ISP redundancy and specific traffic should pass through a particular ISP, and PBR configuration

Hi All,
We are in the process of deploying a new solution where we have two ISPs, and we are configuring ISP Redundancy so that certain (HTTP and HTTPS) traffic uses a specific ISP link, per sk32225.
We will configure four interfaces on my firewall: two external interfaces, one inside network and one DMZ network.
When my users access any HTTP and HTTPS traffic from the internet, it will pass through ISP-1, and the rest of the traffic will pass through ISP-2, as mentioned in sk32225.
We have some applications in the DMZ which are running on HTTPS and HTTP also.
I just want to confirm: if we apply PBR for internal users to access the DMZ subnet with HTTPS and HTTP services, will they reach the DMZ subnet? Will it work or not?
I am attaching a diagram for your reference.

10 Replies

Re: ISP redundancy and specific traffic should pass through a particular ISP, and PBR configuration

Abhishek,

your diagram isn't readable, it's too small.

Can you please explain your need in more detail? Why do you need PBR to reach the DMZ network from internal?

Normally the DMZ is reachable from internal via normal routing; ISP redundancy should not have an effect on this.

Wolfgang


Re: ISP redundancy and specific traffic should pass through a particular ISP, and PBR configuration


Thanks for your update. I am again attaching my proposed diagram.

I am explaining my requirement again: we have a Zscaler cloud proxy in my environment. The 1st external interface is connected to a Cisco ASR router, and we created a GRE tunnel between the Cisco ASR and Zscaler; the 2nd interface is connected to the 2nd ISP. We applied a PAC file for all users, so user traffic passes through the GRE tunnel.
We also have multiple servers in the internal network and the DMZ subnet; the servers don't have a PAC file. If anyone logs in to any server and accesses the internet, they will pass through ISP-2 (without any security policy), and we want to pass specific traffic (HTTPS and HTTP) through ISP-1, which we can achieve with sk32225.

But my next requirement is that we have one DMZ subnet, and communication from internal to DMZ and from DMZ to internal will be required on ports HTTP and HTTPS.

We can achieve this through PBR, but my question is: if we change the table.def file and allow specific traffic from ISP-1, and my internal user then tries to access a DMZ server, will it take the table.def configuration or will it work on PBR, so that the traffic reaches the DMZ, and vice versa?

Re: ISP redundancy and specific traffic should pass through a particular ISP, and PBR configuration

Using ISP Redundancy and the PBR feature together is not supported, see sk100500: Policy-Based Routing (PBR) on Gaia OS.

Book "Max Power 2020: Check Point Firewall Performance Optimization" Third Edition
Now Available at www.maxpowerfirewalls.com

Re: ISP redundancy and specific traffic should pass through a particular ISP, and PBR configuration

As far as I can remember, with R80.30 it is supported.

Wolfgang

Re: ISP redundancy and specific traffic should pass through a particular ISP, and PBR configuration

Can't seem to find any reference to support for ISP Redundancy with PBR being added in R80.30 vanilla or via Jumbo HFA, and there seem to be two separate SKs saying it is not supported.

Re: ISP redundancy and specific traffic should pass through a particular ISP, and PBR configuration

Thanks for your update, but if we apply PBR for my requirement, we need to create more than 200 PBR rules, which is difficult to manage. That's why I am planning to edit the table.def file to send particular traffic through ISP-1 and send the rest of the traffic through ISP-2.

If there is any solution for my requirement, please suggest it.

Regards

Abhishek


Re: ISP redundancy and specific traffic should pass through a particular ISP, and PBR configuration

I don't see why you need PBR for getting from Internal to DMZ or DMZ to Internal.

In order to send traffic over the specific ISP-1 link, you would add 80 and 443 (HTTP and HTTPS) to no_misp_services_ports.

This will only affect traffic going out over the ISP Redundancy links.

So this will NOT affect traffic from the DMZ to Internal or from Internal to the DMZ, as that traffic doesn't involve the ISP Redundancy interfaces.

As such, I don't see what you need PBR for here.
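A small Python model of the decision order this reply describes, added here as an example and not Check Point's code: directly connected routes (internal, DMZ) are matched before the ISP Redundancy service pin, so only internet-bound flows ever see the 80/443 rule. The subnets, sample flows and service set are assumptions, and the real table.def syntax is not reproduced.

```python
import ipaddress

# Constructed topology for illustration (assumption, not from the thread):
# internal and DMZ are directly attached networks; anything else leaves via
# the ISP Redundancy links.
LOCAL_NETS = {
    "internal": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
}

# Services pinned to ISP-1, standing in for the ports the reply says to add
# to no_misp_services_ports as (port, protocol). Assumed values; the real
# table.def entry format is not shown here.
ISP1_PINNED_SERVICES = {(80, "tcp"), (443, "tcp")}


def egress(dst_ip, dst_port, proto="tcp"):
    """Return the link a new connection leaves on.

    Directly connected networks are matched by ordinary routing first, so the
    service pin is never consulted for internal <-> DMZ traffic. Only traffic
    with no local route reaches the ISP Redundancy decision.
    """
    dst = ipaddress.ip_address(dst_ip)
    for name, net in LOCAL_NETS.items():
        if dst in net:
            return name
    if (dst_port, proto) in ISP1_PINNED_SERVICES:
        return "ISP-1"
    # In the poster's design everything not pinned goes out ISP-2.
    return "ISP-2"


def classify(flows):
    """Map each (dst_ip, dst_port, proto) flow to its egress link."""
    return {flow: egress(*flow) for flow in flows}


if __name__ == "__main__":
    # Constructed sample flows: internal user to a DMZ web server, DMZ server
    # to an internal host, and two internet-bound connections.
    sample = [
        ("10.2.0.10", 443, "tcp"),
        ("10.1.5.5", 80, "tcp"),
        ("203.0.113.10", 443, "tcp"),
        ("203.0.113.10", 22, "tcp"),
    ]
    for flow, link in classify(sample).items():
        print(f"{flow[0]}:{flow[1]}/{flow[2]} -> {link}")
```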


Re: ISP redundancy and specific traffic should pass through a particular ISP, and PBR configuration

I found this in "What's New in R80.30":

Advanced Routing

  • Multihop Ping and Multiple ISPs in Policy-Based Routing
  • Multihop Ping in Static Routes
  • BFD in Static Routes
  • VSX VSID in Netflow

The question is, does the first line mean ISP redundancy => "Multiple ISPs"?


Re: ISP redundancy and specific traffic should pass through a particular ISP, and PBR configuration

As far as I have tested, Multi Hop PBR is a great tool, but it kind of "replaces" the active/passive ISP Redundancy mode, not the active/active mode.

I don't think that you can use ISP Redundancy and PBR together in 80.30 with beautiful results, since the last routing decision that matters is the one from ISP Redundancy, at least until R80.10.

In new deployments I like to use multi hop instead of ISP Redundancy in the case of active/passive, since you can add many ISPs.

Regards,

____________
https://www.linkedin.com/in/federicomeiners/

Re: ISP redundancy and specific traffic should pass through a particular ISP, and PBR configuration

Oh, great news! Do you have any document or any use case for that?