Cluster in SmartConsole in cluster object. This interface is monitored by cluster, and failure on this interface will cause cluster failover. connected to the internal network (IP address 10.10.10.0/24) Interface IP address 10.10.10.11 Virtual IP address 10.10.10.1
3b	Cluster interface (IP address 20.20.20.11) connected to the Sync network (IP address 20.20.20.0/24)
3c	Cluster interface connected to a switch that connects to ISP A Interface IP address 30.30.30.11 Virtual IP address 30.30.30.1
3d	Cluster interface connected to a switch that connects to ISP B Interface IP address 40.40.40.11 Virtual IP address 40.40.40.1
4	Cluster Member B
4a	Cluster interface connected to the internal network (IP address 10.10.10.0/24) Interface IP address 10.10.10.22 Virtual IP address 10.10.10.1
4b	Cluster interface (IP address 20.20.20.22) connected to the Sync network (IP address 20.20.20.0/24)
4c	Cluster interface connected to a switch that connects to ISP B Interface IP address 40.40.40.22 Virtual IP address 40.40.40.1
4d	Cluster interface connected to a switch that connects to ISP A Interface IP address 30.30.30.22 Virtual IP address 30.30.30.1
5	ISP B
6	ISP A
7	Internet

ISP Redundancy Modes

ISP Redundancy configuration modes control the behavior of outgoing connections from internal clients to the Internet:

Mode	Description
Load Sharing	Uses all links to distribute the load of connections. The incoming connections are alternated. You can configure best relative loads for the links (set a faster link to handle more load). New connections are randomly assigned to a link. If one link fails, the other link takes the load. In this mode, incoming connections can reach the application servers through any of ISP links because the Cluster can answer DNS requests for the IP address of internal servers with IP addresses from both ISPs by alternating their order.
Primary/Backup	Uses one link for connections. It switches to the Backup (1) In VRRP Cluster on Gaia OS - State of a Cluster Member that is ready to be promoted to Master state (if Master member fails). (2) In VSX Cluster configured in Virtual System Load Sharing mode with three or more Cluster Members - State of a Virtual System on a third (and so on) VSX Cluster Member. (3) A Cluster Member or Virtual System in this state does not process any traffic passing through cluster. link, if the Primary link fails. When the Primary link is restored, new connections are assigned to it. Existing connections continue on the Backup link until they are complete. In this mode, incoming connections (from the Internet to application servers in the DMZ or internal networks) also benefit, because the Cluster returns packets using the same ISP Link, through which the connection was initiated.

Mode

Description

Load Sharing

Uses all links to distribute the load of connections.

The incoming connections are alternated.

You can configure best relative loads for the links (set a faster link to handle more load).

New connections are randomly assigned to a link.

If one link fails, the other link takes the load.

In this mode, incoming connections can reach the application servers through any of ISP links because the Cluster can answer DNS requests for the IP address of internal servers with IP addresses from both ISPs by alternating their order.

Primary/Backup

Uses one link for connections.

It switches to the Backup (1) In VRRP Cluster on Gaia OS - State of a Cluster Member that is ready to be promoted to Master state (if Master member fails). (2) In VSX Cluster configured in Virtual System Load Sharing mode with three or more Cluster Members - State of a Virtual System on a third (and so on) VSX Cluster Member. (3) A Cluster Member or Virtual System in this state does not process any traffic passing through cluster. link, if the Primary link fails.

When the Primary link is restored, new connections are assigned to it.

Existing connections continue on the Backup link until they are complete.

In this mode, incoming connections (from the Internet to application servers in the DMZ or internal networks) also benefit, because the Cluster returns packets using the same ISP Link, through which the connection was initiated.

Best Practice:

If all ISP links are basically the same, use the Load Sharing A redundant cluster mode, where all Cluster Members process all incoming traffic in parallel. For more information, see "Load Sharing Multicast Mode" and "Load Sharing Unicast Mode". Synonyms: Active/Active, Load Balancing mode. Acronym: LS. mode to ensure that you are making the best use of all ISP links.
You may prefer to use one of your ISP links that is more cost-effective in terms of price and reliability.

In that case, use the Primary/Backup mode and set the more cost-effective ISP as the Primary ISP link.

Outgoing Connections

Mode	Description
Load Sharing	Outgoing traffic that exits the Cluster on its way to the Internet is distributed between the ISP Links. You can set a relative weight for how much you want each of the ISP Links to be used. For example, if one link is faster, it can be configured to route more traffic across that ISP link than the other links.
Primary/Backup	Outgoing traffic uses an active State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. primary link. Hide NAT is used to change the source address of outgoing packets to the address of the interface, through which the packet leaves the Cluster. This allows return packets to be automatically routed through the same ISP link, because their destination address is the address of the correct link. Administrator configures the Hide NAT settings.

Mode

Description

Load Sharing

Outgoing traffic that exits the Cluster on its way to the Internet is distributed between the ISP Links.

You can set a relative weight for how much you want each of the ISP Links to be used.

For example, if one link is faster, it can be configured to route more traffic across that ISP link than the other links.

Primary/Backup

Outgoing traffic uses an active State of a Cluster Member that is fully operational: (1) In ClusterXL, this applies to the state of the Security Gateway component (2) In 3rd-party / OPSEC cluster, this applies to the state of the cluster State Synchronization mechanism. primary link.

Hide NAT is used to change the source address of outgoing packets to the address of the interface, through which the packet leaves the Cluster.

This allows return packets to be automatically routed through the same ISP link, because their destination address is the address of the correct link.

Administrator configures the Hide NAT settings.

Incoming Connections

For external users to make incoming connections, the administrator must:

Give each application server one routable IP address for each ISP.
Configure Static NAT to translate the routable addresses to the real server address.

If the servers handle different services (for example, HTTP and FTP), you can use NAT to employ only routable IP addresses for all the publicly available servers.

External clients use one of the assigned IP addresses. In order to connect, the clients must be able to resolve the DNS name of the server to the correct IP address.

Example

Note - The example below is for two ISP links. The subnets 172.16.0.0/24 and 192.168.0.0/24 represent public routable IP addresses.

The Web server www.example.com is assigned an IP address from each ISP:

192.168.1.2 from ISP A
172.16.2.2 from ISP B

If the ISP Link A is down State of a Cluster Member during a failure when one of the Critical Devices reports its state as "problem": In ClusterXL, applies to the state of the Security Gateway component; in 3rd-party / OPSEC cluster, applies to the state of the State Synchronization mechanism. A Cluster Member in this state does not process any traffic passing through cluster., then IP address 192.168.1.2 becomes unavailable, and the clients must be able to resolve the URL www.example.com to the IP address 172.16.2.2.

An incoming connection is established, based on this example, in the following sequence:

When an external client on the Internet contacts www.example.com, the client sends a DNS query for the IP address of this URL.

The DNS query reaches the Cluster.

The Cluster has a built-in mini-DNS server that can be configured to intercept DNS queries (of Type A) for servers in its domain.
A DNS query arriving at an interface that belongs to one of the ISP links, is intercepted by the Cluster.
If the Cluster recognizes the name of the host, it sends one of the following replies:
- In ISP Redundancy Primary/Backup mode, the Cluster replies only with the IP addresses associated with the Primary ISP link, as long as the Primary ISP link is active.
- In ISP Redundancy Load Sharing mode, the Cluster replies with two IP addresses, alternating their order.
If the Cluster is unable to handle DNS requests (for example, it may not recognize the host name), it passes the DNS query to its original destination or the DNS server of the domain example.com.
When the external client receives the reply to its DNS query, it opens a connection. Once the packets reach the Cluster, the Cluster uses Static NAT to translate the destination IP address 192.168.1.2 or 172.16.2.2 to the real server IP address 10.0.0.2.
The Cluster routes the reply packets from the server to the client through the same ISP link that was used to initiate the connection.