Check Point ISP Redundancy

Check Point gateways support the ISP Redundancy feature, which offers two options for traffic distribution: Load Sharing and High Availability.

With High Availability (Primary/Backup) the next hop IP address is monitored by pings (ICMP echo requests) that check whether the route is alive; a ping is sent every 5 seconds. When a failure of the next hop is detected, the default gateway is dynamically changed to the Backup ISP next hop. Existing connections do not survive failover; the old connections are unable to send or receive data until a new connection is established.

Load Sharing also monitors the next hop IP address with ping requests to determine whether the route is alive. Connections are distributed across the two default gateways: each host is assigned a different route, and the load is shared across the hosts' total connections. When a failed route comes back online, only new connections use it; old connections continue to use the other route. Existing connections do not survive failover; the old connections are unable to send or receive data until a new connection is established.

High Availability Configuration

This post covers the configuration and testing of Primary/Backup High Availability and assumes a basic configuration is already in place on the Check Point gateway.

Interfaces

Configure an interface on the gateway that is connected to the second ISP and assign it an IP address.

  • Log in to the Gaia Portal and navigate to Network Management > Network Interfaces

The figure below represents the initial configuration with an internal interface (eth0) and a single external interface (eth1).

  • Select a spare interface (in this instance eth2) and define an IPv4 Address (22.22.22.4) from the ISP2 network.

Below are the Gaia CLISH commands that configure the interface.

set interface eth2 comments "ISP2"
set interface eth2 link-speed 1000M/full
set interface eth2 state on
set interface eth2 auto-negotiation on
set interface eth2 mtu 1500
set interface eth2 ipv4-address 22.22.22.4 mask-length 24

Routing

You do not need to explicitly configure another static route via the ISP2 interface; only a default route via the primary ISP is required, in this instance 11.11.11.1. The backup default route via ISP2 is applied dynamically once the ISP Redundancy feature is configured and the primary ISP fails.

Below is the Gaia CLISH command that configures the default route.

set static-route default nexthop gateway address 11.11.11.1 on

Network Objects/NAT

Hide NAT is configured on the network object that represents the internal network(s). It is important to hide behind the gateway (rather than a fixed address) so that traffic is translated behind whichever ISP interface is active at that time.

Topology

After the new interface has been configured, the topology must be updated.

  • From the SmartConsole, navigate to Gateways & Servers
  • Edit the gateway
  • Navigate to Network Management
  • Select Get Interfaces Without Topology
  • When prompted select Accept
  • Edit the new interface (in this instance eth2)
  • Click Modify
  • Select Override, then Internet External
  • Click Ok
  • Click Ok

ISP Redundancy

ISP Redundancy is configured from the SmartConsole under the gateway object.

  • From the SmartConsole, navigate to Gateways & Servers
  • Edit the gateway object
  • Navigate to Other > ISP Redundancy
  • Select Support ISP Redundancy

There are two options, Load Sharing and Primary/Backup; in this scenario select Primary/Backup.

  • Click Add
  • Define an appropriate name for the Primary ISP, i.e., ISP1
  • From the drop-down list, select the interface connected to the Primary ISP
  • Define the Next Hop IP Address of the Primary ISP
  • Click Ok
  • Click Add to add the Backup ISP
  • Click Ok
  • Click Install to publish and install the policy.

Testing/Verification

From the CLISH of the gateway, run the command cpstat fw. The output below confirms the policy is installed and, because ISP Redundancy is configured, also displays the ISP link table. From the output we can confirm both the Primary and Backup links are OK.

CP12> cpstat fw

Policy name:  Standard
Install time: Thu Jun 15 16:51:30 2023

Interface table
------------------------------------------------
|Name|Dir|Total |Accept|Deny|Log|
------------------------------------------------
|eth0|in |445764|445657| 107|690|
|eth0|out|455171|455158|  13| 41|
|eth1|in |  9222|   222|9000| 33|
|eth1|out|   235|   235|   0| 19|
|eth2|in |  8935|  8935|   0|  6|
|eth2|out|   207|   207|   0| 29|

------------------------------------------------
|    |   |919534|910414|9120|818|
------------------------------------------------
Interface table (64-bit)
------------------------------------------------
|Name|Dir|Total |Accept|Deny|Log|
------------------------------------------------
|eth0|in |445764|445657| 107|690|
|eth0|out|455171|455158|  13| 41|
|eth1|in |  9222|   222|9000| 33|
|eth1|out|   235|   235|   0| 19|
|eth2|in |  8935|  8935|   0|  6|
|eth2|out|   207|   207|   0| 29|
------------------------------------------------
|    |   |919534|910414|9120|818|
------------------------------------------------
ISP link table
-----------------------------
|Name|Status|Role  |
-----------------------------
|ISP1|OK    |Primary|
|ISP2|OK    |Backup |
-----------------------------

From a device in the internal network, ping a device external to the network; under normal circumstances this routes via ISP1 (in this instance 11.11.11.4).

CORE#ping 1.1.1.1 source loopback 0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.21.8.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/15/19 ms

For testing purposes, debug ip icmp was enabled on a WAN router. The echo replies are addressed to 11.11.11.4, confirming the incoming pings came from the gateway’s Primary (ISP1) interface.

WAN-RTR#
*Jun 15 16:17:06.461: ICMP: echo reply sent, src 1.1.1.1, dst 11.11.11.4, topology BASE, dscp 0 topoid 0
*Jun 15 16:17:06.478: ICMP: echo reply sent, src 1.1.1.1, dst 11.11.11.4, topology BASE, dscp 0 topoid 0
*Jun 15 16:17:06.494: ICMP: echo reply sent, src 1.1.1.1, dst 11.11.11.4, topology BASE, dscp 0 topoid 0
*Jun 15 16:17:06.512: ICMP: echo reply sent, src 1.1.1.1, dst 11.11.11.4, topology BASE, dscp 0 topoid 0
*Jun 15 16:17:06.529: ICMP: echo reply sent, src 1.1.1.1, dst 11.11.11.4, topology BASE, dscp 0 topoid 0

From the CLISH of the gateway, run the command fw isp_link ISP1 down. This fails traffic over to the Backup link.

GW1> fw isp_link ISP1 down
OK.

Run the command cpstat fw again; the output below confirms the Primary (ISP1) link was manually disabled and ISP2 is OK.

ISP link table
-------------------------------------------------
|Name|Status                            |Role   |
-------------------------------------------------
|ISP1|The ISP link was manually disabled|Primary|
|ISP2|OK                                |Backup |
-------------------------------------------------
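The two ISP link tables above (both links OK, then ISP1 manually disabled) are the state a monitoring check should watch. The following added example, not part of the original post, parses the ISP link table out of cpstat fw output, reports which link is expected to carry the default route, and raises an alert for any link that is not OK; the embedded sample output is constructed from the table above.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: the ISP link table as shown by cpstat fw after
# `fw isp_link ISP1 down` (column widths trimmed for readability).
FAILED_OVER = """\
ISP link table
------------------------------------------------
|Name|Status                            |Role   |
------------------------------------------------
|ISP1|The ISP link was manually disabled|Primary|
|ISP2|OK                                |Backup |
------------------------------------------------
"""
Link = Tuple[str, str]  # (status, role)

def parse_isp_link_table(cpstat_output: str) -> Dict[str, Link]:
    """Return {name: (status, role)} from the 'ISP link table' section of cpstat fw.
    Rows before that heading (the interface tables) are ignored."""
    links: Dict[str, Link] = {}
    in_table = False
    for line in cpstat_output.splitlines():
        if line.strip() == "ISP link table":
            in_table = True
            continue
        if not in_table or not line.startswith("|"):
            continue  # separator lines and anything before the table
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 3 or cells[0] == "Name":
            continue  # skip the header row
        name, status, role = cells
        links[name] = (status, role)
    return links

def active_link(links: Dict[str, Link]) -> Optional[str]:
    """Link expected to carry the default route: the Primary while it is OK,
    otherwise an OK Backup, otherwise None (no usable ISP)."""
    for wanted_role in ("Primary", "Backup"):
        for name, (status, role) in links.items():
            if role == wanted_role and status == "OK":
                return name
    return None

def redundancy_alerts(links: Dict[str, Link]) -> List[str]:
    """One alert line per link whose status is not OK, for a monitoring check."""
    return [f"{name} ({role}) not OK: {status}"
            for name, (status, role) in links.items() if status != "OK"]

if __name__ == "__main__":
    parsed = parse_isp_link_table(FAILED_OVER)
    print(active_link(parsed), redundancy_alerts(parsed))
```

Feed it the full cpstat fw output from the gateway (for example over SSH from a monitoring host) and alert whenever redundancy_alerts returns anything, or whenever active_link is not the Primary.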

From the CLISH of the gateway, run show route; this confirms the default route is now via the Backup (ISP2) next hop. The ISP Redundancy feature has dynamically changed the default route.

GW1> show route
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       NP - NAT Pool, U - Unreachable, i - Inactive

S               0.0.0.0/0           via 22.22.22.2, eth2, cost 0, age 366

Run the ping test again from an internal network device. From the WAN router we can determine that the source of the ping is now the IP address (22.22.22.4) of the gateway’s Backup (ISP2) interface.

WAN-RTR#
*Jun 15 16:22:02.913: ICMP: echo reply sent, src 1.1.1.1, dst 22.22.22.4, topology BASE, dscp 0 topoid 0
*Jun 15 16:22:02.933: ICMP: echo reply sent, src 1.1.1.1, dst 22.22.22.4, topology BASE, dscp 0 topoid 0
*Jun 15 16:22:02.953: ICMP: echo reply sent, src 1.1.1.1, dst 22.22.22.4, topology BASE, dscp 0 topoid 0
*Jun 15 16:22:02.969: ICMP: echo reply sent, src 1.1.1.1, dst 22.22.22.4, topology BASE, dscp 0 topoid 0
*Jun 15 16:22:02.983: ICMP: echo reply sent, src 1.1.1.1, dst 22.22.22.4, topology BASE, dscp 0 topoid 0

Run the command fw isp_link ISP1 up to bring the Primary connection back online.
