Hi,
Need some assistance setting up policy based routing or a static route. Basically just looking to route traffic from one VLAN out a secondary ISP link. Reading through the Policy based routing article SK100500, this does not give me the scenario. There is no way to specify "internet" as a destination.
Source: 192.168.178.x - Destination: Internet - Gateway - ISP 2 (eth1)
See my mspaint diagram below. Can anyone advise how I would route this traffic out my second ISP link?
Any advice/assistance would be great!
Cheers,

Called Check Point support, they didn't really understand what I meant, even after I drew them a basic diagram in Paint.
Hi Mike,
PBR is based on IP and Ports, there is no Internet Object as on regular policy.
To route VLAN178 through ISP2, and assuming ISP1 is configured as your default route, you have to do the following:
1. Create a new PBR table of type Default Route that points to ISP2 next hop address.
2. Add a new PBR rule with source Inbound Interface of VLAN178 (I'm assuming it is locally connected on a subinterface ethx.178) that uses the PBR table created earlier. In this case, you can't solely use the segment 192.168.178.X/XX since the Firewall probably has an IP address on this segment and it could lead to unwanted behavior.
Please note the following:
- Hide behind Gateway NAT or Hide Behind IP (on the ISP2 range) must be configured for VLAN178's Network Object to allow traffic to leave the ISP2 interface with the correct IP address. If you use Hide behind IP, Proxy ARP may be necessary.
- Since PBR is processed before the regular Routing Table, if you follow the two steps mentioned above, all traffic from VLAN178 will be redirected to the ISP2 link no matter what the final destination is. If you want to route to local networks, you will have to create a new PBR table including those you need to reach locally and specify the output interface (like a copy of your routing table); after that you need to create a PBR rule with lower priority pointing to this table.
- There is no automatic failover, so if ISP2 is down somewhere along the path, all traffic will still be sent to this link.
- If you have ISP Redundancy configured, PBR is bypassed.
Regards.
Wow! , thanks for the detailed response. Didn't expect that!
Will be giving this a shot today. Cheers
Just reporting back that this worked perfectly. Not sure why Check Point support couldn't have pointed me in this direction. Cheers.
It's great to know that, Mike!
We're here to help.
Regards.
Hi, sorry for the late answer, I wasn't available on the community for a while.
When you're using a default route statement, all traffic goes through that interface. So it is necessary to add each directly connected network entry to a PBR Rule/Table before the default route entry.
If I remember correctly, without the additional network entries, you're able to reach all firewall interfaces on any net (as long as you have firewall permissions) but not beyond that.
Regards.
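As an added illustration (not posted in the thread and not taken from Check Point's documentation), here are the Gaia clish commands that implement the two steps from the answer above plus the local-networks table from the follow-up reply. The subinterface eth2.178, the ISP2 next hop 203.0.113.1 and the second local VLAN 10.10.20.0/24 on eth2.20 are assumed placeholders, and the command syntax is written from memory of sk100500, so check it against the SK for your release before applying it.

```clish
# Added example, not from the thread. Assumed values: VLAN178 on eth2.178,
# ISP2 on eth1 with next hop 203.0.113.1, another local VLAN 10.10.20.0/24
# on eth2.20. Verify the syntax against sk100500 for your Gaia release.

# Step 1: a PBR table whose only entry is a default route via ISP2.
set pbr table ISP2 static-route default nexthop gateway address 203.0.113.1 priority 1

# Local-networks table (follow-up reply): a copy of the routes that must
# not leave via ISP2, each pointing at its directly connected interface.
set pbr table LOCAL static-route 10.10.20.0/24 nexthop gateway logical eth2.20 priority 1

# Step 2: PBR rules are evaluated lowest priority number first, so the rule
# sending local destinations to LOCAL must carry a lower number than the
# catch-all rule sending VLAN178 to ISP2. Matching on the inbound interface
# (not only the source segment) keeps the gateway's own VLAN178 IP out of it.
set pbr rule priority 10 match interface eth2.178
set pbr rule priority 10 match to 10.10.20.0/24
set pbr rule priority 10 action table LOCAL

set pbr rule priority 20 match interface eth2.178
set pbr rule priority 20 action table ISP2

# Hide NAT for the VLAN178 network object behind the ISP2 address is set in
# SmartConsole, not here. Review the result and persist it.
show pbr tables
show pbr rules
save config
```

One "match to" rule is needed per local destination network; with no matching LOCAL rule, the priority 20 rule sends everything from VLAN178, including local destinations, out ISP2.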