cinamitton asked:
Is it possible to add a second internet connection to a CheckPoint Splat firewall?

We have a CheckPoint firewall NGX R62 on the SPLAT platform with 6 ethernet ports.  Currently one port is connected to a T1 with AT&T.  Would like to know if we can connect another port to the internet with a cable modem from another service provider and if so how to configure it.
grimkin:

Hi there,

You can indeed add another connection and use this with Checkpoint's ISP Redundancy feature; however, this may not be quite what you are envisaging, as although it does work in a "load-sharing" mode, you do not have very much control over what goes in and out of which pipes.

Please take a look at this question: https://www.experts-exchange.com/questions/23757943/Hide-NAT-for-multiple-Internet-Pipes-for-inbound-SMTP.html where I have detailed a few points on limitations of ISP Redundancy.

If you could give us an idea of what you are hoping to achieve with another connection then we can give some more specific advice / suggestions.

HTH
cinamitton (asker):
Thanks for the quick reply.  I will take a look at the link you posted.  One of the in-house web developers is working on a new website and was concerned about bandwidth in our current configuration, and we suggested they get their own firewall and internet connection.  They did one of the two and got the cable internet line installed but want us to connect it to our CheckPoint firewall.  They were assuming that we could isolate the connection to their specific application and possibly let us use some of the bandwidth for some of our other services.
Grimkin,

I read through your points in the other posting and if I am understanding correctly Checkpoint allows for dual ISP connections with their redundancy feature but control of services is limited.  Can you outline for me the steps involved in activating the ISP redundancy feature on the Checkpoint?  

And if our cable connection includes an additional IP address, can I set up a rule with appropriate NAT to at least ensure that incoming connections to the webserver go over the cable ISP?

Thanks
Seems to me ISP redundancy was designed rather for a fail-over scenario than for a load-balancing one. I personally don't see either of them as production-level features.

In the case you are talking about I think Policy Based Routing or Source Routing (different words to define the same function) would work better. It is a feature of the Linux OS, so inherent to SPLAT as well. What it does is, depending on source IP, route traffic to the defined interface. So based on the src IP [of the server] in the LAN you could route it through the cable connection only. Combined with a static NAT rule you can then make incoming traffic come through the same line.
See more info here:
http://lartc.org/howto/lartc.rpdb.html
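The source-based policy routing described in the reply above, written out as an added example that is not from the thread or from Check Point: a plain-Linux sketch using iproute2 (`ip rule` / `ip route` with a secondary table) and iptables NAT. Every interface name, address and the table id is a constructed placeholder; the script prints the commands by default and only executes them when invoked as `apply` as root. It bypasses Check Point's own topology and NAT objects entirely, and as the next reply notes, that puts the box outside the vendor-supported configuration.

```shell
#!/bin/sh
# Added example (not part of the thread): route one LAN web server out
# the cable ISP by source address while the default route stays on the T1,
# and DNAT inbound HTTP/HTTPS on the single cable address to that server.
# All names and addresses below are hypothetical placeholders.
set -eu

T1_IF=eth0                 # T1 via the Cisco router; carries the default route
CABLE_IF=eth2              # cable modem; the ISP hands out one address
CABLE_IP=203.0.113.10      # the single cable-side address (assumed)
CABLE_GW=203.0.113.1       # cable provider's gateway (assumed)
LAN_IF=eth1
LAN_NET=192.168.10.0/24
WEB_SRV=192.168.10.20      # the developers' web server on the LAN (assumed)
TABLE=100                  # id of the secondary routing table

# Routing commands. Output only, so they can be reviewed before being applied.
pbr_route_cmds() {
    # Secondary table: LAN reachable directly, everything else via the cable gateway.
    echo "ip route add $LAN_NET dev $LAN_IF table $TABLE"
    echo "ip route add default via $CABLE_GW dev $CABLE_IF table $TABLE"
    # Selectors: packets sourced by the web server (including its replies to
    # DNAT'd inbound connections, since routing runs before the reverse NAT),
    # and packets the firewall itself sources from the cable address.
    echo "ip rule add from $WEB_SRV table $TABLE priority 100"
    echo "ip rule add from $CABLE_IP table $TABLE priority 101"
    echo "ip route flush cache"
}

# NAT commands: static-style mapping of the cable address to the web server.
pbr_nat_cmds() {
    for port in 80 443; do
        echo "iptables -t nat -A PREROUTING -i $CABLE_IF -d $CABLE_IP -p tcp --dport $port -j DNAT --to-destination $WEB_SRV:$port"
    done
    echo "iptables -t nat -A POSTROUTING -s $WEB_SRV -o $CABLE_IF -j SNAT --to-source $CABLE_IP"
    # Reverse-path filtering must be loose (2) on the cable side, or the kernel
    # drops packets whose best route is the T1; use 0 on kernels without loose mode.
    echo "sysctl -w net.ipv4.conf.$CABLE_IF.rp_filter=2"
}

pbr_all_cmds() {
    pbr_route_cmds
    pbr_nat_cmds
}

# Sanity check before applying: nothing generated may touch the T1 interface,
# and exactly the two source selectors above must be present.
pbr_check() {
    if pbr_all_cmds | grep -q "dev $T1_IF"; then
        return 1
    fi
    [ "$(pbr_route_cmds | grep -c '^ip rule')" -eq 2 ]
}

case "${1:-print}" in
    print) pbr_all_cmds ;;
    apply) pbr_check && pbr_all_cmds | sh -e ;;   # run as root on the gateway
    *)     echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Other LAN hosts match no `ip rule` and keep using the main table and the T1; only the web server (and the firewall's own cable-sourced traffic) is steered. If the cable provider assigns the address by DHCP rather than statically, `CABLE_IP` and `CABLE_GW` have to be refreshed from the lease before the rules are (re)installed.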
While you can do policy-based routing as a feature of Linux, be aware that if you implement this then Checkpoint will not support your machine.

If you need to do policy based routing then you should look at changing your platform to Nokia running IPSO 4.2 build 69 or later or use a router in front of your firewall to do the PBR for you.
Hi,

Firstly, what platform(s) is your enforcement on? Are you using a cluster and if so what technology are you using for it? (ClusterXL, Nokia IP Clustering etc.) We need to make sure ISPR is supported on your current hardware.

This is paramount before going near the below steps:

1. You need to make sure your external links are properly defined in your topology.
2. Go to the ISP redundancy tab, select the tick box and press the "set initial configuration" button - this should automatically define the links as per topology and routing table. It will alert you if any info is missing
3. The first link in the list will be your primary link so ideally use your biggest / most stable pipe for this.
4. Push the policy

How many VPNs have you got coming off this box? Are they Checkpoint boxes? Externally managed?
Our current configuration enforcement platforms:
       CheckPoint Firewall NGX R62 on SPLAT (HP Server) - Main Corporate Firewall
       CheckPoint VPN-1 UTM Edge (used only for a public internet hotspot on site)

No Clustering.
No point-to-point VPNs, only incoming SecureClient VPN connections.

Current connection is to AT&T T1 line connected to Cisco router then to Firewall.

The new ISP is through a local cable company and only provides one IP address associated with the MAC address of the adapter in the firewall.

Any considerations needed with the above configuration?

ASKER CERTIFIED SOLUTION by grimkin
This solution is only available to members.
Thanks again for all the help with Dual ISP setup.
This is an old post.  However, for the sake of users viewing this, Microsoft TMG 2010 supports this functionality.

Here's how I implemented it:

http://robsilver.org/isatmg/isp-redundancy-made-easy/

Hope this helps,