
How to Configure ISP Redundancy in SecurePlatform

4 January 2012
© 2012 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.
Important Information
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=12511
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).

Revision History
Date Description

04 January 2012 First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How to Configure ISP Redundancy in SecurePlatform).
Contents

Important Information
How to Configure ISP Redundancy in SecurePlatform
  Objective
    Supported Versions
    Supported OS
    Supported Appliances
  Before You Start
    Related Documentation and Assumed Knowledge
    Known Issues and Solutions
    Impact on the Environment and Warnings
  Configuring ISP Redundancy in SecurePlatform
  Troubleshooting

How to Configure ISP Redundancy in SecurePlatform

Objective
This guide explains how to set up Internet Service Provider (ISP) Redundancy.

Supported Versions
• NGX R65
• R70
• R71
• R75

Supported OS
• SecurePlatform 2.4
• SecurePlatform 2.6

Supported Appliances
• UTM-1
• Power-1

Before You Start


Related Documentation and Assumed Knowledge
The R65, R70, R71, and R75 Firewall Admin Guides contain information about the topology options, VPN and
NAT considerations, link types, and fine-tuning modifications available for ISP Redundancy:
• R65 Firewall Admin Guide (http://downloads.checkpoint.com/dc/download.htm?ID=7247)
• R70 Firewall Admin Guide (http://downloads.checkpoint.com/dc/download.htm?ID=8738)
• R71 Firewall Admin Guide (http://downloads.checkpoint.com/dc/download.htm?ID=8738)
• R75 Firewall Admin Guide (http://supportcontent.checkpoint.com/documentation_download?ID=11660)

Known Issues and Solutions
• Outgoing Static NAT with ISP Redundancy failing: sk25152
  (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk25152&js_peid=P-114a7bc3b09-10006&partition=Advanced&product=Security)
• Correcting an ISP Redundancy Hide NAT configuration error: sk31547
  (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk31547&js_peid=P-114a7bc3b09-10006&partition=Advanced&product=Security)
• Hide NAT does not work in ISP Redundancy Load Sharing: sk34209
  (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk34209&js_peid=P-114a7bc3b09-10006&partition=General&product=Security)
• Advanced configuration options for ISP redundancy: sk23630
  (http://supportcontent.checkpoint.com/solutions?id=sk23630)
• Configuring ISP Redundancy so that certain traffic uses specific ISP: sk32225
  (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk32225&js_peid=P-114a7bc3b09-10006&partition=General&product=Cluster)
• ISP Redundancy link interface cannot be created: sk31530
  (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk31530&js_peid=P-114a7bc3b09-10006&partition=Advanced&product=Security)
• DNS Proxy configuration does not change when ISP order is changed in NGX R65: sk40501
  (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk40501&js_peid=P-114a7bc3b09-10006&partition=General&product=Security)
• ISP Redundancy is missing from the gateway or cluster object: sk60590
  (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk60590&js_peid=P-114a7bc3b09-10006&partition=Advanced&product=SmartDashboard)

Impact on the Environment and Warnings
• ISP Redundancy cancels VPN Link Selection.
• If the gateway has multiple external interfaces, there might be a routing problem for packets sent to a
  client in Office Mode, because the destination IP address is replaced when the packet is encapsulated.
  Select Support connectivity enhancement for gateways with multiple external interfaces in the
  gateway. Do not select this option if your gateway has only one external interface. Selecting this option
  affects performance.

Configuring ISP Redundancy in SecurePlatform

Enable ISP Redundancy
1. Open the Gateway/Cluster object.
2. Open Topology > ISP redundancy and select Support ISP Redundancy.
3. Under Redundancy mode, select Load Sharing or Primary/Backup.
4. Click Add under the ISP Links table.
5. Name the link by its physical interface on the cluster member (see Edit Topology).
6. Select the primary interface leading to the ISP router/Next Hop.
7. Enter the ISP router/Next Hop IP address.
8. Repeat for the second ISP link.
9. If Primary/Backup is selected, under ISP Links in order of priority, select which link is the Primary
   (top) and which is the Backup (bottom).

Configure DNS Proxy
The Security Gateway, or a DNS server behind it, must respond to DNS queries and resolve IP addresses
that belong to publicly accessible servers in the DMZ (or another internal network). It is not necessary to
have an actual DNS server because the Security Gateway can be configured to intercept the DNS queries.

Enable DNS Proxy
1. Under DNS Proxy, select Enable DNS proxy and click Configure.
2. Enter the host names and IP addresses for both ISP links.
3. The host appears in the Host's Addresses window. Click OK.
4. Under Tracking, select the desired tracking method for ISP Link failure and for ISP Link recovery.

Configure ISP Monitoring Hosts
1. In the ISP links table, double-click a link.
2. In the ISP Link window, in the Advanced tab, select the relevant host objects to monitor and click Add.
   Note - Do not use the same hosts for both ISP links. If the ICMP check to a shared host fails,
   both links fail.
3. Click OK.
4. Install the policy.

Troubleshooting

Confirm and install
Click OK to confirm the changes and install the policy on the relevant gateway object(s).

Debug ISP Redundancy
ISP Redundancy is part of the gateway configuration. To debug it and provide Check Point Technical
Support with the relevant data for a traffic issue:
1. Disable SecureXL: fwaccel off
2. Run this kernel debug:
   Note - This debug puts a high additional load on the system CPU.
   Depending on the current CPU load and traffic, consider scheduling a
   maintenance window.
   fw ctl debug 0
   fw ctl debug -buf 32000
   fw ctl debug -m fw + drop conn ld misp
   fw ctl kdebug -T -f > kdb.txt
3. Open another command shell and run the FW Monitor command (do not filter):
   fw monitor -e "accept;" -o fwmon.cap
4. Do not run the debugs for too long (more than 1-2 minutes), because the file size grows rapidly.
5. After capturing data for the problem, stop the debug: press Ctrl+C and run: fw ctl debug 0
6. Stop FW Monitor: press Ctrl+C.
7. Enable SecureXL: fwaccel on
8. Review the kernel debug output in an advanced text editor, and the FW Monitor capture in the
   Wireshark/Ethereal sniffer.
In complex cases, assuming you hold a valid Check Point support contract, open a service request and
provide these materials to Check Point Technical Support.
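
The capture procedure above as a time-boxed wrapper, added here as an example and not Check Point's own script: it issues the same commands, refuses a capture window longer than two minutes, and clears the debug flags and re-enables SecureXL even when interrupted. DURATION, OUTDIR, DRY_RUN and the function names are assumptions of this example, as is stopping both tools with SIGTERM instead of an interactive Ctrl+C.

```shell
#!/bin/bash
# Added example, not Check Point's script: time-boxed ISP Redundancy debug capture.
# The fw/fwaccel commands are the ones in the procedure; DURATION, OUTDIR and
# DRY_RUN are assumptions of this example.
DURATION="${DURATION:-90}"   # seconds to capture; the guide advises 1-2 minutes at most
OUTDIR="${OUTDIR:-.}"        # where kdb.txt and fwmon.cap are written
DRY_RUN="${DRY_RUN:-0}"      # 1 = print each command instead of running it
KDBG_PID=""; MON_PID=""

run() {                      # execute a command, or only print it in dry-run mode
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

restore() {                  # steps 5-7: stop both captures, clear flags, SecureXL back on
    # Assumption: both tools stop cleanly on SIGTERM.
    if [ -n "$KDBG_PID" ]; then kill "$KDBG_PID" 2>/dev/null; fi
    if [ -n "$MON_PID" ]; then kill "$MON_PID" 2>/dev/null; fi
    KDBG_PID=""; MON_PID=""
    run fw ctl debug 0
    run fwaccel on
}

capture() {
    if [ "$DURATION" -gt 120 ]; then
        echo "refusing: DURATION=$DURATION exceeds 120 seconds" >&2
        return 1
    fi
    trap 'restore; exit 130' INT TERM   # an interrupted run must not leave SecureXL off
    run fwaccel off                     # step 1
    run fw ctl debug 0                  # step 2: reset, size the buffer, set the flags
    run fw ctl debug -buf 32000
    run fw ctl debug -m fw + drop conn ld misp
    if [ "$DRY_RUN" = 1 ]; then
        echo "fw ctl kdebug -T -f > $OUTDIR/kdb.txt"
        echo "fw monitor -e \"accept;\" -o $OUTDIR/fwmon.cap"
    else
        fw ctl kdebug -T -f > "$OUTDIR/kdb.txt" &
        KDBG_PID=$!
        fw monitor -e "accept;" -o "$OUTDIR/fwmon.cap" &   # step 3, unfiltered
        MON_PID=$!
        sleep "$DURATION"               # step 4: bounded capture window
    fi
    restore
}

# Run for real only when asked to: ./isp_debug.sh run
if [ "${1:-}" = "run" ]; then capture; fi
```

Running it first with DRY_RUN=1 prints the command sequence for review before a maintenance window.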
