How to Configure ISP Redundancy in SecurePlatform
4 January 2012
© 2012 Check Point Software Technologies Ltd.
Important Information
Latest Documentation
The latest version of this document is at:
http://supportcontent.checkpoint.com/documentation_download?ID=12511
For additional technical information, visit the Check Point Support Center
(http://supportcenter.checkpoint.com).
Feedback
Check Point is engaged in a continuous effort to improve its documentation.
Please help us by sending your comments
(mailto:cp_techpub_feedback@checkpoint.com?subject=Feedback on How to Configure ISP Redundancy in SecurePlatform).
Supported Versions
NGX R65
R70
R71
R75
Supported OS
SecurePlatform 2.4
SecurePlatform 2.6
Supported Appliances
UTM-1
Power-1
If the gateway has multiple external interfaces, packets sent to a client in Office Mode might be routed
incorrectly, because the destination IP address is replaced when the packet is encapsulated.
To avoid this, select Support connectivity enhancement for gateways with multiple external interfaces in the
gateway. Do not select this option if your gateway has only one external interface. This option affects
performance.
2. Open Topology > ISP redundancy and select Support ISP Redundancy.
2. Enter the host names and IP addresses for both ISP links.
4. Under Tracking, select the desired tracking method for ISP Link failure and for ISP Link recovery.
2. In the ISP Link window, in the Advanced tab, select the relevant host objects to monitor and click Add.
Note - Do not use the same hosts for both ISP links. This would cause
both links to fail when the ICMP check to a duplicated host fails.
3. Click OK.
4. Install the policy.
Troubleshooting
Confirm and install
Click OK to confirm the changes and install the policy on the relevant gateway object(s).
Debug ISP Redundancy
ISP redundancy is a part of the gateway configuration. To debug it and provide Check Point Technical
Support with the relevant data for a traffic issue:
1. Disable SecureXL: fwaccel off
2. Run this Kernel Debug:
Note - This debug causes additional high load on the system CPU.
Depending on the current CPU load and traffic, consider scheduling a
Maintenance window.
fw ctl debug 0
fw ctl debug -buf 32000
fw ctl debug -m fw + drop conn ld misp
fw ctl kdebug -T -f > kdb.txt
3. Open another command shell and run the FW Monitor command (do not filter):
fw monitor -e "accept;" -o fwmon.cap
4. Do not run the debugs for too long (more than 1-2 minutes), because the file size grows rapidly.
5. After capturing data that shows the problem, stop the debug: press Ctrl+C and run: fw ctl debug 0
6. Stop FW Monitor: press Ctrl+C.
7. Enable SecureXL: fwaccel on
8. Review the kernel debug output in an advanced text editor, and the FW Monitor capture in the
Wireshark/Ethereal sniffer.
In complex cases, assuming you hold a valid Check Point support contract, open a service request and
provide these materials to Check Point Technical Support.
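
The following wrapper is an added example, not part of the original Check Point document. It runs steps 1 to 7 of the debug procedure above with a hard time limit, and restores the debug flags and SecureXL even if the capture is interrupted. The variables RUN, DURATION and OUT and the function names are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not Check Point code): time-boxed wrapper for steps 1-7 above.
# RUN, DURATION, OUT and the function names are assumptions of this sketch.
RUN=${RUN-echo}           # default "echo" only prints each command (dry run);
                          # export RUN="" on the gateway to really execute them
DURATION=${DURATION:-60}  # seconds of capture; the page warns against > 1-2 minutes
OUT=${OUT:-.}             # directory that receives kdb.txt and fwmon.cap

restore() {
    # Steps 5-7: stop both captures, clear the debug flags, re-enable SecureXL.
    # Both captures are stopped before the flags are cleared; safe to run twice.
    kill $KPID $MPID 2>/dev/null || true
    wait $KPID $MPID 2>/dev/null || true
    KPID= MPID=
    $RUN fw ctl debug 0
    $RUN fwaccel on
}

capture() {
    # Refuse long or non-numeric durations: the output files grow rapidly.
    [ "$DURATION" -le 120 ] 2>/dev/null || { echo "DURATION must be at most 120 s" >&2; return 2; }
    # Install the cleanup first so an interrupt never leaves SecureXL off
    # or the kernel debug flags set.
    trap restore EXIT
    trap 'exit 130' INT TERM
    $RUN fwaccel off                                    # step 1
    $RUN fw ctl debug 0                                 # step 2
    $RUN fw ctl debug -buf 32000
    $RUN fw ctl debug -m fw + drop conn ld misp
    $RUN fw ctl kdebug -T -f > "$OUT/kdb.txt" &
    KPID=$!
    $RUN fw monitor -e "accept;" -o "$OUT/fwmon.cap" &  # step 3, unfiltered
    MPID=$!
    sleep "$DURATION"                                   # step 4
    restore
    trap - EXIT INT TERM
}

# Runs only when asked to: sh capture.sh run
if [ "${1:-}" = run ]; then capture; fi
```

Run it once in the default dry-run mode to check the printed command sequence before setting RUN to the empty string on the gateway.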