I'm all a bit confused here. You're talking about doing BGP with the Internet for your network(s) or, in BGP-speak, your prefix(es). Now why does anything at all change on the firewall cluster?
The magic of BGP is that your network address on the firewall gets routed to you via either ISP. You don't need to touch anything behind the routers. What am I missing?

On 6/12/2009 at 1:11 PM, Ogos Sixtynine <[email protected]> wrote:
> Thanks to everyone who replied,
> and David, your reply seems to answer a portion of my question.
>
> Assuming that I move the current outside address OFF
> of the cluster to the BGP router that faces that ISP, that will kill all the
> VPNs.
>
> Now VPNs are terminating to the fw cluster; after the change they will be
> terminating to the BGP router.
> Another assumption, in this scenario, is that I may have to do NAT at the
> BGP router from the External IP address to the new IP address of the firewall
> cluster.
>
> Is that a correct assumption?
>
> Would VPNs actually work with a Checkpoint Firewall Cluster interface
> that is being translated and is not a REAL IP address?
>
> We are trying to find a solution that minimizes any kind of downtime while we
> enable the 2nd Internet connection,
> without having to reconfigure all our VPNs and FW cluster at the same time...but
> over an extended period of time.
> Additionally, the first ISP will be terminated....at a later date due to some
> decision outside my responsibilities.
>
> --- On Fri, 6/12/09, David Gillett <[email protected]> wrote:
>
> From: David Gillett <[email protected]>
> Subject: Re: [FW-1] Internet redundancy using BGP routers in front of CHeckpointCluster....NGXR65
> To: [email protected]
> Date: Friday, June 12, 2009, 9:19 AM
>
> Your first step will be to move the current outside address OFF
> of the cluster to the BGP router that faces that ISP. The outside
> address for the other ISP will go on the other BGP router. The
> outside interface for the cluster will have a new address on a small
> segment that connects it to the inside interfaces of both routers.
> Your firewall policies shouldn't know or care which ISP delivered
> a given packet to you -- all the cluster cares about is that it arrived
> from the Internet.
>
> David Gillett
>
>> -----Original Message-----
>> From: Ogos Sixtynine [mailto:[email protected]]
>> Sent: Friday, June 12, 2009 6:37 AM
>> To: [email protected]
>> Subject: [FW-1] Internet redundancy using BGP routers in front of CHeckpointCluster....NGXR65
>>
>> Hello Everyone,
>>
>> Finally, we are in the process of implementing Internet
>> redundancy using BGP routers in front of our current
>> Checkpoint Cluster SPLAT NGXR65. The BGP routers'
>> configuration will be done by an external company using CISCO
>> routers. We already have the AS numbers and the second
>> Internet connection, but "I am having difficulty
>> conceptualizing" how the Checkpoint Cluster will be handling
>> the new set of IP addresses belonging to the 2nd Internet connection.
>>
>> Currently, there is only 1 (one) external interface defined
>> on the cluster that handles the traffic to the first Internet
>> connection, also using this interface as default gateway to
>> the external world or Internet.
>>
>> Here is the part I am confused about Checkpoint....
>>
>> In order to start migrating VPN connections to the 2nd Internet
>> connection, don't I need to define a second external interface
>> on the cluster?
>>
>> If not, then how can I assign multiple IP address schemes on
>> different subnets to the same interface?
>>
>> Maybe I am missing something really simple but I can't get
>> over this mental block.
>> Thanks all for the replies...
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
