controlling connections configured with isp redundancy in load sharing mode
Post on 13-Jan-2016
Controlling connections configured with ISP Redundancy in Load Sharing mode
Solution ID: sk42636
Product: Security Gateway, ClusterXL
Version: All
Platform / Model: All
Date Created: 24-Aug-2009
Last Modified: 19-Mar-2014
SYMPTOMS
Connections from the same source pass through only one of the ISP channels, rather than through both ISP channels per the Round-Robin mechanism, when the Security Gateway is configured with ISP Redundancy in Load Sharing mode.
CAUSE
This behavior is the default design of ISP Redundancy in Load Sharing mode.
SOLUTION
Background:
By default, in ISP Redundancy in Load Sharing mode, connections from the same "Client" located behind the Gateway/Cluster are sent out the Gateway/Cluster every time over the same ISP channel.
This is a sort of "Client Stickiness" mode. This mode was chosen to be the default, because it is the best way to distribute connections between two ISP channels without losing communications that use dynamic ports or port redirection (e.g., FTP, VoIP, etc).
These are the relevant attributes of the Gateway / Cluster object in the database, which can be changed via GuiDbEdit Tool:
misp_cache_use_cln - when enabled, controls "Client" stickiness (default value: "true")
misp_cache_use_srv - when enabled, controls "Server" stickiness (default value: "false")
Procedure:
Close all SmartConsole windows (SmartDashboard, SmartView Tracker, etc).
Connect to Security Management Server with GuiDbEdit Tool.
In the upper left pane, go to 'Table' - 'Network Objects' - 'network_objects'.
In the upper right pane, select the relevant Gateway object (in Class Name column appears as 'gateway_ckp') / select the relevant Cluster (in Class Name column appears as 'gateway_cluster').
In the lower pane, in Field Name column - find firewall_settings - scroll down to misp_cache_use_cln and misp_cache_use_srv parameters.
Right-click on the parameter - choose 'Edit...'.
Change the Value of the parameter - click 'OK':
Since there are 2 parameters and each parameter has 2 possible values, there are 4 possible configurations:
1. (misp_cache_use_cln = true) and (misp_cache_use_srv = false) - all connections from the same "Client" will be sent out over the same ISP channel (each Source IP address is cached independently from other Source IP addresses).
2. (misp_cache_use_cln = false) and (misp_cache_use_srv = true) - all connections to the same "Server" will be sent out over the same ISP channel - not recommended (each Destination IP address is cached independently from other Destination IP addresses).
3. (misp_cache_use_cln = true) and (misp_cache_use_srv = true) - all connections from the same "Client" to the same "Server" will be sent out over the same ISP channel (each Source and Destination IP addresses are cached independently from other Source and Destination IP addresses).
4. (misp_cache_use_cln = false) and (misp_cache_use_srv = false) - all connections will be sent out randomly over both ISP channels - not recommended.
Go to 'File' menu - click on 'Save All'.
Close GuiDbEdit Tool.
Connect to Security Management Server with SmartDashboard.
Install the policy onto Gateway / Cluster object.
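To make the four combinations concrete, the following added example (a simplified model, not Check Point code) treats the stickiness cache as a lookup keyed on source and/or destination IP and shows which ISP channel each connection takes. The link names, the IP addresses and the round-robin choice for uncached keys are assumptions made for illustration; the page itself describes the selection in configuration 4 as random.

```python
from itertools import cycle

LINKS = ("ISP-1", "ISP-2")  # constructed link names


class StickinessModel:
    """Toy model of the cache controlled by misp_cache_use_cln / misp_cache_use_srv."""

    def __init__(self, use_cln, use_srv):
        self.use_cln = use_cln
        self.use_srv = use_srv
        self._cache = {}
        # Assumption: uncached keys are assigned to links in round-robin order.
        self._next_link = cycle(LINKS)

    def route(self, src, dst):
        # The cache key contains only the fields whose stickiness is enabled.
        key = (src if self.use_cln else None, dst if self.use_srv else None)
        if key == (None, None):
            # Both flags false: nothing is cached, every connection is re-balanced.
            return next(self._next_link)
        if key not in self._cache:
            self._cache[key] = next(self._next_link)
        return self._cache[key]


# Constructed sample: an FTP control and data connection between the same
# client and server, then the same client to another server, then a second client.
CONNS = [
    ("10.0.0.5", "198.51.100.10"),  # FTP control
    ("10.0.0.5", "198.51.100.10"),  # FTP data (dynamic port, same IP pair)
    ("10.0.0.5", "203.0.113.20"),
    ("10.0.0.6", "198.51.100.10"),
]


def simulate(use_cln, use_srv, conns=CONNS):
    """Return the link chosen for each connection under one configuration."""
    model = StickinessModel(use_cln, use_srv)
    return [model.route(src, dst) for src, dst in conns]


if __name__ == "__main__":
    for cln, srv in ((True, False), (False, True), (True, True), (False, False)):
        print(f"use_cln={cln!s:5} use_srv={srv!s:5} -> {simulate(cln, srv)}")
```

In this model only the last combination places the FTP control and data connections on different ISP channels, which is the dynamic-port breakage the default client stickiness is meant to avoid.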
Related Solutions:
sk23630 (Advanced configuration options for ISP redundancy)
sk25152 (Static (Hide) NAT fails for outgoing connections through gateway with ISP Redundancy in Load Sharing mode)
©2014 Check Point Software Technologies Ltd. All rights reserved.
Check Point Software Technologies, Inc. is a wholly owned subsidiary of Check Point Software Technologies Ltd.