ccolonbackslash


ISP Redundancy on Checkpoint R75.45 Gaia – does not work

I installed R75.45 Gaia on a UTM-1 270 appliance recently; installation from USB went fine, and performance was adequate with a low load, VPN, default IPS and a short QoS rule set.

In order to support a degree of resilience, we’re using ISP Redundancy at all sites with multiple internet connections. Despite configuring this site identically, I was not able to get the failover to work. Usually, the script cp_isp_update runs and updates the gateway’s default route to match that of the secondary ISP; however, when I tested this on R75.45 the route was not updated when primary was disconnected.

I contacted Checkpoint support and was informed that ISP Redundancy does not work in either version of Gaia, R75.45 or R75.40 – however there is a patch available for R75.40 if you contact them and reference this sk. I applied this patch on 75.40 but still didn’t see the solution work as expected so instead deployed R75.30 as I have at other ISP redundant sites.

I should also mention that my in no way scientific, cursory observations indicated that load on the CPU was much lower (15-20% lower) on SPLAT (with 75.30) than on either version of Gaia. Something to bear in mind for older appliances like the UTM-1 270.


7 responses to “ISP Redundancy on Checkpoint R75.45 Gaia – does not work”

  1. kips January 10, 2013 at 3:25 pm

    Hi ccolonbackslash, did you succeed in the solution? I also have a solution to deploy which involved deploying ISP redundancy but do not have the information on the configurations required. I am still new on Checkpoint.

    Thanks.

  2. dodoman January 10, 2013 at 4:32 pm

    Hi ccolonbackslash, kindly point me to the KB. Also, if you have any documentation on how you did with the R75_30, kindly share with me.

    Thanks.

    • ccolonbackslash January 11, 2013 at 12:17 pm

      Hi There – the SK articles you should find useful are as follows:

      sk25129 – Supported platforms
      sk34812 – ISP Redundancy Configuration
      sk23630 – Advanced configuration of ISP Redundancy

      You will need current Checkpoint support to get to these, however (www.checkpoint.com).

      My configuration documentation is from the perspective of our configuration, not as a step by step.

      Don’t be tempted to try and add weighted routes to different ISPs, just set your primary and let Checkpoint handle the rest.

      Works well for us – be aware you’ll need to reset any link selection for VPN configuration you have at present, as ISP redundancy will override that when first configured; they do coexist happily afterwards, though.

      Cheers,

  3. Jason February 14, 2013 at 4:22 am

    “however when I tested this on R75.45 the route was not updated when primary was disconnected.”

    I applied the R75.40 hotfix to both Management and the target firewall and it fixed the problem perfectly for me.

  4. ccolonbackslash January 28, 2014 at 11:47 pm

    R75.46 and 47 do not exhibit this issue.
