topic Re: PBR Limitations question in Firewall and Security Management

PBR Limitations question

Roberto_Cardozo — Fri, 20 Mar 2020 04:51:18 GMT

Hi everyone.

I have a question regarding the use of PBR and their limitations

According to sk100500, the documented limitations regarding the use of PBR, include Domain Based VPN.

I currently have a client that has two ISPs and two LAN network segments (LAN1 and LAN2); the customer wants to segment their traffic, so LAN1 uses only ISP1 and LAN2 uses only ISP2. However, LAN1 using ISP1 has multiple s2s VPNs (Domain based) configured.

The question is, if I only use PBR to route LAN2 traffic through ISP2, will the VPNs established on LAN1 through ISP1 be affected?, or will PBR only affects the traffic in which it is applied? (in this case, we are attempting to apply PBR only through LAN2-->ISP2)

Extending the context of the question, PBR limitations only applies in traffic in which PBR rules are applied? or affects the entire traffic passing through the firewall?

Many thanks in advance.

Best regards.

Re: PBR Limitations question

Roberto_Cardozo — Fri, 20 Mar 2020 05:06:24 GMT

Hi again

By the way, another question is: what exactly is the limitation "locally-generated" traffic referring to?

Thank you again

Re: PBR Limitations question

PhoneBoy — Sat, 21 Mar 2020 07:24:54 GMT

The problem is that VPN Routing and regular routing somewhat conflict with one another as they operate at a similar area in the packet flow and the behavior may not be as expected.
Possible it still works, but it's an unsupported configuration.

Locally generated traffic refers to traffic that comes from the gateway itself.

Re: PBR Limitations question

Maarten_Sjouw — Sat, 21 Mar 2020 08:11:48 GMT

When you make sure that for the VPN remote peers the routing is properly set to ISP1, this should work just fine.
The point is that routing for the encrypted traffic will follow the route for the remote peer and cannot be rerouted by PBR.