ISP Redundancy & Policy Based Routing
Hi,
I'm wondering if someone knows why ISP Redundancy & PBR are not compatible?
We did some tests and arrived at the conclusion that, for an unknown reason, some traffic is in the end not sent to the correct gateway...
Does someone know the reason why it's failing? I'm not asking for a confirmation or an RFE, just trying to understand the root cause...
Besides, is there any plan to support both features at the same time?
Thank you
Best regards
Nicolas
- Tags:
- isp redundancy
- pbr
Is this what you want to achieve?
Configuring ISP Redundancy so that certain traffic uses specific ISP Link
Last time I checked, ISP Redundancy and PBR were not supported together, but I'm not 100% sure on that; maybe someone from Check Point could confirm or deny it.
Hi,
No, in fact we are already using ISP Redundancy to load-balance traffic on 2 ISPs...
Besides, we would like to force guest traffic (a specific source IP range) to another line... That's why we tried to combine ISP Redundancy + PBR, even though we were aware that both are not supported.
Today we are trying to understand why both features are mutually exclusive.
Basically, it is what is stated in the SK: you can force a subnet to use a link.
This limitation is stated clearly in sk100500: Policy-Based Routing (PBR) on Gaia OS:
The following features/blades are not supported with PBR:
- IPv6
- Locally-generated traffic
- Security Servers
- Data Loss Prevention (DLP) blade
- VPN Domain Based
- VPN Route Based
- Anti-Spam blade
- Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
- ISP Redundancy
- The following applications (which use Check Point Active Streaming [CPAS]):
  - VoIP (H323, SIP, Skinny, etc.)
  - HTTPS Inspection
  - HTTP Header Spoofing
  - HTTP Proxy
  - IMAP in IPS
Why both features are mutually exclusive is rather obvious to me - PBR routes traffic based on rules, ISP load sharing routes it based on the current load...
Hi,
Yes, that's really strange, as we don't see any link between both features if we only focus our rules on the source IP address...
You have to understand that the two work at different levels: PBR is defined in the OS (e.g. GAiA) as Advanced Routing, while ISP Redundancy / LS is handled by the FW blade.
Günther, fully correct, but still difficult to understand why it's even ISP or PBR...
For 2 independent subnets that shouldn't be a problem, but I confirm it's not working...
We have an open discussion with TAC, and if an understandable reason is received I will share it here.
Too many limitations on network features. PBR is a very important feature when using dual ISP.
But it doesn't support......
You can always issue an RFE in Products and Feature Suggestions.
I have two ISP links and use PBR for separation.
First network SRC: 192.168.100.x goes to ISP1
Second network SRC: 192.168.101.x goes to ISP2
I want hosts in 101.x to go to the internet over ISP1 when ISP2 is broken.
I set two gateways in the PBR table for ISP2 (first gateway ISP2 with priority 1, second ISP1 with priority 2), but it can't switch automatically.
Can I do this with PBR, or must I use ISP Redundancy, or a combination of PBR and Redundancy?
