I installed R75.45 Gaia on a UTM-1 270 appliance recently; installation from USB went fine and performance was adequate with a low load, VPN, default IPS and a short QoS rule set.
In order to support a degree of resilience we’re using ISP Redundancy at all sites with multiple internet connections. Despite configuring this site identically, I was not able to get the failover to work. Usually, the script cp_isp_update runs and updates the gateway’s default route to match that of the secondary ISP; however, when I tested this on R75.45 the route was not updated when primary was disconnected.
I contacted Checkpoint support and was informed that ISP Redundancy does not work in either version of Gaia, R75.45 or R75.40 – however there is a patch available for R75.40 if you contact them and reference this sk. I applied this patch on 75.40 but still didn’t see the solution work as expected, so I instead deployed R75.30 as I have at other ISP redundant sites.
I should also mention that my in no way scientific, cursory observations indicated that load on the CPU was much lower (15-20pc lower) on SPLAT (with 75.30) than on either version of Gaia. Something to bear in mind for older appliances like the UTM-1 270.
Hi ccolonbackslash, did you succeed in the solution? I also have a solution to deploy which involves deploying ISP redundancy but do not have the information on the configurations required. I am still new to Checkpoint.
Thanks.
Hi there – yes I did, but I used R75_30 after getting nowhere on a fix for R75_45.
If you need any info, let me know and I can point you at the KBs.
Hi ccolonbackslash, kindly point me to the KB. Also, if you have any documentation on how you did it with the R75_30, kindly share it with me.
Thanks.
Hi There – the SK articles you should find useful are as follows:
sk25129 – Supported platforms
sk34812 – ISP Redundancy Configuration
sk23630 – Advanced configuration of ISP Redundancy
You will need current Checkpoint support to get to these, however (www.checkpoint.com).
My configuration documentation is from the perspective of our configuration, not as a step by step.
Don’t be tempted to try and add weighted routes to different ISPs, just set your primary and let Checkpoint handle the rest.
Works well for us – be aware you’ll need to reset any link selection for VPN configuration you have at present, as ISP redundancy will override that when first configured; they do coexist happily afterwards, though.
Cheers,
“however when I tested this on R75.45 the route was not updated when primary was disconnected.”
I applied the R75.40 hotfix to both Management and the target firewall and it fixed the problem perfectly for me.