Checkpoint: Forcing Services over a specific ISP link with ISP Redundancy Load-Sharing

Caveats / Notes

  • You can force services over the 1st ISP link but not the 2nd. In the event of the 1st link going down, all services will be routed through the 2nd.
  • This will take effect on all firewalls running ISP Redundancy.
  • Other outgoing connections will be distributed evenly between the 2 links.

You will need to open the file $FWDIR/lib/table.def on the SmartCenter server and edit the no_misp_services_ports table.

The table has the format <port,protocol> as in the following example:

no_misp_services_ports = { <500, 17>, <259,17>};

The above states that UDP port 500 (ISAKMP) and UDP port 259 (CheckPoint Client Auth) traffic is routed out via the 1st link.

So if you would like to route web and ssh traffic over the 1st link as well, you would specify:

no_misp_services_ports = { <500, 17>, <259,17>, <80,6>, <22,6>};

Don’t forget to push the policy once the changes have been made.
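As an added example (not part of the original post), here is a small Python helper that parses the no_misp_services_ports table out of table.def text, validates each <port,protocol> entry, and merges new services in without duplicating existing ones; the SAMPLE_TABLE_DEF string is a constructed stand-in for the relevant line of $FWDIR/lib/table.def.

```python
import re
from typing import List, Tuple

# IP protocol numbers used by the table (from the IANA list linked on the page).
TCP, UDP = 6, 17

# Constructed sample of the relevant line from $FWDIR/lib/table.def (as shown on the page).
SAMPLE_TABLE_DEF = "no_misp_services_ports = { <500, 17>, <259,17>};\n"

_TABLE_RE = re.compile(r"no_misp_services_ports\s*=\s*\{(?P<body>[^}]*)\}\s*;")
_ENTRY_RE = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")


def parse_table(text: str) -> List[Tuple[int, int]]:
    """Return the (port, protocol) pairs of the no_misp_services_ports table."""
    m = _TABLE_RE.search(text)
    if m is None:
        raise ValueError("no_misp_services_ports table not found")
    body = m.group("body")
    entries = [(int(port), int(proto)) for port, proto in _ENTRY_RE.findall(body)]
    # Anything left in the body besides well-formed <port,proto> entries and commas is a syntax error,
    # and a typo here would break the policy compile when the policy is pushed.
    leftover = _ENTRY_RE.sub("", body).replace(",", "").strip()
    if leftover:
        raise ValueError(f"malformed table body: {body.strip()!r}")
    for port, proto in entries:
        if not (0 <= port <= 65535 and 0 <= proto <= 255):
            raise ValueError(f"out-of-range entry <{port},{proto}>")
    return entries


def table_is_valid(text: str) -> bool:
    """True if the text contains a well-formed no_misp_services_ports table."""
    try:
        parse_table(text)
        return True
    except ValueError:
        return False


def render_table(entries: List[Tuple[int, int]]) -> str:
    """Render entries back into the table.def syntax used on the page."""
    return "no_misp_services_ports = { " + ", ".join(f"<{p}, {proto}>" for p, proto in entries) + " };"


def add_services(text: str, new_entries: List[Tuple[int, int]]) -> str:
    """Merge new (port, protocol) pairs into the table, keeping existing entries and skipping duplicates."""
    entries = parse_table(text)
    for entry in new_entries:
        if entry not in entries:
            entries.append(entry)
    return _TABLE_RE.sub(lambda _m: render_table(entries), text, count=1)
```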

The links below are handy for reference:

http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers

http://en.wikipedia.org/wiki/Transmission_Control_Protocol

http://en.wikipedia.org/wiki/User_Datagram_Protocol

Checkpoint: Nokia Clish Command Reference

Some clish commands that are incredibly handy but not worth committing to memory, as they’re only used every 4th blue moon. Thanks secmanager.org.

—setting default gateway
set static-route default nexthop gateway address 192.168.29.2 priority 1 on

—adding static routes
set static-route 172.23.124.150/32 nexthop gateway address 192.168.29.50 on

—Add proxy arp
add arpproxy address 192.168.29.56 macaddress 0:a0:8e:7d:13:d0
add arpproxy address 192.168.29.57 macaddress 0:a0:8e:7d:13:d0

—Add an interface
set interface eth1 speed 100M duplex full active on
add interface eth1c0 address 192.168.29.54/24 enable

—VRRP

set vrrp accept-connections on
set vrrp coldstart-delay 60

set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth2c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 on
set vrrp interface eth1c0 monitored-circuit vrid 54 monitored-interface eth3c0 priority-delta 10
set vrrp interface eth1c0 monitored-circuit vrid 54 priority 100
set vrrp interface eth1c0 monitored-circuit vrid 54 hello-interval 1
set vrrp interface eth1c0 monitored-circuit vrid 54 vmac-mode default-vmac
set vrrp interface eth1c0 monitored-circuit vrid 54 backup-address 192.168.29.1 on

—Set ntp servers

add ntp server 10.1.1.2 version 3 prefer yes
add ntp server 10.1.1.1 version 3 prefer yes

—Setting Time zone

set date timezone-city "Greenwich (GMT)"

—Add hostname

set hostname testbox

—Add Host address assignments

add host name testbox ipv4 192.168.29.54

CheckPoint: ISP Redundancy Limitations

When using ISP redundancy with load-balancing, there are a number of limitations where routing comes into play. I’ll try to bullet point a few rules:

* In general, traffic responses will be routed back through the pipe the requests went out on. (You can force it to do otherwise, but then you are into asymmetric routing and you will be lucky to get your responses.)

* Anything with a static NAT will be forced out through the 1st link.

* You can force certain services to go through your first link but you cannot force anything to go through your 2nd link – see the instructions above.

* You cannot use hide NAT to force anything to go through one link or the other – Checkpoint per se does not support source-based routing (policy-based routing).

* You can in theory force one particular machine to route through the 1st link by statically NATing it to a free public address on your subnet, but you will need 1 routable IP per machine for which this is to be done. You cannot force any traffic / services through your 2nd link.

If you really need the flexibility to route your traffic based on services and/or source IPs then you can:

* install a router in front of your firewall which does policy-based routing

* if you are running on Linux or SecurePlatform then you can configure policy-based routing with iproute2 (this will NOT be supported by Checkpoint)

* if you are running on Nokia IPSO boxes then policy-based routing functionality is built in from IPSO 4.2 build 069 onwards.