• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4612
  • Last Modified:

Is it possible to add a second internet connection to a CheckPoint Splat firewall?

We have a CheckPoint firewall NGX R62 on SPlat platform with 6 ethernet ports.  Currently one port is connected to a T1 with AT&T.  Would like to know if we can connect another port to the internet with a cable modem from another service provider and if so how to configure it.
0
cinamitton
Asked:
cinamitton
1 Solution
 
grimkinCommented:
Hi there,

You can indeed add another connection and use this with Checkpoint's ISP Redundancy feature; however this may not be quite what you are envisaging as although it does work in a "load-sharing" mode, you do not have very much control over what goes in and out of which pipes.

Please take a look at this question: http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Checkpoint_Firewall/Q_23757943.html where I have detailed a few points on limitations of ISP Redundancy.

If you could give us an idea of what you are hoping to achieve with another connection then we can make some more specific advice / suggestions,

HTH
0
 
cinamittonAuthor Commented:
Thanks for the quick reply.  I will take a look at the link you posted.  One of the web developers in house is working on a new website and was concerned about bandwidth in our current configuration, and we suggested they get their own firewall and internet connection.  They did one of the two and got the cable internet line installed, but want us to connect it to our CheckPoint firewall.  They were assuming that we could isolate the connection to their specific application and possibly let us use some of the bandwidth for some of our other services.
0
 
cinamittonAuthor Commented:
Grimkin,

I read through your points in the other posting and if I am understanding correctly Checkpoint allows for dual ISP connections with their redundancy feature but control of services is limited.  Can you outline for me the steps involved in activating the ISP redundancy feature on the Checkpoint?  

And if our cable connection includes an additional IP address, can I set up a rule with appropriate NAT to at least ensure that incoming connections to the webserver go over the cable ISP?

Thanks
0
 
yuriskCommented:
Seems to me ISP redundancy was designed rather for a fail-over scenario than for a load balancing one. I personally don't see either of them as production-level features.
In the case you are talking about I think Policy Based Routing or Source Routing (different words to define the same function) would work better. It is a feature of the Linux OS, so inherent to SPLAT as well. What it does is, depending on source IP, route traffic to the defined interface.
So based on src IP [of the server] in the LAN you could route it through the cable connection only. Combined with a static NAT rule you can then make incoming traffic come through the same line.
See more info here:
http://lartc.org/howto/lartc.rpdb.html
0
 
grimkinCommented:
While you can do policy-based routing as a feature of Linux, be aware that if you implement this then Checkpoint will not support your machine.

If you need to do policy-based routing then you should look at changing your platform to Nokia running IPSO 4.2 build 69 or later, or use a router in front of your firewall to do the PBR for you.
0
 
grimkinCommented:
Hi,

Firstly, what platform(s) is your enforcement on? Are you using a cluster and if so what technology are you using for it? (ClusterXL, Nokia IP Clustering, etc.) We need to make sure the ISPR is supported on your current hardware.

This is paramount before going near the below steps:

1. You need to make sure your external links are properly defined in your topology.
2. Go to the ISP redundancy tab, select the tick box and press the "set initial configuration" button - this should automatically define the links as per topology and routing table. It will alert you if any info is missing
3. The first link in the list will be your primary link so ideally use your biggest / most stable pipe for this.
4. Push the policy

How many VPNs have you got coming off this box? Are they Checkpoint boxes? Externally managed?
0
 
cinamittonAuthor Commented:
Our current configuration enforcement platforms:
       CheckPoint Firewall NGX 62 on Splat (HP Server)  Main Corporate Firewall
       CheckPoint VPN-1 UTM Edge  (Used only for a Public Internet Hotspot on site)

No Clustering.
No point-to-point VPNs, only incoming SecureClient VPN connections.

Current connection is to AT&T T1 line connected to Cisco router then to Firewall.

The new ISP is through a local cable company and only provides one IP address associated with the MAC address of the adapter in the firewall.

Any considerations needed with the above configuration?

0
 
grimkinCommented:
Hi,

No, there should be no issues with the above configuration.

Regarding wanting your incoming web connections to always go through your cable ISP, you would need to make sure the cable ISP is your first link in the table and statically NAT your webserver to a free public IP on that external subnet.

As long as both links are up and working this will suffice. In order to satisfy failover in case of cable ISP link failure, however, you would need to have a free IP on both external subnets and configure as per Secure Knowledge article sk25152, which reads as follows:

Outgoing Static NAT with ISP redundancy

Cause
By default, statically translated hosts, in an ISP redundancy configuration, are not allowed for open outgoing connections.
Solution
To allow statically translated hosts in an ISP redundancy configuration for open outgoing connections, use the following procedure.

Notes:

    * Assume that an internal host has an internal IP address, as well as one valid IP address from the address space of each Internet Service Provider (ISP).

    * Use the following notation:

      HOST_INTERNAL = internal IP address of the host
      HOST_VALID_A = valid address of the host from ISP_A (the first ISP)
      HOST_VALID_B = valid address of the host from ISP_B (the second ISP)


On the SmartCenter server:

   1. Define two dynamic objects: "DYN_ISP_A" and "DYN_ISP_B"

   2. Define an object with the IP address of HOST_INTERNAL.

   3. Define an object with the IP address of HOST_VALID_A.

   4. Define an object with the IP address of HOST_VALID_B.

   5. Define two Manual NAT rules, as follows:

      Rule 1

      Source = HOST_INTERNAL
      Destination = DYN_ISP_A
      XlateSRC = HOST_VALID_A
      XlateDST = Orig

      Rule 2

      Source = HOST_INTERNAL
      Destination = DYN_ISP_B
      XlateSRC = HOST_VALID_B
      XlateDST = Orig


      Notes:
          * You still need an inbound static NAT for incoming connections.

          * Do not use the DYN_ISP_ objects, created for outbound connections, on the incoming NAT rule. Using them causes the Security Gateways to stop passing all traffic, and you will then need to run fw unloadlocal, and push policy again. Use the HOST_VALID_ objects for incoming connections. For example:

            Rule 1

            Source = Any
            Destination = HOST_VALID_A
            XlateSRC = Orig
            XlateDST = HOST_INTERNAL

            Rule 2

            Source = Any
            Destination = HOST_VALID_B
            XlateSRC = Orig
            XlateDST = HOST_INTERNAL


   6. Run cpstop on the Security Gateway or cluster (on each cluster member).

   7. Run the following commands on the Security Gateway or cluster (on each cluster member):

      dynamic_objects -n DYN_ISP_A
      dynamic_objects -n DYN_ISP_B
      dynamic_objects -o DYN_ISP_A -r 0.0.0.0 0.0.0.0 -a
      dynamic_objects -o DYN_ISP_B -r 0.0.0.0 0.0.0.0 -a


   8. On the Security Gateway or cluster (on each cluster member), edit $FWDIR/bin/cpisp_update, and add the following lines before the "exit" line:

      # cpisp_update is a csh script; $USE_LINK1 is "1" while the first ISP link is active
      if ($USE_LINK1 == "1") then
        # link 1 active: DYN_ISP_A matches every destination, DYN_ISP_B only the dummy range
        dynamic_objects -o DYN_ISP_A -r 0.0.0.0 255.255.255.255 -a
        dynamic_objects -o DYN_ISP_B -r 0.0.0.0 255.255.255.255 -d
        dynamic_objects -o DYN_ISP_B -r 0.0.0.0 0.0.0.0 -a
      else
        # link 1 down: swap the roles so outbound NAT rule 2 (HOST_VALID_B) matches instead
        dynamic_objects -o DYN_ISP_B -r 0.0.0.0 255.255.255.255 -a
        dynamic_objects -o DYN_ISP_A -r 0.0.0.0 255.255.255.255 -d
        dynamic_objects -o DYN_ISP_A -r 0.0.0.0 0.0.0.0 -a
      endif

   9. Run cpstart on the Security Gateway or cluster (on each cluster member).

  10. Install the Security Policy on the Security Gateway/cluster.


Limitation:

In an ISP redundancy Load Sharing configuration, connections originating from HOST_INTERNAL will not be load shared. Instead, they will be routed through the first ISP link, as long as it is active. If the first link fails, outgoing connections from HOST_INTERNAL will be routed through the second ISP link.

Important: You must also configure the Operating System to answer ARP requests for the manual NAT IPs created above.

    * For a single Security Gateway, you can configure permanent ARP entries directly in the OS, or on the upstream router, or by using Check Point's $FWDIR/conf/local.arp file.

    * For clustered Security Gateways, you will need to use the $FWDIR/conf/local.arp file, for the NATs to persist after a failover.
0
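To make the mechanism in sk25152 concrete, here is an added Python model (written for this page, not code from the thread or from Check Point) of the dynamic-object ranges the cpisp_update hook toggles, the two outbound manual NAT rules, and the inbound rule written both as the SK requires and with the DYN_ISP_ objects it warns against. All addresses are constructed placeholders, and the names DynamicObject, gateway, outbound_xlate_src and inbound_xlate_dst are the model's own.

```python
import ipaddress
# Constructed placeholder addresses (RFC 5737 ranges), not from the thread.
HOST_INTERNAL = "10.0.0.5"
HOST_VALID_A = "198.51.100.10"  # the host's address from ISP_A's block
HOST_VALID_B = "203.0.113.10"   # the host's address from ISP_B's block

def _n(addr):
    return int(ipaddress.ip_address(addr))

class DynamicObject:
    """Models 'dynamic_objects -o NAME -r LOW HIGH -a|-d': a set of IP ranges."""
    def __init__(self):
        self.ranges = set()
    def add(self, low, high):
        self.ranges.add((_n(low), _n(high)))
    def delete(self, low, high):
        self.ranges.discard((_n(low), _n(high)))
    def matches(self, addr):
        return any(lo <= _n(addr) <= hi for lo, hi in self.ranges)

def cpisp_update_hook(dyn_a, dyn_b, use_link1):
    """The csh block the SK adds before 'exit' in $FWDIR/bin/cpisp_update."""
    up, down = (dyn_a, dyn_b) if use_link1 else (dyn_b, dyn_a)
    up.add("0.0.0.0", "255.255.255.255")       # active link: match any destination
    down.delete("0.0.0.0", "255.255.255.255")  # failed link: match nothing...
    down.add("0.0.0.0", "0.0.0.0")             # ...but keep the object non-empty

def gateway(link1_up):
    """Step 7 initial ranges, then the hook as ISP Redundancy runs it."""
    dyn_a, dyn_b = DynamicObject(), DynamicObject()
    dyn_a.add("0.0.0.0", "0.0.0.0")
    dyn_b.add("0.0.0.0", "0.0.0.0")
    cpisp_update_hook(dyn_a, dyn_b, link1_up)
    return dyn_a, dyn_b

def outbound_xlate_src(link1_up, dst="192.0.2.80"):
    """Outbound manual NAT rules 1 and 2 from the SK; first match wins."""
    dyn_a, dyn_b = gateway(link1_up)
    for dyn, xlate in ((dyn_a, HOST_VALID_A), (dyn_b, HOST_VALID_B)):
        if dyn.matches(dst):
            return xlate
    return HOST_INTERNAL  # no rule matched: source left untranslated

def inbound_xlate_dst(link1_up, dst, misuse_dyn_objects=False):
    """Inbound static NAT on HOST_VALID_* (correct) or on DYN_ISP_* (the SK's warning)."""
    if misuse_dyn_objects:
        hit = any(d.matches(dst) for d in gateway(link1_up))  # true for any address
    else:
        hit = dst in (HOST_VALID_A, HOST_VALID_B)
    return HOST_INTERNAL if hit else dst
```

With the DYN_ISP_ objects in the inbound rule, every inbound destination on the external side is rewritten to HOST_INTERNAL, which is the "stops passing all traffic" failure the SK describes.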
 
cinamittonAuthor Commented:
Thanks again for all the help with Dual ISP setup.
0
 
RobSilverCommented:
This is an old post.  However, for the sake of users viewing this, Microsoft TMG 2010 supports this functionality.

Here's how I implemented it:

http://robsilver.org/isatmg/isp-redundancy-made-easy/

Hope this helps,
0
