Configuring ISP Redundancy on a Security Gateway

Important:

ISP Redundancy requires a minimum of two interfaces.
If you configure a Cloning Group and ISP Redundancy on a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected., then you must enable the Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. feature "Kernel Routes". See the R81.20 Gaia Advanced Routing Administration Guide.

Connect with SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. to the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. that manages this Security Gateway / Scalable Platform Security Group.
From the left navigation panel, click Gateways & Servers.
Open the applicable Security Gateway / Security Group object.
Click Other > ISP Redundancy.
Select Support ISP Redundancy.
Select the redundancy mode:
- Load Sharing - traffic is sent in a round-robin method over all configured ISP Links.
- Primary/Backup - traffic is sent only over one ISP Link until it goes down (the order of arranged ISP Links determines in which order to use them).

Configure the ISP Links (at least two, at maximum ten).

To configure more than two ISP links, the Management Server and a Security Gateway / Scalable Platform Security Group must run the version R81.10 and higher.

Procedure

Make sure you have the ISP data - the speed of the link and next hop IP address.

If the Security Gateway / Security Group object has at least two interfaces with the Topology "External" in the Network Management page, you can configure the ISP links automatically.
Configuring ISP links automatically
1. Click Other > ISP Redundancy.
2. Click Set initial configuration.
  
  The ISP Links are added automatically.
3. If you selected the Primary/Backup mode, make sure the Primary interface is first in the list.
  
  Use the arrows on the right to change the order.
4. Click OK.

If the Security Gateway / Security Group object has only one interface with the Topology "External" in the Network Management page, you must configure the ISP links manually.

Note - We recommend to configure the Topology "External" for each interface the Security Gateway / Scalable Platform Security Group needs to use for ISP Redundancy.

Configuring ISP links manually

Click Other > ISP Redundancy.
In the IPS Links section, click Add.

The ISP Link window opens.
Click the General tab.
In the Name field, enter a name for this ISP link.

The name you enter here is used in the ISP Redundancy commands (see Controlling ISP Redundancy from CLI).
In the Interface field, select the correct interface of the Security Gateway / Security Group for this ISP link.

If one of the ISP links is the connection to a backup ISP, configure the ISP Redundancy Script (see Controlling ISP Redundancy from CLI).
In the Next Hop IP Address field:
- If the Security Gateway / Security Group object has at least two interfaces with the Topology "External" in the Network Management page, leave this field empty and click Get from routing table. The next hop is the default gateway.
- If the Security Gateway / Security Group object has only one interface with the Topology "External" in the Network Management page, enter the corrent IP address of the next hop.
If earlier you selected the Load Sharing mode, then in the Weight field, enter the applicable value.

For equal traffic distribution between the IPS Check Point Software Blade on a Security Gateway that inspects and analyzes packets and data for numerous types of risks (Intrusion Prevention System). links, enter the applicable ratio in each ISP link (100% / Number of ISP Links):
- For two ISP links, enter 50 in each.
- For three ISP links, enter 33 in each.
- For four ISP links, enter 25 in each.
- and so on.
If one ISP link is faster, increase this value and decrease it for the other ISP links, so that the sum of these values is always equal 100.
Optional: Click the Advanced tab and configure hosts to be monitored, to make sure the link is working.

Add the applicable host objects in the Selected hosts section.
Click OK.

Configure the Security Gateway / Security Group to be the DNS server.

Procedure

The Security Gateway / Security Group, or a DNS server behind it, must respond to DNS queries.

It resolves IP addresses of servers in the DMZ (or another internal network).

Get a public IP address from each ISP. If public IP addresses are not available, register the domain to make the DNS server accessible from the Internet.

The Security Gateway / Security Group intercepts DNS queries "Type A" for the web servers in its domain that come from external hosts.

If the Security Gateway / Security Group recognizes the external host, it replies:
- In ISP Redundancy Load Sharing mode, the Security Gateway / Security Group replies with IP addresses of all ISP links, alternating their order.
- In ISP Redundancy Primary/Backup mode, the Security Gateway / Security Group replies with the IP addresses of the active ISP link.
If the Security Gateway / Security Group does not recognize the host, it passes the DNS query on to the original destination, or to the domain DNS server.

To enable the DNS server:

Click Other > ISP Redundancy.
Select Enable DNS Proxy.
Click Configure.
Add your DMZ or Web servers.

Configure each server with a public IP address from each ISP.
In the DNS TTL, enter a number of seconds.

This sets a Time To Live for each DNS reply.

DNS servers in the Internet cannot cache your DNS data in the reply for longer than the TTL.
Click OK.

Configure Static NAT to translate the public IP addresses to the real server's IP address.

External clients use one of the configured IP addresses.

Note - If the servers use different services (for example, HTTP and FTP), you can use NAT for only the configured public IP addresses.

Define an Access Control Policy rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.:

Name	Source	Destination	VPN	Services & Applications	Action	Track	Install On
DNS Proxy	Applicable sources	Applicable DNS Servers	`Any`	`domain_udp`	`Accept`	`None`	`Policy Targets`

To register the domain and get IP addresses:

Register your domain with each ISP.
Tell the ISP the configured IP addresses of the DNS server that respond to DNS queries for the domain.
For each server in the DMZ, get a public IP address from each ISP.
In SmartConsole, click Menu > Global properties.
From the left tree, click NAT - Network Address Translation.
In the Manual NAT rules section, select Translate destination on client side.
Click OK.

Configure the Access Control Policy for ISP Redundancy.

Procedure

The Access Control Policy must allow connections through the ISP links, with Automatic Hide NAT on network objects that start outgoing connections.

In the properties of the object for an internal network, select NAT > Add Automatic Address Translation Rules.
Select Hide behind the gateway.
Click OK.

Define rules for publicly reachable servers (Web servers, DNS servers, DMZ servers).

If you have one public IP address from each ISP for the Security Gateway / Security Group, define Static NAT.

Allow specific services for specific servers.

For example, configure NAT rules, so that incoming HTTP connections from your ISPs reach a Web server, and DNS connections from your ISPs reach the DNS server.

Example: Manual Static Rules for a Web Server and a DNS Server

Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services	Install On	Comment
`Any`	Host object with IP address of Web Server	`http`	`= Original`	_S 50.50.50.2	`= Original`	`Policy Targets`	Incoming Web - ISP A
`Any`	Host object with IP address of Web Server	`http`	`= Original`	_S 60.60.60.2	`= Original`	`Policy Targets`	Incoming Web - ISP B
`Any`	Host object with IP address of DNS Server	`domain_udp`	`= Original`	_S 50.50.50.3	`= Original`	`Policy Targets`	Incoming DNS - ISP A
`Any`	Host object with IP address of DNS Server	`domain_udp`	`= Original`	_S 60.60.60.3	`= Original`	`Policy Targets`	Incoming DNS - ISP B

If you have a public IP address from each ISP for each publicly reachable server (in addition to the Security Gateway / Security Group), configure the applicable NAT rules:
1. Give each server a private IP address.
2. Use the public IP addresses in the Original Destination.
3. Use the private IP address in the Translated Destination.
4. Select Any as the Original Service.

Note - If you use Manual NAT, then automatic ARP does not work for the IP addresses behind NAT. You must configure the local.arp file as described in sk30197.

Install the Access Control Policy on this Security Gateway / Security Group object.