Issue with routing based on ABR/PBR

mohammed1987 — Tue, 14 Apr 2026 21:24:14 GMT

let have a brief of what is installed on the customer side : this is a swap porject from sophos to checkpoint, and each time i plan a migration, it is gone unsuccessful et we roll back.

- Smart1 base 700S

- 2 quantum 9100 in clusterXL HA configuration Mode : LAN port 172.16.4.0/22 and the Main IP address 172.16.7.254. DMZ 10.100.0.254/24 web services, 7 WANs interfaces 10.10.x.254/24 x from 11 to 17, each WAN is behind broadband isp router with static IP public let say 1.1.x.254,

the customer has SDWAN routing on sophos but he only use it to match group with source IP addresses to loadbalancing its traffics to its 7 WANs.

this source IP addresses groups have this logic :
- Group manager IP addresses take WAN1 to Internet and WAN2 as backup
- Group IT Stuff IP addresses take WAN7 to Internet and WAN1 as backup
and so on.

unfortunately there is no sdwan features acquired but we have implement a solution based on PBR/ABR sk167135 so we route traffic based on PBR that match fw rules.

the issue that we are facing instability behavior, sometimes its works and sometime no!!!

[Expert@GAMemberGw1:0]# dbget -arv fwrules
fwrules:instance
fwrules:instance:default
fwrules:instance:default:rulenum
fwrules:instance:default:rulenum:39 t
fwrules:instance:default:rulenum:39:name PBR_Directeurs
fwrules:instance:default:rulenum:39:uuid 8467ccd2-9607-4789-8376-ddfa4e7f61e8
fwrules:instance:default:rulenum:40 t
fwrules:instance:default:rulenum:40:name PBR_DSI
fwrules:instance:default:rulenum:40:uuid 47bf3233-21b5-48cc-910c-8cc886ff7023

-------------------------

Expert@GAMemberGw1:0]# ps aux | grep rtgpbrd
admin 1927 0.0 0.0 9148 1104 pts/1 S+ 18:34 0:00 grep --color=auto rtgpbrd
admin 23132 0.0 0.0 8392 4048 ? Ss 18:12 0:00 /bin/rtgpbrd
[Expert@GAMemberGw1:0]# cat /tmp/fwpbr*
cat: /tmp/fwpbr*: No such file or directory
[Expert@GAMemberGw1:0]#
Expert@GAMemberGw1:0]# ip rule
0: from all lookup local
101: from all fwmark 0x27000000/0xff000000 iif Mgmt lookup 1
102: from all fwmark 0x28000000/0xff000000 iif Mgmt lookup 2
103: from all fwmark 0x29000000/0xff000000 iif Mgmt lookup 3
104: from all fwmark 0x2a000000/0xff000000 iif Mgmt lookup 4
105: from all fwmark 0x2b000000/0xff000000 iif Mgmt lookup 5

Expert@GAMemberGw1:0]# ip route
1.1.1.1 proto 7
nexthop via 10.10.1.1 dev ethx1 weight 1
nexthop via 10.10.2.1 dev ethx2 weight 1
nexthop via 10.10.3.1 dev ethx3 weight 1

8.8.8.8 proto 7
nexthop via 10.10.1.1 dev ethx1 weight 1
nexthop via 10.10.2.1 dev ethx2 weight 1
nexthop via 10.10.3.1 dev ethx3 weight 1

------

--------

C:\Users\meden>tracert www.iam.ma

Détermination de l’itinéraire vers www.iam.ma.cdn.cloudflare.net [104.18.3.230]
avec un maximum de 30 sauts :

1 GAMemberGw1 [172.20.3.251] rapports : Impossible de joindre le réseau de destination.

Itinéraire déterminé.

C:\Users\meden>tracert www.iam.ma

Détermination de l’itinéraire vers www.iam.ma.cdn.cloudflare.net [104.18.3.230]
avec un maximum de 30 sauts :

1 GAMemberGw1 [172.20.3.251] rapports : Impossible de joindre le réseau de destination.

Itinéraire déterminé.

C:\Users\meden>tracert www.iam.ma

Détermination de l’itinéraire vers www.iam.ma.cdn.cloudflare.net [104.18.2.230]
avec un maximum de 30 sauts :

1 5 ms 4 ms 4 ms GAMemberGw1 [172.20.3.251] ---------- SGW IP LAN
2 5 ms 6 ms 7 ms 10.10.3.1
3 8 ms 14 ms 8 ms 41.141.160.1
^C
C:\Users\meden>tracert www.iam.ma

Détermination de l’itinéraire vers www.iam.ma.cdn.cloudflare.net [104.18.2.230]
avec un maximum de 30 sauts :

1 GAMemberGw1 [172.20.3.251] rapports : Impossible de joindre le réseau de destination.

Itinéraire déterminé.

Any one can help please?

topic Issue with routing based on ABR/PBR in Firewall and Security Management

Issue with routing based on ABR/PBR