topic Re: Routing processing order (VPN, PBR, Routing Table) in Firewall and Security Management

Routing processing order (VPN, PBR, Routing Table)

51ce833e-a8ec-4 — Tue, 07 Apr 2020 07:08:46 GMT

Hi,

I would like to know the order of processing routes in a security gateway.

Main purpose is to apply PBR rules on traffic that decrypted from site to site VPN or from VPN Routing. is this possible?

Re: Routing processing order (VPN, PBR, Routing Table)

_Val_ — Tue, 07 Apr 2020 07:49:24 GMT

Can you elaborate of the use case?

Re: Routing processing order (VPN, PBR, Routing Table)

_Val_ — Tue, 07 Apr 2020 07:52:17 GMT

Anyhow,

Here is a quote from https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100500

The following features/blades are not supported with PBR:

IPv6
URL Filtering
IPS
Locally-generated traffic
Security Servers
Data Loss Prevention (DLP) blade
VPN Domain Based
VPN Route Based
Anti-Spam blade
Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
ISP Redundancy
The following applications (which use Check Point Active Streaming [CPAS]):
- VoIP (H323, SIP, Skinny, etc.)
- HTTPS Inspection
- HTTP Header Spoofing
- HTTP Proxy
- IMAP in IPS

Re: Routing processing order (VPN, PBR, Routing Table)

51ce833e-a8ec-4 — Tue, 07 Apr 2020 08:17:07 GMT

I'm trying to implement site to site VPN and avoid asymmetric routing.
Let's say we have two sites connected through a GW cluster each site, both managed by the same Security Management.

VPN FWs are connected (via switch) to Core FW (which acts as the default gateway in the network) at each site

VPN FWs are also directly connected to each segment in the network to reduce traffic on Core FW

traffic between VPN domains in this case is going through asymmetric paths and it makes applications go slow (or even not work)

I would like to force traffic between VPN domains to be routed to the Core FW regardless of directly connected subnets in the system routing table

I hope this was clear because I know it's not a usual use-case.

Re: Routing processing order (VPN, PBR, Routing Table)

_Val_ — Tue, 07 Apr 2020 08:28:08 GMT

Okay, that makes sense. Unfortunately, you cannot do PBR and VPN on the same box. What is feasible is breaking VPN tunnel on another device and then send traffic to PBR box. You can actually achieve this with VSX.

Re: Routing processing order (VPN, PBR, Routing Table)

51ce833e-a8ec-4 — Tue, 07 Apr 2020 08:30:25 GMT

Thank you very much !

Re: Routing processing order (VPN, PBR, Routing Table)

r31N3r — Fri, 02 Oct 2020 10:39:46 GMT

Hello Val,

do the restrictions to PBR just hit the networks/IP-Range/IF touched by PBR or have these restrictions impact to the whole gateway?

Re: Routing processing order (VPN, PBR, Routing Table)

_Val_ — Fri, 02 Oct 2020 12:03:53 GMT

Whole GW