topic Re: PBR and Source NAT in Firewall and Security Management

PBR and Source NAT

Axel_Winterberg — Thu, 27 Jun 2024 08:27:11 GMT

Hi Guys,

we have a Cluster running on R81.20 with JHF T65.

We want to separate WebEX from other traffic.

So I used the Updatable Object for allowing the Traffic to "WebEX Services".

In NAT-Rules I created a Source NAT:

internal Net --> WebEX Services NAT-IP 10.1.1.1 (hide) ---> original

Rule and NAT is working fine, BUT ....

I have configured PBR to work for Source IP.

BPR-Rule: If Source IP is 10.1.1.1 ---> Route Destination x.x.x.14

Default Route is x.x.x.254 (Loadbalancer)

So I expected, that the traffic, which has been source natted to 10.1.1.1 will use the

PBR Route for x.x.x.14 and NOT my default Route to the loadbalancer.

Unfortunately it still uses the default route!

Is the order for PBR..... first look up for PBR and than make Source NAT ???

Re: PBR and Source NAT

Lesley — Thu, 27 Jun 2024 08:40:16 GMT

And why not use the PBR route based on the real ip instead of NAT pool range?

Re: PBR and Source NAT

Axel_Winterberg — Thu, 27 Jun 2024 08:44:28 GMT

Because, that will match all traffic from the real IPs.
I do source NAT only for Destination WebEX Services.
So original Source with other Destination musst use default route.

Destination WebEX Services are Source natted and should use PBR Route

Re: PBR and Source NAT

Lesley — Thu, 27 Jun 2024 08:49:50 GMT

https://support.checkpoint.com/results/sk/sk163320

Re: PBR and Source NAT

Axel_Winterberg — Thu, 27 Jun 2024 08:52:57 GMT

Yes, i have seen it.

I will try another way to separate the traffic:

Enabling Firewall rule matching in PBR (Application-Based Routing)

The purpose of extending the basic PBR rule criteria to include Firewall rule is to enable users to match on configured Firewall rules and forward traffic accordingly. This extension of PBR functionality forwards the traffic based on application, service, users, time, location, and many more, as supported by FW rules.

Currently, this feature is supported to direct Office365 traffic to Microsoft Cloud and is being tested with other updatable SaaS and cloud service objects.

This feature is currently hidden. To enable it, run these commands on the Security Gateway in the Expert mode and reboot:

HostName:0# dbset process:rtgpbrd:runlevel 4

HostName:0# dbset process:rtgpbrd:path /bin

HostName:0# dbset process:rtgpbrd t

HostName:0# dbset :save

HostName:0# reboot

Re: PBR and Source NAT

Axel_Winterberg — Thu, 27 Jun 2024 08:54:23 GMT

I will test this scenario, if I get a maintenance window from the customer.

Re: PBR and Source NAT

Lesley — Thu, 27 Jun 2024 08:54:47 GMT

You mean then this SK correct? https://support.checkpoint.com/results/sk/sk167135

Re: PBR and Source NAT

Axel_Winterberg — Thu, 27 Jun 2024 08:58:09 GMT

Yes, have found sk167135.

Never tried this "hidden" feature. Will give it a try and will post my results.