Hi:
We have several customers that use ISP Redundancy, most of them in Load
Sharing Mode.
We have had several issues (that don't show up every time) when using
static NAT for outgoing traffic and ISP Redundancy in Load Sharing mode.
For example, a host statically NATed with some ISP-A IP address but going
out through the ISP-B physical interface (of course there is no way to get
a response on these connections). Actually, these scenarios worked until
R60, but from R61 to the last version I have tested, which is R75.20, it
happens some of the time, and every time I have opened a service request,
Check Point support keeps telling me that static NAT and ISP Redundancy in
Load Sharing is not supported :/ There are some workarounds like sk34209
that in most scenarios solve this issue.
So, due to these issues I have been seeing, and of course depending on the
size of the customer, budget, the number of ISP links (ISP Redundancy
can only manage 2) and some other stuff, we use 3 options:
1.- Check Point ISP Redundancy
2.- Linux built-in source routing features (ip route, routing
tables, routing rules and so on - ISP Redundancy must be disabled)
3.- 3rd party load balancer, such as Barracuda Link Balancer, that
really works very well
In the end, if you are going to use ISP Redundancy in simple scenarios,
when there are no static NATs for outgoing connections or when you want to
configure Primary/Backup mode, the feature works as expected.
When it comes to incoming traffic, this feature works very well, so if you
have things like two MX records or your web server can be reached using an
IP address of each ISP, ISP Redundancy in Load Sharing mode works very
well. You can even configure the firewall so it can answer DNS requests
based on the load of your ISP links, so if ISP-A has 80% usage, ISP-B has
30% and someone wants to send you an e-mail, the firewall will give the
ISP-B IP address MX record; of course you'll have to have your
authoritative DNS for this feature to work.
I hope this info helps!
Happy ISP Redundancy configuration :)
Gus
_______________________________
Gustavo Ríos P.
Professional Services Coordinator
email: [email protected]
http://www.cybertech.com.ve
Telf.: +58 212 2661980/ 2503/ 9995, ext. 104
Cel: +58 4128014879
******************************************************
CONFIDENTIAL NOTE: The information in this E-mail is intended to be
confidential and only for use of the individual or entity to whom it is
addressed and/or the issuer. If you are not the intended recipient, any
retention, dissemination, distribution or copying of this message is
strictly prohibited and sanctioned by law. If you receive this message by
error, please immediately send it back and delete the message received.
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[email protected]] On Behalf Of a bv
Sent: Monday, January 16, 2012 03:09 a.m.
To: [email protected]
Subject: [FW-1] ISP Redundancy
Hi,
I would like to ask you about ISP Redundancy. Do you use this
configuration feature generally? Are you happy with it? Do you really get
benefits and more uptime on services? Are there any configuration
difficulties you get with it? Are there any problems you have with it?
Regards
Scanned by Check Point Total Security Gateway.
=================================================
To set vacation, Out-Of-Office, or away messages, send an email to
[email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options,
email [email protected]
=================================================
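
Added example, not part of the original thread and not Check Point code: a small check for the failure described in the reply above, where a connection statically NATed to an ISP-A address leaves through the ISP-B interface. The prefixes, interface names and the comma-separated record format are constructed assumptions; adapt the parsing to whatever your gateway's log export actually produces.

```python
import ipaddress

# Assumed topology (constructed): each ISP link's public prefix and the
# gateway interface facing it. These are documentation prefixes.
ISP_LINKS = {
    "ISP-A": {"prefix": ipaddress.ip_network("192.0.2.0/24"), "iface": "eth1"},
    "ISP-B": {"prefix": ipaddress.ip_network("198.51.100.0/24"), "iface": "eth2"},
}

# Constructed sample records: internal source, translated source, egress interface.
SAMPLE_LOG = """\
10.1.1.10,192.0.2.10,eth1
10.1.1.10,192.0.2.10,eth2
10.1.1.20,198.51.100.20,eth2
10.1.1.30,203.0.113.5,eth1
"""

def owning_link(xlate_src):
    """Return the name of the ISP link whose prefix contains xlate_src, or None."""
    addr = ipaddress.ip_address(xlate_src)
    for name, link in ISP_LINKS.items():
        if addr in link["prefix"]:
            return name
    return None

def find_mismatches(log_text):
    """Flag connections whose NATed source left through the wrong ISP interface."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, xlate, iface = [field.strip() for field in line.split(",")]
        link = owning_link(xlate)
        if link is None:
            # Static NAT address that belongs to neither ISP: no return path at all.
            findings.append((lineno, src, xlate, iface, "xlate address in no ISP prefix"))
        elif ISP_LINKS[link]["iface"] != iface:
            expected = ISP_LINKS[link]["iface"]
            findings.append((lineno, src, xlate, iface,
                             f"{link} address sent out {iface}, expected {expected}"))
    return findings

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_LOG):
        print(finding)
```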