> We have Firewall Cluster running on SPLAT R65-HFA20, we need to migrate
> slowly to a new Internet Service Provider. The ISP line will be installed
> this week, new block of external IP address will be assigned. Old ISP
> external IP address cannot be migrated to the new line.

this is a common scenario ...

> The requirement is that we keep both INTERNET lines and ISP(s) going until
> we completely migrate to the new ISP.
>
> I looked into CHECKPOINT ISP redundancy configuration for R65 and it may
> not solve our problem

why not? what you should do is have an active passive ISP setup. then first your old ISP is the primary one. then you can switch at any time to the second ISP as primary ISP. this is important for outbound traffic.

> or from what I read seems to me to be a
> nightmare...with Asymmetrical routing on the FW cluster.

no, you will never have asymmetric routing as this does not work.

> Our main issue is this that some VPN(s) that have static known networks can
> be easily migrated to the new line and new interface on the firewall
> cluster with static routes...
> but my confusion comes in on the dynamic IP address used by the SSL
> clients and many many Checkpoint Edge boxes and other internet users.

for VPNs to centrally managed checkpoints you should have a look at the VPN-link-selection feature. this is for selecting the best interface to terminate the VPN. so you can migrate your VPNs from the old to the new ISP.

> Even if i start pointing them to the new ISP how can i force them back out
> on the same ISP since our default route gateway will still be pointing to
> OLD ISP until migration complete?

this can be handled by ISP redundancy.

furthermore: inbound-connections to web-servers etc can be set up to be active on both ISPs. so you have 2 inbound NATs: one to the old isp and one to the new isp. this works really fine.

so you can set that up with

* ISP-redundancy
* VPN link selection (together with static routes maybe)
* manual inbound static NATs

br
reinhard
