
Configuring ISP Link Redundancy

Page 1 of 3


In This Section
Introduction to ISP Link Redundancy Configuration
Registering the Domain and Obtaining IP Addresses
DNS Server Configuration for Incoming Connections
Dialup Link Setup for Incoming Connections
SmartDashboard Configuration
Configuring Default Route for ISP Redundancy Gateway

Introduction to ISP Link Redundancy Configuration


The following ISP Redundancy configuration allows outgoing connections from behind the Security Gateway to the Internet and incoming connections from the Internet to the networks behind the Security Gateway.

Note - For advanced configuration options, see SecureKnowledge solution sk23630 at http://supportcontent.checkpoint.com/solutions?id=sk23630 (your username and password are required).

Note - In the following configuration examples, the subnets 192.168.1.0/24 and 172.16.2.0/24 represent public routable addresses.

Registering the Domain and Obtaining IP Addresses


The Security Gateway, or a DNS server behind it, must respond to DNS queries and resolve IP addresses that belong to publicly accessible servers in the DMZ (or another internal network). It is not necessary to have an actual DNS server because the Security Gateway can be configured to intercept the DNS queries.

To register the domain and obtain IP addresses:

1. Obtain one routable IP address from each ISP for the DNS server or for the Security Gateway that intercepts DNS queries. If routable IP addresses are not available, make the DNS server accessible from the Internet using manual NAT (step 2).
2. Register your domain (for example, example.com) with both ISPs.
3. Inform both ISPs of the two addresses of the DNS server that respond to DNS queries for the example.com domain.
4. To allow incoming connections, obtain one routable IP address from each ISP for each application server that is accessed from the Internet. For example, obtain two IP addresses for the Web server in DMZ-net. To avoid using routable IP addresses for the publicly available servers, see step 2.

DNS Server Configuration for Incoming Connections


The following section describes a DNS server configuration for incoming connections where the firewall is configured to intercept DNS queries to a Web server (for example, www.example.com in Figure 1-37) that arrive at the Security Gateway external interfaces and to respond to them with ISP addresses 192.168.1.2 and 172.16.2.2.

To configure the DNS server for incoming connections:

1. In the DNS Proxy tab of the ISP Redundancy window, select Enable DNS proxy.
2. The Security Gateway responds to DNS queries with either one or two IP addresses, depending on the status of the ISP link and the redundancy mode. To configure this behavior, map each server name to an IP address pair by clicking Add... in the DNS Proxy tab.
3. Type a Host name (for example, www.example.com).
4. Add an IP address for ISP-1 (for example, 192.168.1.2 in Figure 1-37) and an IP address for ISP-2 (for example, 172.16.2.2).

mk:@MSITStore:F:\Program%20Files\CheckPoint\SmartConsole\R70\PROGRAM\FwP... 08/11/2010


It is important to ensure that DNS servers in the Internet do not store out-of-date address information. Each DNS reply has a Time To Live (TTL) field which indicates to the recipients of the reply how long the information in the reply may be cached. By default, the Security Gateway replies with a TTL of 15 seconds. This can be changed in the DNS TTL field.
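As an added illustration (not Check Point's code or the page's own), the following Python models the DNS proxy answer logic described above: each host name maps to one address per ISP, answers carry the 15-second default TTL, and which addresses are returned depends on link state and redundancy mode. The class and method names are assumptions, as is the Primary/Backup reading (only the primary link's address while that link is up); a real gateway derives link state from its own monitoring.

```python
from dataclasses import dataclass

DEFAULT_TTL = 15  # the page states the gateway replies with a 15-second TTL by default


@dataclass
class IspLink:
    name: str
    primary: bool = False  # only meaningful in Primary/Backup mode


class DnsProxy:
    """Hypothetical model of the ISP Redundancy DNS proxy (assumed name)."""

    def __init__(self, mode, links, ttl=DEFAULT_TTL):
        if mode not in ("Load Sharing", "Primary/Backup"):
            raise ValueError("unknown redundancy mode: " + mode)
        self.mode = mode
        self.links = list(links)          # ordered: index 0 is ISP-1, index 1 is ISP-2
        self.ttl = ttl                    # the DNS TTL field of the DNS Proxy tab
        self.hosts = {}                   # host name -> (address via ISP-1, address via ISP-2)
        self.link_up = {link.name: True for link in self.links}

    def add_host(self, host_name, ip_isp1, ip_isp2):
        """Equivalent of Add... in the DNS Proxy tab: one address pair per host."""
        self.hosts[host_name.lower().rstrip(".")] = (ip_isp1, ip_isp2)

    def set_link_state(self, link_name, up):
        self.link_up[link_name] = up

    def answer(self, qname):
        """Return (ttl, [addresses]) for an A query, or None if the name is not mapped.

        Only addresses reachable over a link that is up are returned, so a short TTL
        matters: cached answers older than the TTL may still point at a failed ISP.
        """
        pair = self.hosts.get(qname.lower().rstrip("."))
        if pair is None:
            return None
        live = [(link, ip) for link, ip in zip(self.links, pair) if self.link_up[link.name]]
        if self.mode == "Primary/Backup":
            # assumption: prefer the primary link's address; fall back to the backup only
            # when the primary link is down
            addrs = [ip for link, ip in live if link.primary] or [ip for _, ip in live]
        else:
            addrs = [ip for _, ip in live]  # Load Sharing: every live link's address
        return self.ttl, addrs
```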

Dialup Link Setup for Incoming Connections


To configure a dialup link for incoming connections:

1. If one of the ISP links is a dialup network, edit the ISP Redundancy Script located in $FWDIR/bin/cpisp_update.
2. In the script, use the Linux or SecurePlatform operating system command to bring up or to take down the dialup interface.
3. You can connect SecurePlatform to ISPs that provide xDSL services using PPPoE or PPTP xDSL modems. If using one of these connections, in the PPPoE or PPTP configuration of SecurePlatform, clear the Use Peer Gateway option.

SmartDashboard Configuration
To configure SmartDashboard:

1. Define a Security Rule Base rule that accepts DNS traffic through the Security Gateway using the domain_udp service.
2. In the Check Point Gateway window > Topology page, define the Security Gateway interfaces leading to the ISPs.
3. Select Topology > ISP Redundancy and then the Support ISP Redundancy option.
4. Perform either Automatic ISP Link Configuration (follow step 1 to step 4) or Manual ISP Link Configuration (follow step 1 to step 5). Automatic configuration only works if there are exactly two external interfaces defined in the Topology page (it does not work for gateway cluster objects).

Automatic ISP Link Configuration

1. Click Automatic ISP Links configuration to configure the ISP links based on information taken from the routing table of the gateway and the Topology page of the gateway object.
2. To work in Primary/Backup mode, do the following:
   a. In the Redundancy Mode section, select Primary/Backup.
   b. Select the link and then Edit to define the link you want to be primary.
   c. In the General tab of the ISP Link Properties window, select Primary ISP.
3. Examine the automatically configured ISP Links configuration for correctness.
4. Continue to step 1.

Manual ISP Link Configuration

1. In the Redundancy Mode section, select Load Sharing or Primary/Backup.
2. Click Add to define each of the ISP links.
3. In the General tab of the ISP Link Properties window, configure the following:
   a. Name the ISP link and select the Interface leading to the ISP.
   b. Specify the Next Hop IP Address by clicking Get from routing table. If the ISP link is a dialup connection, leave the Next Hop IP Address field blank. In Figure 1-38, the next hop router on the way to ISP A has the IP address 192.168.1.1 and the next hop router on the way to ISP B has the IP address 172.16.2.1.
   c. In Primary/Backup mode, define whether the ISP link is Primary.
4. Define a list of hosts to be monitored to verify that the link is operational. To specify the hosts, select the Advanced tab of the ISP Link Properties window and then Add to add the hosts to the list of Selected hosts.
5. Define Tracking by selecting an option for both ISP failure and ISP recovery.

Allowing Incoming and Outgoing Connections


1. To allow outgoing connections through both ISP links, define automatic Hide NAT on network objects that initiate the outgoing connections. Using the example shown in Figure 1-37, configure the following:
   a. Edit the internal_net object.
   b. In the General tab of the Network Properties window, select Add Automatic Address Translation Rules.


   c. Select the Hide Translation Method and then the Hide behind Gateway option.

2. To allow incoming connections through both ISP links to the application servers and the DNS server, define manual Static NAT rules. If you have only one routable IP address from each ISP and those addresses belong to the Security Gateway, you can allow specific services for specific servers. Using the example shown in Figure 1-37, define the NAT rules listed in Table 1-15. In this example, incoming HTTP connections from both ISPs reach the Web server, www.example.com, and DNS traffic from both ISPs reaches the DNS server.

Table 1-15 Manual Static Rules for a Web Server and a DNS Server

Original Source  Original Destination  Original Service  Translated Source  Translated Destination  Translated Service  Comment
Any              192.168.1.2           http              =                  10.0.0.2 (Static)       =                   Incoming Web ISP A
Any              172.16.2.2            http              =                  10.0.0.2 (Static)       =                   Incoming Web ISP B
Any              192.168.1.2           domain_udp        =                  10.0.0.3 (Static)       =                   Incoming DNS ISP A
Any              172.16.2.2            domain_udp        =                  10.0.0.3 (Static)       =                   Incoming DNS ISP B

If you have a routable address from each ISP for each publicly reachable server (in addition to the addresses that belong to the Security Gateway), you can allow any service to reach the application servers by giving each server a nonroutable address. In the NAT Rule Base in Table 1-15, do the following:
   a. Use the routable addresses in the Original Destination.
   b. Use the nonroutable address in the Translated Destination.
   c. Select Any as the Original Service.

Note - If using Manual NAT, automatic ARP does not work for the NATed addresses. On Linux and SecurePlatform, use local.arp. On IPSO, set up Proxy ARP.
3. Save and install the security policy.
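The following Python is an added example, not Check Point's code: a first-match model of the manual Static NAT rule base in Table 1-15 and of the per-server variant described in step 2. It uses the page's addresses; the rule and packet types, the sample packets and the per-server addresses 192.168.1.5 and 172.16.2.5 are constructed for the example.

```python
from collections import namedtuple

# "Any" matches every value and "=" keeps the original value, as in Table 1-15.
NatRule = namedtuple("NatRule", "orig_src orig_dst orig_svc xl_src xl_dst xl_svc comment")
Packet = namedtuple("Packet", "src dst svc")

# Table 1-15: only http and domain_udp are translated, because the routable
# addresses belong to the Security Gateway itself.
TABLE_1_15 = [
    NatRule("Any", "192.168.1.2", "http",       "=", "10.0.0.2", "=", "Incoming Web ISP A"),
    NatRule("Any", "172.16.2.2",  "http",       "=", "10.0.0.2", "=", "Incoming Web ISP B"),
    NatRule("Any", "192.168.1.2", "domain_udp", "=", "10.0.0.3", "=", "Incoming DNS ISP A"),
    NatRule("Any", "172.16.2.2",  "domain_udp", "=", "10.0.0.3", "=", "Incoming DNS ISP B"),
]


def _matches(field, value):
    return field == "Any" or field == value


def _translate(field, value):
    return value if field == "=" else field


def apply_nat(rules, pkt):
    """Return (translated packet, matching rule); (pkt, None) when no rule matches,
    i.e. the connection is left untranslated and does not reach an internal server."""
    for rule in rules:
        if (_matches(rule.orig_src, pkt.src) and _matches(rule.orig_dst, pkt.dst)
                and _matches(rule.orig_svc, pkt.svc)):
            translated = Packet(_translate(rule.xl_src, pkt.src),
                                _translate(rule.xl_dst, pkt.dst),
                                _translate(rule.xl_svc, pkt.svc))
            return translated, rule
    return pkt, None


def per_server_rules(routable_addrs, internal_ip, label):
    """Rules for the page's second variant: the server has its own routable address
    from each ISP (ordered ISP A, ISP B), so Original Service can be Any."""
    return [NatRule("Any", addr, "Any", "=", internal_ip, "=",
                    "Incoming %s ISP %s" % (label, isp))
            for isp, addr in zip("AB", routable_addrs)]
```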

Configuring Default Route for ISP Redundancy Gateway


Configure the ISP Redundancy gateway machine with only a single default route and do not give it a metric. When working in a Primary/Backup mode, set the IP address of the router leading to the primary ISP as the default route. When working in Load Sharing mode, use the router of the first ISP link in the ISP Redundancy window as the default route. When an ISP link fails, the default route of the gateway is automatically changed by means of the ISP Redundancy script. When the link is up again, the original default route is reinstated.

Check Point Software Technologies Ltd


Copyright 2003-2009 Check Point Software LTD. All rights reserved. For additional technical information about Check Point products, consult Check Point's Support Center.

