Nbto
Participant

Host access to Internet by using separate link than all traffic

Hello,

I have a small question. I'm not sure, but how can I configure one specific host to access the Internet by using a different link than all other traffic? It's a separate link (like all traffic goes via ISP1 and this host will go through ISP2). I would like to try configuring PBR: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

Maybe, I should use some static routes ?

I'm using R80.10.

Thx!

0 Kudos
1 Solution

Accepted Solutions
mdjmcnally
Advisor

PBR would be the way so that the host would use that link.

Please ensure that you check the Limitations listed in that SK article.

Basically, once you use more than the Firewall Blade, PBR is not supported.

If you need to use the Blades that are not supported with PBR then you could:

1.) Use a Proxy Server and configure it so that it is on a Network that leads off via ISP-2. Any other host needing to use ISP-2 would use that Proxy Server as well. Static Route to the Internal Network and then DG to the ISP-2 Router.

2.) Use VSX and use a separate VS that connects to ISP-2 for the Traffic from the Host, i.e. VSX would have a Static Route for the Internal Network and a Default Gateway via ISP-2. Any Hosts that need to use ISP-2 would have to connect via that separate VS to be routed out via ISP-2.

3.) If you have known targets then you can simply static route those destinations via ISP-2; useful for VPN targets, Backup Solutions, MessageLabs mail where you have a known hub IP to use.

All have certain limitations; however, with the information provided, that is the best that I can answer.


0 Kudos
5 Replies
Nbto
Participant

Thank you very much for your reply!

I'm just planning access to the Internet via an LTE Router from only this one host. The rest goes via the classical ISP.

I just want to make the CHP FW redirect traffic from this host to this router.

So, you think configuring just a static route should work?

 

0 Kudos
mdjmcnally
Advisor

With simply a Static Route, you would need to know the Destinations that it is going to. If it is for generic Web Browsing then that won't work.

Hence why I suggested that option last of the 3.

Policy Based Routing would be needed to do a route based on the Source IP, i.e. the 1 Host; however, Policy Based Routing is supported only when you have the Firewall Blade enabled. Once you start turning other Blades on then PBR is no longer supported.

0 Kudos
Nbto
Participant
Okay, I'm also wondering about solution number one, with the proxy server. Do you mean an HTTP/HTTPS Proxy on the CHP GW?
I'm not sure I understood it correctly. I should:
- Configure an HTTP/HTTPS Proxy on the CHP FW and redirect traffic to the interface which is connected to the LTE Router?
- Add a static route to the Internal network and the default gateway as the LTE Router.

But as I understand it, then the whole traffic will go via the LTE Router (ISP 2).
I just want it so that the host with IP 192.168.1.20 will access the Internet through the LTE Router and the whole rest will go through the ISP.

Thanks!
0 Kudos
mdjmcnally
Advisor

No, you would deploy a Proxy Server on a Network BETWEEN the Check Point and the LTE Router.

Something like Squid.

The Squid box would have 1 Interface and a Default Gateway to the LTE Router, and have a Static Route pointing back to your Internal Network via the Check Point, presuming you don't NAT the Internal Network behind the Check Point.

Hosts wanting to use the LTE Connection would point their Browser at the Squid. Squid would connect via the LTE Router as that is its default gateway.

No need to use the Proxy Feature on the Check Point at all.

It is NOT ideal, but it does work and keeps everything simple until Check Point provides support for using Policy Based Routing with more than just the Firewall Blade enabled.

0 Kudos
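The two replies above hinge on one distinction: a static route picks a next hop from the destination only (longest-prefix match, so it applies to every internal host), while PBR consults a source-matched rule first, which is why a plain static route cannot steer one host's generic browsing but a PBR rule or a known-destination route can. The model below is an added example written for this thread, not code from Check Point or from the posters; it also covers the Squid box topology from the last reply. Apart from the host 192.168.1.20 from the thread, every address (ISP-1 router, LTE router, the Check Point's interface on the network between it and the LTE router, the web and hub destinations) is a constructed RFC 5737/private value, and the class and function names are the example's own.

```python
# Added example (not from the CheckMates thread): a small model of destination-
# only static routing versus source-matched policy routing, plus the route table
# of a Squid host placed between the Check Point and the LTE router.
from ipaddress import ip_address, ip_network

HOST = "192.168.1.20"          # the one host from the thread
OTHER_HOST = "192.168.1.30"    # constructed: another internal host
ISP1_GW = "203.0.113.1"        # constructed: ISP-1 router, main default gateway
LTE_GW = "10.0.2.1"            # constructed: LTE / ISP-2 router
CP_LTE_SIDE_IF = "10.0.2.254"  # constructed: Check Point interface on the LTE-side network
WEB_SERVER = "93.184.216.34"   # constructed: "generic web browsing" destination
KNOWN_HUB = "198.51.100.5"     # constructed: a known target (VPN peer, backup, mail hub)


class RoutingTable:
    """Destination-based table: the most specific matching prefix wins."""

    def __init__(self):
        self.routes = []  # list of (network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ip_network(prefix), next_hop))

    def lookup(self, dst):
        addr = ip_address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


class PolicyRouter:
    """PBR in the style the thread describes: rules keyed on the SOURCE address
    are tried (lowest priority number first) before the main table."""

    def __init__(self, main_table):
        self.main = main_table
        self.rules = []  # list of (priority, source network, table)

    def add_rule(self, priority, src_prefix, table):
        self.rules.append((priority, ip_network(src_prefix), table))
        self.rules.sort(key=lambda r: r[0])

    def next_hop(self, src, dst):
        for _, src_net, table in self.rules:
            if ip_address(src) in src_net:
                nh = table.lookup(dst)
                if nh is not None:
                    return nh
        return self.main.lookup(dst)


def main_table():
    """Check Point main table: internal LAN directly attached, default via ISP-1."""
    t = RoutingTable()
    t.add("192.168.1.0/24", "internal-interface")
    t.add("0.0.0.0/0", ISP1_GW)
    return t


def static_routes_only():
    """Option 3: a static route for a known hub. It works for that hub, for
    every internal host, but the host's generic browsing still leaves via ISP-1."""
    t = main_table()
    t.add("198.51.100.0/24", LTE_GW)  # known target reachable via ISP-2
    return {
        "host_to_web": t.lookup(WEB_SERVER),
        "host_to_hub": t.lookup(KNOWN_HUB),
        "other_to_hub": t.lookup(KNOWN_HUB),  # identical: the source is never consulted
    }


def with_pbr():
    """A single source-matched rule sends ALL of the host's traffic to a table
    whose default points at the LTE router. The table also needs the internal
    LAN route, otherwise host-to-LAN traffic would be thrown at the LTE router."""
    isp2 = RoutingTable()
    isp2.add("192.168.1.0/24", "internal-interface")
    isp2.add("0.0.0.0/0", LTE_GW)
    pbr = PolicyRouter(main_table())
    pbr.add_rule(10, HOST + "/32", isp2)
    return {
        "host_to_web": pbr.next_hop(HOST, WEB_SERVER),
        "host_to_lan": pbr.next_hop(HOST, OTHER_HOST),
        "other_to_web": pbr.next_hop(OTHER_HOST, WEB_SERVER),
    }


def squid_box_table():
    """Last reply: Squid on the network between the Check Point and the LTE
    router. Default gateway = LTE router; route back to the internal LAN via
    the Check Point (assumes the LAN is not NATed behind the Check Point)."""
    t = RoutingTable()
    t.add("0.0.0.0/0", LTE_GW)
    t.add("192.168.1.0/24", CP_LTE_SIDE_IF)
    return {"to_web": t.lookup(WEB_SERVER), "reply_to_host": t.lookup(HOST)}


if __name__ == "__main__":
    print("static routes only:", static_routes_only())
    print("with PBR:", with_pbr())
    print("Squid box:", squid_box_table())
```

The `with_pbr` case carries the caveat worth checking on a real gateway: a PBR table with only a default route captures the host's LAN traffic too, so the table must also hold the internal prefixes (or the rule must match narrower destinations). The `squid_box_table` case shows why the reply path matters: without the route back to 192.168.1.0/24 via the Check Point, the Squid host would answer the internal host through the LTE router.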
