topic Re: unable to access internal server application via webbrowser after creating the policy based rule in Firewall and Security Management

unable to access internal server application via webbrowser after creating the policy based rules

MaheshCheck — Tue, 17 Sep 2024 10:00:51 GMT

Dear ALl,

from USER VLAN unable to access internal server application via webbrowser after creating the policy based rules for sending the internet traffic 80 & 443 towards

ping ,tracert and telnet are working to that internal server IP but unable to access that application via browser

Please help me anyone.

Re: unable to access internal server application via webbrowser after creating the policy based rule

PhoneBoy — Tue, 17 Sep 2024 21:31:04 GMT

What is the precise behavior in the web browser?
What is shown in the logs?
What version/JHF is the gateway?
What exact configuration was done?
A simple network diagram and screenshots will be helpful.

Re: unable to access internal server application via webbrowser after creating the policy based rule

MaheshCheck — Wed, 18 Sep 2024 08:33:14 GMT

What is the precise behavior in the web browser?-Error The site is took loong to respon
What is shown in the logs?-Attached
What version/JHF is the gateway?-R81.20
What exact configuration was done?-I wanted to inform you that users have started facing issues after configuring policy-based routing for directing internet traffic (services 80 & 443) towards Zscaler via the configured GRE tunnel(This is only internet traffic).Which was worked before configuring policy routes

A simple network diagram and screenshots will be helpful.-attached(BFW & FFW both are checkpoint firewalls)

Re: unable to access internal server application via webbrowser after creating the policy based rule

emmap — Wed, 18 Sep 2024 09:47:09 GMT

Your network diagram doesn't show the Zscalers, do the gateways have an interface in the subnet that your PBR gateways reside in?

Re: unable to access internal server application via webbrowser after creating the policy based rule

MaheshCheck — Wed, 18 Sep 2024 09:51:05 GMT

Thanks for the reply

I have attached screenshot of GRE interface

Re: unable to access internal server application via webbrowser after creating the policy based rule

emmap — Wed, 18 Sep 2024 09:58:35 GMT

Have you done some tcpdumps on the interfaces involved to see the packets to/from the gateway?

Re: unable to access internal server application via webbrowser after creating the policy based rule

MaheshCheck — Wed, 18 Sep 2024 10:03:03 GMT

I did not take any TCP dumps, but since it's local traffic, I believe the PBR rule should not be impacting it.

Re: unable to access internal server application via webbrowser after creating the policy based rule

emmap — Wed, 18 Sep 2024 10:13:17 GMT

The PBR rule will send all port 80/443 traffic to the ZScaler, from what I can tell there. Is that not what you want?

Re: unable to access internal server application via webbrowser after creating the policy based rule

MaheshCheck — Wed, 18 Sep 2024 10:17:15 GMT

From 10.10.20.199 is unable to access 10.13.1.209 on 443 service .Earliar its worked befor policy route configuration and both the subnet are from firewalls only .see attached network diagram

Re: unable to access internal server application via webbrowser after creating the policy based rule

PhoneBoy — Wed, 18 Sep 2024 17:55:05 GMT

Sounds like you need to adjust your policy route to be more specific for the traffic you want to redirect over GRE.
Specify the sources and destinations (not just "any").
Currently, it appears ALL 80/443 traffic will go through this tunnel...which is probably not what you want in this case.

Re: unable to access internal server application via webbrowser after creating the policy based rule

MaheshCheck — Thu, 19 Sep 2024 07:33:20 GMT

We configured above PBR for routing all internet traffic (services 80 & 443) towards Zscaler Via GRE Tunnel

Could you please how do i create PBR for routing the traffic towards 10.13.1.209 as per the below information

The front firewall and back firewall are connected back-to-back in the 10.13.1.0/24 network, with the following details:

Front Firewall IP: 10.13.1.106

Back Firewall IP: 10.13.1.254

Server IP: 10.13.1.209

All three devices are on the same network

attached network diagram for reference

Re: unable to access internal server application via webbrowser after creating the policy based rule

PhoneBoy — Thu, 19 Sep 2024 14:33:08 GMT

To do that, I need to know exactly how the PBR routes that exist are currently configured.

Re: unable to access internal server application via webbrowser after creating the policy based rule

AmirArama — Mon, 30 Sep 2024 17:50:26 GMT

you just need to have upper PBR rules (lower number) to match by destination of the internal private IP ranges you use in your networks, and set the action to be Main table.

that way traffic directed to internal networks will use the main routing table, and other 80/443 that didn't match the upper rules, will go by the rule you currently have.