topic Re: PBR road-map and URLF/Identity requirements (policy-based routing) in Firewall and Security Management

PBR road-map and URLF/Identity requirements (policy-based routing)

Garrett_DirSec — Wed, 02 Nov 2022 15:14:14 GMT

Hello-- larger existing CP customer testing Policy-based Routing (aka "PBR") and disappointed on current incantation.

Based on sk100500, it appears that PBR operates at layer4 and currently can't make any decisions based on upper layers -- nor can higher level blades features be applied to traffic AFTER a PBR decision.

Customer would like to do the following. Both not possible today.

make PBR decision based on identity
apply URLF policy to traffic following PBR decision.

Any road-map, work-arounds, or insight would be appreciated. Thanks -GA

reference Policy-based Routing -- SK100500

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100500

excerpts:

Routing and Firewall Processing

It is important to note that routing tables, including PBR tables, are checked after firewall processing is complete.
This means that in situations such as NAT, routing rules are checked against the original source address (refer to sk101562).

The following features/blades are not supported with PBR:

<basically... everything>

Re: PBR road-map and URLF/Identity requirements (policy-based routing)

Wolfgang — Wed, 02 Nov 2022 15:30:53 GMT

@Garrett_DirSec do you know Policy-Based Routing and Application-Based Routing in Gaia.

New features allowing PBR based on applications.

Re: PBR road-map and URLF/Identity requirements (policy-based routing)

Garrett_DirSec — Wed, 02 Nov 2022 15:43:40 GMT

Hello @Wolfgang -- thanks for your msg and post. I was not aware of this SK. I will post feedback on Sk100500 to reference the newer sk167135.

While the addition of application to decision logic, this doesn't address customer requirements to operate based on identity and apply URLF to traffic post-decision.

Sincere thanks for the insight. I hope it comes in handy in future. -GA

Re: PBR road-map and URLF/Identity requirements (policy-based routing)

rdevarak — Thu, 03 Nov 2022 05:07:42 GMT

Hello @Wolfgang - thanks for pointing out the right sk (sk167135).

@Garrett_DirSec : PBR/ABR does support identity rules. Please contact me directly for further help.

-Raghu

Re: PBR road-map and URLF/Identity requirements (policy-based routing)

Wolfgang — Thu, 03 Nov 2022 06:56:36 GMT

In addition to @rdevarak snip from sk167135 for support of identities:

The purpose of extending the basic PBR rule criteria to include Firewall rule is to enable users to match on configured Firewall rules and forward traffic accordingly. This extension of PBR functionality forwards the traffic based on application, service, users, time, location, and many more, as supported by FW rules.

But as you mentioned, applying rules after PBR will be problematic.

Re: PBR road-map and URLF/Identity requirements (policy-based routing)

rdevarak — Thu, 03 Nov 2022 07:21:17 GMT

It can only be done in hairpin topology (LIG - Legal Interception Gateway) with another peer FW. May be with VSX but it is an interesting scenario to explore it further.

Re: PBR road-map and URLF/Identity requirements (policy-based routing)

emmap — Thu, 03 Nov 2022 07:27:56 GMT

Out of curiosity, what's the use-case for performing security decisions after the outbound routing?

Re: PBR road-map and URLF/Identity requirements (policy-based routing)

Garrett_DirSec — Thu, 03 Nov 2022 22:25:19 GMT

Hello @emmap -- great question.

customer has various use-case scenarios where one of three uplinks would be used.

when the traffic is from end-user, the requirement is to enforce URLF on traffic, regardless of PBR/PBF decision.

thanks -GA