ISP Redundancy on a Cluster

Important - ISP Redundancy is not supported if Dynamic Routing is configured (Known Limitation PMTR-68991).

Note - For information about ISP Redundancy on a Security Gateway, see the R81.20 Quantum Security Gateway Guide.

Introduction

ISP Redundancy connects Cluster Members to the Internet through redundant Internet Service Provider (ISP) links.

ISP Redundancy monitors the ISP links and chooses the best current link.

Important - IP addresses in the table below are only examples.

Item 1: Internal network

Item 2: Switches

Item 3: Cluster Member A

Item 3a: Cluster interface connected to the internal network (IP address 10.10.10.0/24)

  • Interface IP address 10.10.10.11
  • Virtual IP address 10.10.10.1

Item 3b: Cluster interface (IP address 20.20.20.11) connected to the Sync network (IP address 20.20.20.0/24)

Item 3c: Cluster interface connected to a switch that connects to ISP A

  • Interface IP address 30.30.30.11
  • Virtual IP address 30.30.30.1

Item 3d: Cluster interface connected to a switch that connects to ISP B

  • Interface IP address 40.40.40.11
  • Virtual IP address 40.40.40.1

Item 4: Cluster Member B

Item 4a: Cluster interface connected to the internal network (IP address 10.10.10.0/24)

  • Interface IP address 10.10.10.22
  • Virtual IP address 10.10.10.1

Item 4b: Cluster interface (IP address 20.20.20.22) connected to the Sync network (IP address 20.20.20.0/24)

Item 4c: Cluster interface connected to a switch that connects to ISP B

  • Interface IP address 40.40.40.22
  • Virtual IP address 40.40.40.1

Item 4d: Cluster interface connected to a switch that connects to ISP A

  • Interface IP address 30.30.30.22
  • Virtual IP address 30.30.30.1

Item 5: ISP B

Item 6: ISP A

Item 7: Internet

ISP Redundancy Modes

ISP Redundancy configuration modes control the behavior of outgoing connections from internal clients to the Internet:

Load Sharing mode

Uses all links to distribute the load of connections. The incoming connections are alternated.

You can configure the best relative loads for the links (set a faster link to handle more load). New connections are randomly assigned to a link. If one link fails, the other link takes the load.

In this mode, incoming connections can reach the application servers through any of the ISP links, because the Cluster can answer DNS requests for the IP address of internal servers with IP addresses from both ISPs by alternating their order.

Primary/Backup mode

Uses one link for connections. It switches to the Backup link if the Primary link fails.

When the Primary link is restored, new connections are assigned to it. Existing connections continue on the Backup link until they are complete.

In this mode, incoming connections (from the Internet to application servers in the DMZ or internal networks) also benefit, because the Cluster returns packets using the same ISP link through which the connection was initiated.

Outgoing Connections

Load Sharing mode

Outgoing traffic that exits the Cluster on its way to the Internet is distributed between the ISP links. You can set a relative weight for how much you want each of the ISP links to be used. For example, if one link is faster, it can be configured to route more traffic across that ISP link than the other links.

Primary/Backup mode

Outgoing traffic uses an active primary link.

Hide NAT is used to change the source address of outgoing packets to the address of the interface through which the packet leaves the Cluster. This allows return packets to be automatically routed through the same ISP link, because their destination address is the address of the correct link. The administrator configures the Hide NAT settings.

Incoming Connections

For external users to make incoming connections, the administrator must:

  1. Give each application server one routable IP address for each ISP.

  2. Configure Static NAT to translate the routable addresses to the real server address.

If the servers handle different services (for example, HTTP and FTP), you can use NAT to employ only routable IP addresses for all the publicly available servers.

External clients use one of the assigned IP addresses. In order to connect, the clients must be able to resolve the DNS name of the server to the correct IP address.
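The link selection, Hide NAT return-path and DNS-alternation behaviour described in the ISP Redundancy Modes, Outgoing Connections and Incoming Connections sections above, as an added Python model that is not Check Point code and does not reflect the gateway's internal implementation. It assumes the example Virtual IPs from the diagram table (30.30.30.1 for ISP A, 40.40.40.1 for ISP B) and constructed per-server routable addresses; moving existing connections off a failed link is this model's own assumption.

```python
import random
from dataclasses import dataclass, field

LINK_ADDR = {"ISP A": "30.30.30.1", "ISP B": "40.40.40.1"}  # constructed: ISP-side Virtual IPs from the diagram

@dataclass
class IspRedundancy:
    mode: str            # "primary_backup" or "load_sharing"
    weights: dict        # relative load per link; the first key is the Primary link
    up: dict = field(default_factory=dict)
    conns: dict = field(default_factory=dict)   # connection id -> link carrying it
    dns_turn: int = 0    # rotates the order of DNS answers in Load Sharing mode

    def __post_init__(self):
        self.up = {name: True for name in self.weights}

    def select_link(self, conn_id, rng=random):
        # Choose the link for a new outgoing connection and remember the choice.
        avail = [n for n in self.weights if self.up[n]]
        if not avail:
            raise RuntimeError("all ISP links are down")
        if self.mode == "primary_backup":
            link = avail[0]  # Primary while it is up, otherwise the Backup
        else:                # weighted random choice among the links that are up
            link = rng.choices(avail, weights=[self.weights[n] for n in avail])[0]
        self.conns[conn_id] = link
        return link

    def hide_nat_source(self, conn_id):
        # Hide NAT: the packet leaves with the address of the link it was assigned to.
        return LINK_ADDR[self.conns[conn_id]]

    def return_link(self, dst_ip):
        # Reply packets are routed by destination address, so they arrive on the same link.
        return next(n for n, a in LINK_ADDR.items() if a == dst_ip)

    def link_failed(self, name):
        self.up[name] = False
        for cid in [c for c, l in self.conns.items() if l == name]:
            self.select_link(cid)  # model assumption: move connections off the dead link

    def link_restored(self, name):
        self.up[name] = True  # existing connections stay on the link they are using

    def dns_answer(self, public_ips):
        # Load Sharing: alternate the order of a server's per-ISP routable addresses.
        if self.mode != "load_sharing":
            return list(public_ips)
        k = self.dns_turn % len(public_ips)
        self.dns_turn += 1
        return public_ips[k:] + public_ips[:k]
```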