How to Configure ISP Redundancy

29 September 2015

How To Configure ISP Redundancy

2015 Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our trademarks.

Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html for a list of relevant copyrights and third-party licenses.

Important Information Latest Software

We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation

The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?ID=12314

To learn more, visit the Check Point Support Center http://supportcenter.checkpoint.com.

Revision History

Date Description

29 September 2015 Clarification on Additional VPN Considerations (on page 14)

14 August 2014 To see some related documents you must log in to the User Center ("Related Documents and Assumed Knowledge" on page 5)

The location of the ISP Redundancy configuration page in SmartDashboard depends on the release ("Initial Configuration" on page 6)

22 April 2012 First release of this document

Feedback

Check Point is engaged in a continuous effort to improve its documentation.

Please help us by sending your comments (mailto:[email protected]?subject=Feedback on How To Configure ISP Redundancy ).

Contents Important Information ................................................................................................... 3 How To Configure ISP Redundancy ............................................................................... 5 Objective ........................................................................................................................ 5

Supported Versions ................................................................................................... 5 Supported Operating Systems .................................................................................. 5 Supported Appliances ............................................................................................... 5

Before You Start ............................................................................................................ 5 Related Documents and Assumed Knowledge .......................................................... 5 Impact on Environment and Warnings ...................................................................... 6

Configuring ISP Redundancy ......................................................................................... 6 Initial Configuration .................................................................................................. 6 Adding ISP Links ..................................................................................................... 10 Configuring DNS Proxy ........................................................................................... 10 Tracking .................................................................................................................. 11 VPN ......................................................................................................................... 12 Registering the Domain and Obtaining IP Addresses .............................................. 12 Allowing Incoming and Outgoing Connections ........................................................ 13 Alternative Deployment Options ............................................................................. 14 ISP Redundancy Script ............................................................................................ 14 Additional VPN Considerations ............................................................................... 14

Completing the Procedure .......................................................................................... 15 Verifying the Procedure .............................................................................................. 15

Traffic Behavior ....................................................................................................... 15 Index............................................................................................................................ 17


How To Configure ISP Redundancy | 5


Objective This document describes how to configure ISP redundancy.

Supported Versions All versions NGX and above

Supported Operating Systems IPS redundancy is supported on these platforms:

Red Hat Linux 7.2 or higher

IPSO 3.8.2 or higher

SecurePlatform

Note - Consult the release notes of your installed version(s) for the latest Linux and SecurePlatform support information before you configure ISP redundancy.

Supported Appliances All current:

IP Series (formerly Nokia)

UTM-1

Power-1 appliances.

Before You Start

Related Documents and Assumed Knowledge Note - To see advanced access documents, you must have a valid Support contract and sign in to the User Center (https://usercenter.checkpoint.com/usercenter/index.jsp). General access documents are public.

sk23630 http://supportcontent.checkpoint.com/solutions?id=sk23630 (Advanced access) Advanced configuration options for ISP redundancy

sk32225 http://supportcontent.checkpoint.com/solutions?id=sk32225 (General access) Configuring ISP Redundancy so that certain traffic uses specific ISP

Configuring ISP Redundancy


sk31530 http://supportcontent.checkpoint.com/solutions?id=sk31530 (General access) ISP Redundancy Link Interface cannot be created

sk40958 http://supportcontent.checkpoint.com/solutions?id=sk40958 (Advanced access) How do I verify the status of redundant ISP links from the firewall console?

sk25152 http://supportcontent.checkpoint.com/solutions?id=sk25152 (Advanced access) Outgoing Static NAT with ISP redundancy failing

A general knowledge of Gateway and Security Management Server management, including creating and modifying gateway objects, updating interface topology, and static and hide NAT configuration.

A working knowledge of DNS is also recommended.

Impact on Environment and Warnings None specifically, but care should be taken when one ISP link offers significantly higher

bandwidth than the other. If this is the case, the $FWDIR/bin/cpisp_update script should be modified to prevent the low bandwidth ISP from being overwhelmed by normal traffic levels.

Configuring ISP Redundancy ISP redundancy ensures reliable Internet connectivity for a single or clustered Check Point Security Gateway. It enables connection through redundant ISP connections.

Before you begin to setup up ISP redundancy, configure the cluster object (or gateway object if in a single gateway environment) with two external links defined, one for each of the ISPs. This is the simplest deployment option. Other options are discussed later.

Initial Configuration 1. In SmartDashboard, navigate to Check Point Security Gateway/Cluster Object > Other > ISP

Redundancy. In older releases of SmartDashboard, navigate to Check Point Security Gateway/Cluster Object > Topology > ISP Redundancy,

2. Select Support ISP Redundancy.



3. Select the Redundancy mode, which controls the behavior of outgoing connections. There are two options available:



Primary/Backup: New connections use the primary link as its ISP. In the event of primary link failure, connections switch to the backup link, and any new connections use the backup link as well. Upon recovery of the primary link, any new outgoing connections begin to use it again while the existing connections on the backup link continue to use it until completion.



Load Sharing: New outgoing connections are distributed randomly between the ISP links and remain with the assigned link until completion. Should one of the links fail, all new connections are assigned to the link that remains.

Incoming connections also benefit from the Load Sharing method. In the case of returned packets for a connection initiated outbound, the traffic uses the same ISP link that is used to initiate the connection. Connections that are initiated inbound can use either link to access resources. The Check Point Security Gateway can answer DNS requests for internal servers with addresses from both ISPs due to order alternation.



Adding ISP Links 1. Once the mode is selected, add the ISP links. In the ISP Links section, click Add, and in the

window that pops up, enter the name for the link of your choice, such as ISP1 or the name of the ISP for that link. From the Interface push down menu, select the external interface associated with the ISP. The next hop IP address would be the gateway for the selected ISP. If the interface is a point to point interface leave this field blank.

2. Under Advanced Configuration you can define hosts used to perform status checks for the ISP

link. ICMP echo requests are sent to the selected hosts. Failure to respond results in link down status for the ISP. If no hosts are selected in the advanced configuration, ICMP echo requests are sent to the next hop IP address to confirm link status by default.

Configuring DNS Proxy If there are internal servers which accept inbound traffic, then DNS proxy needs to be enabled and configured.

In Primary/Backup mode the gateway responds to DNS queries with the active IP.

In Load Sharing mode the gateway will respond with both IPs if both links are active and with the active link IP if one ISP link is down.



Click Configure and then Add or Edit to add or update DNS proxy settings. The fields are described below:

Host Name is the host name of the application server, for example: www.example.com ISP-1 and ISP-2 are the IP addresses of the application server for the corresponding ISPs.

DNS TTL is the expected time it takes the Security Gateway to reply. DNS TTL is important to prevent Internet servers to store out of date DNS information. The DNS TTL field specifies how long the information in the DNS reply may be cached.

For external access to internal resources to work, each externally accessible server requires a routable IP assigned for each ISP. Static NAT entries must be configured to translate the routable IP to the real IP of the server.

Tracking In the Tracking section, you can select how IPS redundancy link failures and recoveries are reported. The default is a popup alert for failures and a log entry when the link recovers.



VPN The selection of Apply settings to VPN traffic carries over the configuration on this page to the VPN > Link Selection page. The ISP redundancy settings override any existing VPN link selection setting when this option is enabled.

Registering the Domain and Obtaining IP Addresses The gateway, or a DNS server behind it, must respond to DNS queries and resolve IP addresses that belong to publicly accessible servers on the DMZ or internal network. A dedicated DNS server is not required because the gateway can be configured to intercept the DNS queries.

To Register the Domain and Obtain IP Addresses:

1. Obtain one routable IP address from each ISP for the DNS server or the gateway that intercepts DNS queries. If routable IP addresses are not available, make the DNS server accessible from the Internet with Manual NAT.

2. Register your domain with both ISPs.



3. Inform both ISPs of the two addresses of the DNS server that respond to DNS queries for the domain.

4. To allow incoming connections, obtain one routable IP address from each ISP for each application server that is accessed from the Internet.

Allowing Incoming and Outgoing Connections 1. Define automatic Hide NAT on network objects that initiate the outgoing connections:

a) Edit the internal_net object.

b) In the General tab of the Network Properties window, select Add Automatic Address Translation Rules.

c) Select the Hide Translation Method and then the Hide behind Gateway option.

2. To allow incoming connections through both ISP links to the application servers and the DNS server, define manual Static NAT rules.

If you have only one routable IP address from each ISP and those addresses belong to the Security Gateway, you can allow specific services for specific servers. In the example below, incoming HTTP connections from both ISPs reach the web server and DNS traffic from both ISPs reach the DNS server.

Manual Static Rules for a Web Server and a DNS Server: Original Translated Comment Source Destination Service Source Destination Serv. Any 192.168.1.2http=10.0.0.2 (Static)=Incoming Web ISP A Any 172.16.2.2http=10.0.0.2 (Static)=Incoming Web ISP B



Any 192.168.1.2domain_udp=10.0.0.3 (Static)=Incoming DNS ISP A Any 172.16.2.2domain_udp=10.0.0.3 (Static)=Incoming DNS ISP B

If you have a routable address from each ISP for each publicly reachable server (in addition to the addresses that belong to the Security Gateway), you can allow any service to reach the application servers if you give each server a non-routable address. In the NAT rulebase, perform:

Use the routable addresses in the Original Destination. Use the non-routable address in the Translated Destination. Select Any as the Original Service.

Note - If when you use Manual NAT, automatic arp does not work for the NATed addresses, use local.arp on Linux and SecurePlatform. On IPSO set up Proxy ARP.

Alternative Deployment Options The simplest and most common ISP redundancy deployment is with two external interfaces

defined, one for each ISP. If only one external interface is available, different subnets can be configured for each ISP. With this deployment, both ISPs are connected to the same interface but with different next hops, usually through a switch.

If there is one main ISP and a dialup connection for the backup, connect one external interface to each ISP. Use the Primary/Backup method to specify that the dialup connection should only be used if the primary link is down.

In clustered environments, each gateway in the cluster requires a corresponding external link for each ISP. Follow the cluster configuration guidelines and ensure the physical external interfaces belong to the same subnet as the cluster IP.

ISP Redundancy Script The ISP redundancy script located at $FWDIR/bin/cpisp_update is run whenever a

gateway starts, or an ISP link state changes. The primary purpose of the script is to change the default route for the gateway according to which ISP links are currently available.

The script can also be used to define advanced options, such as to change link status of a backup dialup connection when the primary link becomes active again, or SAM rules to block non-essential traffic when the primary link is down. Before you modify the script file, make a backup. Run Cpstop before you modify and cpstart after you save changes.

Additional VPN Considerations The script cpisp_update must be present In a Primary/Backup configuration, the interface connected to the primary ISP must be defined

as the Primary IP.

When ISP redundancy is configured, the default setting in the Link Selection page uses ongoing probing. However, link selection only probes the ISPs configured under ISP

Completing the Procedure


redundancy. This feature enables connection failover of the VPN tunnel if connectivity to one of the gateway interfaces fails.

Refer to the Link Selection chapter of the VPN Administration Guide for more information.

The ability of a third party VPN to recognize ISP link failures depends on its configuration. Problems can arise when the third party is unable to recognize traffic from the secondary link as traffic that originates from the Check Point gateway, or cannot detect link failure and continues to send encrypted traffic to the failed link.

Completing the Procedure Save and install the policy to complete the procedure.

Verifying the Procedure IPS redundancy link status can be manually changed with the fw isp_link command on the gateway or management server:

fw isp_link

target is the target gateway and it is required when run from the management server only. link-name is the ISP link name as defined on the ISP Redundancy page of the gateway properties.

The command is useful to perform a test, or to disable an ISP link when you know it is not available but is still reported as active to the gateway. You can also test it if you pull the interface for the of ISPs links.

Traffic Behavior Outbound traffic, such as HTTP traffic, gives the appearance of a seamless transition for clients behind the gateway when the active link fails. With authenticated traffic, such as a VPN connection or FTP transfer, a client behind the gateway suffers a disruption when the active link fails. When the transition to the other link occurs, it changes the IP address that is used to access the remote resources. This, in turn, requires the user to authenticate again from the new IP address.

Index A

Adding ISP Links 10 Additional VPN Considerations 14 Allowing Incoming and Outgoing Connections

13 Alternative Deployment Options 14

B

Before You Start 5

C

Completing the Procedure 15 Configuring DNS Proxy 10 Configuring ISP Redundancy 6

H

How To Configure ISP Redundancy 5

I

Impact on Environment and Warnings 6 Important Information 3 Initial Configuration 6 ISP Redundancy Script 14

O

Objective 5

R

Registering the Domain and Obtaining IP Addresses 12

Related Documents and Assumed Knowledge 5

S

Supported Appliances 5 Supported Operating Systems 5 Supported Versions 5

T

Tracking 11 Traffic Behavior 15

V

Verifying the Procedure 15 VPN 12

How To Configure ISP RedundancyImportant InformationHow To Configure ISP RedundancyObjectiveSupported VersionsSupported Operating SystemsSupported Appliances

Before You StartRelated Documents and Assumed KnowledgeImpact on Environment and Warnings

Configuring ISP RedundancyInitial ConfigurationAdding ISP LinksConfiguring DNS ProxyTrackingVPNRegistering the Domain and Obtaining IP AddressesAllowing Incoming and Outgoing ConnectionsAlternative Deployment OptionsISP Redundancy ScriptAdditional VPN Considerations

Completing the ProcedureVerifying the ProcedureTraffic Behavior

Index