
PBR limitations

Hi Mates,

Reading sk100500, I was very surprised when it described:

The following features/blades are not supported with PBR:

  • IPv6
  • Locally-generated traffic
  • Security Servers
  • Data Loss Prevention (DLP) blade
  • Anti-Spam blade
  • Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
  • ISP Redundancy
  • The following applications (which use Check Point Active Streaming [CPAS]):
    • VoIP (H323, SIP, Skinny, etc.)
    • HTTPS Inspection
    • HTTP Header Spoofing
    • HTTP Proxy
    • IMAP in IPS

Despite my view that a routing feature on the gateway mustn't influence the security features, at the moment I need to have PBR on a gateway where MTA is active for the TEX blade.

In the environment where I'd like to implement PBR, with MTA enabled on an R80.10 gateway, PBR doesn't work.

Has anyone faced the same scenario?

Does someone know a workaround/solution?

9 Replies
Admin

Re: PBR limitations

Locally generated traffic accounts for most of the limitations, including MTA.

It would be useful to hear about your specific use case in a little more detail.


Re: PBR limitations

The idea is to implement PBR to move internet browsing from a proxy server inside the network out through a new provider.

I implemented PBR as I have in the past for other customers, but this is the first time PBR doesn't work.

I mean, running the "ip rule" command in expert mode on the gateway, I see the matches on my PBR rule.

Dumping the traffic, however, the packets are forwarded by the route in the main routing table.

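The post above checks `ip rule` for a match and then sees main-table forwarding in tcpdump. As an added example (not code from this thread, from Check Point, or from sk100500), the following POSIX shell script models the Linux policy-routing lookup that `ip rule show` and `ip route show table <T>` expose in expert mode, over constructed sample output. It shows one way those two observations can both be true: a rule matches the source, but the table it points to has no route covering the destination, so the kernel skips that rule and continues with the next one, which is the main table. The table ids, addresses and interface names are assumptions for the example; the script does not model Check Point's own handling of locally generated traffic, which the SK lists as unsupported for PBR.

```shell
# Constructed sample of `ip rule show` output (example data, not from the thread).
# Rules are evaluated in ascending priority order.
RULES='0:     from all lookup local
10:    from 10.1.1.5 lookup 10
20:    from 10.1.1.6 lookup 20
32766: from all lookup main
32767: from all lookup default'

# Constructed sample of `ip route show table <T>` for each table (assumed ids/addresses).
# Table 20 deliberately has no default route: that is the failure mode demonstrated here.
route_table() {
  case "$1" in
    10)   printf '%s\n' 'default via 203.0.113.1 dev eth2' ;;
    20)   printf '%s\n' '192.0.2.0/24 via 203.0.113.1 dev eth2' ;;
    main) printf '%s\n' '10.1.1.0/24 dev eth0 scope link' 'default via 198.51.100.1 dev eth1' ;;
    *)    : ;;   # local/default tables: nothing relevant in this sample
  esac
}

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  local oldIFS=$IFS
  IFS=.; set -- $1; IFS=$oldIFS
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_prefix IP PREFIX -> true if IP is inside PREFIX ("a.b.c.d/len" or "default")
in_prefix() {
  [ "$2" = default ] && return 0
  local net len mask
  net=${2%/*}; len=${2#*/}
  mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# route_lookup TABLE DST -> prints the longest-prefix match ("via GW" or "dev IF");
# returns 1 when the table has no route covering DST
route_lookup() {
  local table=$1 dst=$2 best= best_len=-1 pfx rest len
  while read -r pfx rest; do
    [ -n "$pfx" ] || continue
    in_prefix "$dst" "$pfx" || continue
    len=0; [ "$pfx" = default ] || len=${pfx#*/}
    if [ "$len" -gt "$best_len" ]; then
      best_len=$len
      set -- $rest          # "via GW dev IF ..." or "dev IF scope link"
      best="$1 $2"
    fi
  done <<EOF
$(route_table "$table")
EOF
  [ -n "$best" ] && printf '%s\n' "$best"
}

# resolve SRC DST -> "table=<T> <nexthop>". Walks the rules in priority order; a rule
# that matches SRC but whose table has no route to DST is skipped and the lookup continues
# with the next rule, so the packet ends up in main even though `ip rule` shows a match.
resolve() {
  local src=$1 dst=$2 prio from sel lookup table nh
  while read -r prio from sel lookup table; do
    [ -n "$prio" ] || continue
    if [ "$sel" != all ]; then
      case $sel in */*) ;; *) sel=$sel/32 ;; esac   # bare host selector -> /32
      in_prefix "$src" "$sel" || continue
    fi
    if nh=$(route_lookup "$table" "$dst"); then
      printf 'table=%s %s\n' "$table" "$nh"
      return 0
    fi
  done <<EOF
$RULES
EOF
  echo unreachable
  return 1
}

# Demo: 10.1.1.5 is steered by table 10; 10.1.1.6 matches rule 20 but falls through to main
# for Internet destinations because table 20 only covers 192.0.2.0/24.
for pair in "10.1.1.5 8.8.8.8" "10.1.1.6 8.8.8.8" "10.1.1.6 192.0.2.7"; do
  set -- $pair
  printf '%s -> %s : ' "$1" "$2"; resolve "$1" "$2"
done
```

On a real Gaia box the equivalent check is `ip rule show` to find the rule that matched, then `ip route show table <id>` for that table to confirm it actually holds a route for the destination; the PBR configuration itself is done in clish, as the reply above notes, with expert mode used only to observe the result.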
Admin

Re: PBR limitations

Routing configuration changes need to be done via clish, not using the ip command in expert mode.

Are you using the security gateway as the explicit proxy in this case?


Re: PBR limitations

The "ip rule" command is described in the SK for debugging PBR on the Security Gateway.

Obviously, I implemented PBR from clish.

In reply to your question "Are you using the security gateway as the explicit proxy in this case?", the answer is no; I have an external proxy gateway.

Admin

Re: PBR limitations

So how is the traffic flowing from your clients to the Internet?

Since proxies are involved, I need to understand where the TCP connections are terminating.

And are you using the Transparent proxy option?


Re: PBR limitations

The browser on the client is configured to use an explicit proxy, and the communication starts from the client and terminates at the proxy.

The proxy then initiates the connection to the web site.

In other words, running tcpdump on the gateway, I see the IP of the proxy server as the source IP.

Admin

Re: PBR limitations

So do the packets from your internal proxy server terminate on another proxy server or just go to the Internet sites directly?

Also, you didn't answer my question about proxy mode.

The setting is here:


Re: PBR limitations

Hi Dameon,

The internal proxy goes out to the internet directly. There are no more proxies in the middle between the internal proxy and the internet.

In reply to the CKP proxy configuration question, the gateways are not configured as a proxy and the box on the property is not ticked.

Admin

Re: PBR limitations

I recommend opening a TAC case to troubleshoot this as, to the best of my knowledge, this should work.
