topic Re: PBR help please in Firewall and Security Management

PBR help please

Nenad_Odic — Mon, 07 Oct 2024 13:29:43 GMT

Dear friends i have never done PBR in Checkpoint so i need help suggestions for this concrete question.

I have read the SK's so i have some kind of understanding.

What baffles me is as you see in attach i have one internal network that should communicate with DC and it does.

Now we got second ISP ISP2 on the drawing, i want to send all internet traffic from that 1.1.1.1 LAN to that ISP2.

all other networks are going to internet to ISP1.

i have in static routes 0.0.0.0 next hop ISP1

and for the communication with DC i have x.x.x.x next hop some internal gw.

everything works .

Now i want to send\receive internet traffic from 1.1.1.1 to ISP2 and not to disrupt communication with DC.

Hope i was clear and simple.

thanks in advance 🙂

Re: PBR help please

PhoneBoy — Mon, 07 Oct 2024 15:40:37 GMT

Create an Action Table specifying ISP2's default route.
Create a policy rule that references this table something like below.
Only the source(s) specified will be routed to ISP2.

Re: PBR help please

Nenad_Odic — Tue, 08 Oct 2024 08:31:46 GMT

Thanks for help,

i have tried this kind of settings but than my communication from 1.1.1.1 to DC is broken .Internet works.

so do i have to have more than one rule or table regarding the dc communication?

Please help

thank you

Re: PBR help please

G_W_Albrecht — Tue, 08 Oct 2024 10:06:05 GMT

I would suggest to contact CP TAC to get this resolved!

Re: PBR help please

PeterL — Tue, 08 Oct 2024 13:01:17 GMT

It's been a while, but for as far as I can remember, PBR takes absolute precedence over all other routes. So if you create a Policy Based Route that sends all traffic from 1.1.1.1 to ISP2, you should add another PBR for the traffic from 1.1.1.1 towards DC as well.

Make sure to take the Hide-NAT for your internet traffic into account as well, as this will most probably differ between ISP1 and ISP2.

Just my two cents...

Re: PBR help please

Martijn — Wed, 09 Oct 2024 08:46:54 GMT

Hi,

You need to create two PBR rules in your PBR configuration and in the order below.

1. Traffic from 1.1.1.1 to DC needs to use the routing table (Main Table via internal gateway)
2. Traffic from 1.1.1.1 to internet needs to use the ISP2 Table.

If traffic goes to the DC, the first rule is hit. All other traffic is going via IPS2.

Maybe more rules are needed to suit your routing requirements.

Good luck.

Martijn

Re: PBR help please

Nenad_Odic — Fri, 11 Oct 2024 13:49:04 GMT

Thanks to you all i have managed to setup this to work .

There were some shenanigan's with the NAT but now it is solved .