Checkpoint: Forcing Services over a specific ISP link with ISP Redundancy Load-Sharing

Caveats / Notes

  • You can force services over the 1st ISP link but not the 2nd. In the event of the 1st link going down, all services will be routed through the 2nd.
  • This will take effect on all firewalls running ISP Redundancy.
  • Other outgoing connections will be distributed evenly between the 2 links.

You will need to open the file $FWDIR/lib/table.def on the SmartCenter server and edit the no_misp_services_ports table.

The table has the format <port,protocol> as in the following example:

no_misp_services_ports = { <500, 17>, <259,17>};

The above states that UDP port 500 (ISAKMP) and UDP port 259 (CheckPoint Client Auth) traffic is routed out via the 1st link.

So if you would like to route web and ssh traffic over the 1st link as well, you would specify:

no_misp_services_ports = { <500, 17>, <259,17>, <80,6>, <22,6>};

Don't forget to push the policy once the changes have been made.
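The table is easy to get subtly wrong by hand (a transposed port/protocol pair, or a protocol number that is not 6 or 17, silently pins the wrong traffic or nothing at all). The following added example, which is not from the post and not Check Point code, parses an existing no_misp_services_ports line in the <port,protocol> format shown above, validates each entry, merges in new services by name, and renders the line back for pasting into table.def. The function names and the ORIGINAL sample line are assumptions for illustration; only the table syntax itself comes from the page.

```python
import re

# IP protocol numbers (IANA list linked from the post); the table only
# makes sense for TCP and UDP, so anything else is rejected.
PROTO_NUMBERS = {"tcp": 6, "udp": 17}
PROTO_NAMES = {num: name for name, num in PROTO_NUMBERS.items()}

# One <port,protocol> tuple, tolerant of the spacing variations in the post.
ENTRY_RE = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")
TABLE_RE = re.compile(r"no_misp_services_ports\s*=\s*\{(.*)\}\s*;", re.S)

# Constructed sample: the line as it appears in the post.
ORIGINAL = "no_misp_services_ports = { <500, 17>, <259,17>};"


def parse_table(line):
    """Return the table as a list of (port, protocol_number) tuples.

    Raises ValueError on malformed text, bad ports, or protocols other
    than TCP/UDP, so a typo is caught before a policy push.
    """
    m = TABLE_RE.search(line)
    if not m:
        raise ValueError("no no_misp_services_ports table found")
    body = m.group(1)
    entries = []
    for port_s, proto_s in ENTRY_RE.findall(body):
        port, proto = int(port_s), int(proto_s)
        if not 0 < port <= 65535:
            raise ValueError(f"port {port} out of range")
        if proto not in PROTO_NAMES:
            raise ValueError(f"protocol {proto} is not TCP (6) or UDP (17)")
        entries.append((port, proto))
    # Anything left after removing tuples and commas is a syntax error.
    leftover = ENTRY_RE.sub("", body).replace(",", "").strip()
    if leftover:
        raise ValueError(f"unparsed text in table: {leftover!r}")
    return entries


def add_services(entries, new_services):
    """Append (port, 'tcp'|'udp') pairs, skipping entries already present."""
    merged = list(entries)
    for port, proto_name in new_services:
        proto = PROTO_NUMBERS[proto_name.lower()]
        if (port, proto) not in merged:
            merged.append((port, proto))
    return merged


def render_table(entries):
    """Render entries back into the exact syntax table.def expects."""
    inner = ", ".join(f"<{port},{proto}>" for port, proto in entries)
    return f"no_misp_services_ports = {{ {inner} }};"


def describe(entries):
    """Human-readable list of what is pinned to the 1st ISP link."""
    return [f"{PROTO_NAMES[proto]}/{port}" for port, proto in entries]


if __name__ == "__main__":
    current = parse_table(ORIGINAL)
    updated = add_services(current, [(80, "tcp"), (22, "tcp"), (500, "udp")])
    print("pinned to 1st link:", ", ".join(describe(updated)))
    print(render_table(updated))
```

Run it and paste the printed line over the existing one in table.def, then push the policy as the post says. The parse step is worth keeping as a pre-push check even if you edit the file by hand: reading the file back through parse_table() catches the cases (wrong protocol number, stray characters) that would otherwise only show up as traffic quietly taking the wrong link.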

The links below are handy for reference:

http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

http://en.wikipedia.org/wiki/Transmission_Control_Protocol

http://en.wikipedia.org/wiki/User_Datagram_Protocol
