https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-steer-web-browsing-traffic-through-an-ipsec-tunnel-to/m-p/197011#M36762 <P>Hi</P><P>If you implement the Netskope IPsec tunnel option for traffic steering: the documentation states that you can use PBR;</P><P><A href="https://docs.netskope.com/en/netskope-help/traffic-steering/ipsec/" target="_blank">https://docs.netskope.com/en/netskope-help/traffic-steering/ipsec/</A></P><P><EM>"Configure the IPSec tunnels for your vendor’s source identity devices. Use policy-based routing to steer HTTP/HTTPS traffic on ports 80 and 443 through the IPSec tunnels. If you have the Cloud Firewall license, you can also steer non-HTTP(s) traffic like TCP, UDP, and ICMP through the tunnels. To see vendor specific integration guides: IPSec and GRE."</EM></P><P>If you follow the hyperlink for the vendor-specific integration guide Checkpoint isnt listed;</P><P><A href="https://docs.netskope.com/en/netskope-help/integrations-439794/ipsec-and-gre/" target="_blank">https://docs.netskope.com/en/netskope-help/integrations-439794/ipsec-and-gre/</A></P><P>How can we leverage sk167135 to steer http and https traffic through a Netskope tunnel?</P><P>It sounds like an ideal solution for ABR, but it also sounds like PBR can't be used with route based vpns so this would need to be a domain based VPN(?).</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Fri, 03 Nov 2023 09:33:55 GMT LazarusG 2023-11-03T09:33:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-steer-web-browsing-traffic-through-an-ipsec-tunnel-to/m-p/197011#M36762 <P>Hi</P><P>If you implement the Netskope IPsec tunnel option for traffic steering: the documentation states that you can use PBR;</P><P><A href="https://docs.netskope.com/en/netskope-help/traffic-steering/ipsec/" target="_blank">https://docs.netskope.com/en/netskope-help/traffic-steering/ipsec/</A></P><P><EM>"Configure the IPSec tunnels for your vendor’s source identity devices. Use policy-based routing to steer HTTP/HTTPS traffic on ports 80 and 443 through the IPSec tunnels. If you have the Cloud Firewall license, you can also steer non-HTTP(s) traffic like TCP, UDP, and ICMP through the tunnels. To see vendor specific integration guides: IPSec and GRE."</EM></P><P>If you follow the hyperlink for the vendor-specific integration guide Checkpoint isnt listed;</P><P><A href="https://docs.netskope.com/en/netskope-help/integrations-439794/ipsec-and-gre/" target="_blank">https://docs.netskope.com/en/netskope-help/integrations-439794/ipsec-and-gre/</A></P><P>How can we leverage sk167135 to steer http and https traffic through a Netskope tunnel?</P><P>It sounds like an ideal solution for ABR, but it also sounds like PBR can't be used with route based vpns so this would need to be a domain based VPN(?).</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P> Fri, 03 Nov 2023 09:33:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-steer-web-browsing-traffic-through-an-ipsec-tunnel-to/m-p/197011#M36762 LazarusG 2023-11-03T09:33:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-steer-web-browsing-traffic-through-an-ipsec-tunnel-to/m-p/197039#M36765 <P>Regarding sk167135 and the table therein which version is your gateway?</P> Fri, 03 Nov 2023 13:04:14 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-steer-web-browsing-traffic-through-an-ipsec-tunnel-to/m-p/197039#M36765 Chris_Atkinson 2023-11-03T13:04:14Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-steer-web-browsing-traffic-through-an-ipsec-tunnel-to/m-p/197046#M36766 <P>Hi</P><P>&nbsp;</P><P>Product Name: SVN Foundation<BR />SVN Foundation Version String: R81.10<BR />SVN Foundation Build Number: 996000057<BR />SVN Foundation Status: OK<BR />OS Name: Gaia<BR />OS Major Version: 3<BR />OS Minor Version: 10<BR />OS Build Number: -<BR />OS SP Major: -<BR />OS SP Minor: -<BR />OS Version Level:<BR />Appliance SN:<BR />Appliance Name: PowerEdge R730<BR />Appliance Manufacturer: Other</P><P>This is Check Point CPinfo Build 914000234 for GAIA<BR />[FW1]<BR />HOTFIX_R81_10_JUMBO_HF_MAIN Take: 94<BR />HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE<BR />HOTFIX_GOT_TPCONF_AUTOUPDATE<BR />HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE</P><P>FW1 build number:<BR />This is Check Point's software version R81.10 - Build 035<BR />kernel: R81.10 - Build 036</P><P>route based vpn with PBR or even application based routing might make sense but from SK167135 I understand VTI and PBR isnt supported?</P><P>&nbsp;</P> Fri, 03 Nov 2023 14:37:50 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-steer-web-browsing-traffic-through-an-ipsec-tunnel-to/m-p/197046#M36766 LazarusG 2023-11-03T14:37:50Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-steer-web-browsing-traffic-through-an-ipsec-tunnel-to/m-p/197102#M36770 <P>The table suggests should be possible from R80.40 and above with VTI / route based?</P> <P>Whether that's what's required / supported by Netskope I couldn't say.</P> Sat, 04 Nov 2023 13:35:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-steer-web-browsing-traffic-through-an-ipsec-tunnel-to/m-p/197102#M36770 Chris_Atkinson 2023-11-04T13:35:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-steer-web-browsing-traffic-through-an-ipsec-tunnel-to/m-p/197481#M36891 <P>thanks - I think it would be really nice to use PBR/ABR with route based vpn and maybe unnumbered vti but I found there is a solution published since 2022;<BR /><BR /><A href="https://support.checkpoint.com/results/sk/sk179920" target="_blank">Configuring Site-to-Site VPN between a Check Point Gateway and Netskope</A></P> Wed, 08 Nov 2023 17:01:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-steer-web-browsing-traffic-through-an-ipsec-tunnel-to/m-p/197481#M36891 LazarusG 2023-11-08T17:01:54Z