Page 1 of 3
In This Section
  Introduction to ISP Link Redundancy Configuration
  Registering the Domain and Obtaining IP Addresses
  DNS Server Configuration for Incoming Connections
  Dialup Link Setup for Incoming Connections
  SmartDashboard Configuration
  Configuring Default Route for ISP Redundancy Gateway

Note - For advanced configuration options, see SecureKnowledge solution sk23630 at http://supportcontent.checkpoint.com/solutions?id=sk23630 (your username and password are required).

Note - In the following configuration examples, the subnets 192.168.1.0/24 and 172.16.2.0/24 represent public routable addresses.
mk:@MSITStore:F:\Program%20Files\CheckPoint\SmartConsole\R70\PROGRAM\FwP... 08/11/2010
It is important to ensure that DNS servers in the Internet do not store out-of-date address information. Each DNS reply has a Time To Live (TTL) field which indicates to the recipients of the reply how long the information in the reply may be cached. By default, the Security Gateway replies with a TTL of 15 seconds. This can be changed in the DNS TTL field.
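Because the failover scheme depends on Internet resolvers not caching a stale answer, it is worth checking the TTL the gateway actually returns. The following is an added example, not part of the Check Point documentation: it parses a raw DNS reply (a constructed sample for www.example.com is embedded) and reports whether every answer's TTL is within the 15-second default described above.

```python
import struct
import socket

def _read_name(msg, off):
    """Decode a DNS name at offset `off`, following compression pointers."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                          # pointer ends the name
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end

def parse_answers(msg):
    """Return [(name, rtype, ttl, rdata)] for the answer section of a DNS reply."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # A record: render the IPv4 address
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return answers

def within_gateway_ttl(msg, limit=15):
    """True if no answer in the reply may be cached longer than `limit` seconds."""
    return all(ttl <= limit for _, _, ttl, _ in parse_answers(msg))

# Constructed sample reply: www.example.com A 192.168.1.10, TTL 15 (the gateway default)
GATEWAY_REPLY = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: 1 question, 1 answer
    b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"     # question: A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x0f\x00\x04"  # answer RR, TTL = 15
    b"\xc0\xa8\x01\x0a"                                  # rdata 192.168.1.10
)
# Same reply with a 3600-second TTL, the kind of value that would let a dead ISP address linger
STALE_REPLY = GATEWAY_REPLY[:39] + b"\x00\x00\x0e\x10" + GATEWAY_REPLY[43:]
```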
SmartDashboard Configuration
To configure SmartDashboard:
1. Define a Security Rule Base rule that accepts DNS traffic through the Security Gateway using the domain_udp service.
2. In the Check Point Gateway window > Topology page, define the Security Gateway interfaces leading to the ISPs.
3. Select Topology > ISP Redundancy and then the Support ISP Redundancy option.
4. Perform either Automatic ISP Link Configuration (follow step 1 to step 4) or Manual ISP Link Configuration (follow step 1 to step 5). Automatic configuration only works if there are exactly two external interfaces defined in the Topology page (it does not work for gateway cluster objects).
Automatic ISP Link Configuration
1. Click Automatic ISP Links configuration to configure the ISP links based on information taken from the routing table of the gateway and the Topology page of the gateway object.
2. To work in Primary/Backup mode, do the following:
   a. In the Redundancy Mode section, select Primary/Backup.
   b. Select the link and then Edit to define the link you want to be primary.
   c. In the General tab of the ISP Link Properties window, select Primary ISP.
3. Examine the automatically configured ISP Links configuration for correctness.
4. Continue to step 1.
Manual ISP Link Configuration
1. In the Redundancy Mode section, select Load Sharing or Primary/Backup.
2. Click Add to define each of the ISP links.
3. In the General tab of the ISP Link Properties window, configure the following:
   a. Name the ISP link and select the Interface leading to the ISP.
   b. Specify the Next Hop IP Address by clicking Get from routing table. If the ISP link is a dialup connection, leave the Next Hop IP Address field blank. In Figure 1-38, the next hop router on the way to ISP A has the IP address 192.168.1.1 and the next hop router on the way to ISP B has the IP address 172.16.2.1.
   c. In Primary/Backup mode, define whether the ISP link is Primary.
4. Define a list of hosts to be monitored to verify that the link is operational. To specify the hosts, select the Advanced tab of the ISP Link Properties window and then Add to add the hosts to the list of Selected hosts.
5. Define Tracking by selecting an option for both ISP failure and ISP recovery.
   c. Select the Hide Translation Method and then the Hide behind Gateway option.
2. To allow incoming connections through both ISP links to the application servers and the DNS server, define manual Static NAT rules. If you have only one routable IP address from each ISP and those addresses belong to the Security Gateway, you can allow specific services for specific servers. Using the example shown in Figure 1-37, define the NAT rules listed in Table 1-15. In this example, incoming HTTP connections from both ISPs reach the Web server, www.example.com, and DNS traffic from both ISPs reaches the DNS server.

Table 1-15 Manual Static Rules for a Web Server and a DNS Server

  Original Source | Original Destination | Original Service | Translated Source | Translated Destination | Translated Service | Comment
  Any             |                      |                  | =                 |                        |                    | Incoming Web ISP A
  Any             |                      |                  | =                 |                        |                    | Incoming Web ISP B
  Any             |                      |                  |                   |                        |                    | Incoming DNS ISP A
  Any             |                      |                  |                   |                        |                    | Incoming DNS ISP B
   If you have a routable address from each ISP for each publicly reachable server (in addition to the addresses that belong to the Security Gateway), you can allow any service to reach the application servers by giving each server a nonroutable address. In the NAT Rule Base in Table 1-15, do the following:
   a. Use the routable addresses in the Original Destination.
   b. Use the nonroutable address in the Translated Destination.
   c. Select Any as the Original Service.
   Note - If using Manual NAT, automatic ARP does not work for the NATed addresses. On Linux and SecurePlatform, use local.arp. On IPSO, set up Proxy ARP.
3. Save and install the security policy.