https://community.checkpoint.com/t5/General-Topics/PBR-Behavior-for-Gaia-WebUI/m-p/197527#M33091 <P>"Locally-generated traffic" is a PBR limitation per&nbsp;<SPAN>sk167135.</SPAN></P> <P><SPAN>VSX or MDPS may help achieve the separation that you desire.</SPAN></P> Wed, 08 Nov 2023 23:06:09 GMT Chris_Atkinson 2023-11-08T23:06:09Z https://community.checkpoint.com/t5/General-Topics/PBR-Behavior-for-Gaia-WebUI/m-p/197522#M33090 <P>Without having a separate VRF for Management traffic I have added PBR rules to facilitate this for the Management interface which is connected to a downstream router that does the L3 routing for Internal networks.&nbsp; &nbsp;It is a simple PBR matching the source IP of the Management interface 10.254.254.61 and the 10.253.253.0/24 destination network where a client would be sourcing Management traffic ( HTTPS,SSH)&nbsp; The action table is also simple where the route back to the 10.253.253.0/24 destination network has next hop gateway IP 10.254.254.1 of the downstream router that the Checkpoint Management interface is connected to ( out-of-band from normal data traffic ).&nbsp; Of course there is a more generic route configured on the firewall for the internal private IP subnets pointing to the downstream router on a separate transit interface.&nbsp; The interesting part is that SSH management traffic gets routed appropriately via the PBR, so traffic ingresses the&nbsp; Management interface and egresses the Management interface.&nbsp; However management Gaia Webui 443 traffic does NOT seem to follow the PBR, instead the traffic ingresses the Management interface and egresses the transit interface with the more generic route.&nbsp; I have verified the traffic flows via fw monitor and disabled/enabled SecureXL just to make sure.&nbsp; The PBR does not define service ports.&nbsp; Any ideas?&nbsp;&nbsp;</P><P>R81.10 T110 on 6400 Cluster</P> Wed, 08 Nov 2023 23:04:51 GMT https://community.checkpoint.com/t5/General-Topics/PBR-Behavior-for-Gaia-WebUI/m-p/197522#M33090 Yeti 2023-11-08T23:04:51Z https://community.checkpoint.com/t5/General-Topics/PBR-Behavior-for-Gaia-WebUI/m-p/197527#M33091 <P>"Locally-generated traffic" is a PBR limitation per&nbsp;<SPAN>sk167135.</SPAN></P> <P><SPAN>VSX or MDPS may help achieve the separation that you desire.</SPAN></P> Wed, 08 Nov 2023 23:06:09 GMT https://community.checkpoint.com/t5/General-Topics/PBR-Behavior-for-Gaia-WebUI/m-p/197527#M33091 Chris_Atkinson 2023-11-08T23:06:09Z https://community.checkpoint.com/t5/General-Topics/PBR-Behavior-for-Gaia-WebUI/m-p/197528#M33092 <P>I did review this SK but wasn't sure if this particular scenario is considered as locally generated as the session is sourced outside of the firewall.&nbsp; Any reasons for only SSH working ?</P> Wed, 08 Nov 2023 23:11:24 GMT https://community.checkpoint.com/t5/General-Topics/PBR-Behavior-for-Gaia-WebUI/m-p/197528#M33092 Yeti 2023-11-08T23:11:24Z https://community.checkpoint.com/t5/General-Topics/PBR-Behavior-for-Gaia-WebUI/m-p/200716#M33478 <P>Is there any plan to resolve the Local-generated traffic&nbsp; limitation?</P> Fri, 15 Dec 2023 11:28:31 GMT https://community.checkpoint.com/t5/General-Topics/PBR-Behavior-for-Gaia-WebUI/m-p/200716#M33478 Luis_Miguel_Mig 2023-12-15T11:28:31Z https://community.checkpoint.com/t5/General-Topics/PBR-Behavior-for-Gaia-WebUI/m-p/200768#M33479 <P>I recommend approaching your local Check Point office with an RFE if this is needed.</P> Fri, 15 Dec 2023 18:55:57 GMT https://community.checkpoint.com/t5/General-Topics/PBR-Behavior-for-Gaia-WebUI/m-p/200768#M33479 PhoneBoy 2023-12-15T18:55:57Z