ISP Redundancy & Policy Based Routing

Hi,

I'm wondering if someone knows why ISP Redundancy & PBR are not compatible?

We did some tests and arrived at the conclusion that, for an unknown reason, some traffic is in the end not sent to the correct gateway...

Does someone know the reason why it's failing? I'm not asking for a confirmation or an RFE, just trying to understand the root cause...

Besides, is there any plan to support both features at the same time?

Thank you

Best regards

Nicolas

11 Replies

Re: ISP Redundancy & Policy Based Routing

Is this what you want to achieve?

Configuring ISP Redundancy so that certain traffic uses specific ISP Link

Last time I checked, ISP Redundancy and PBR were not supported together, but I'm not 100% sure on that; maybe someone from Check Point could confirm or deny it.

0 Kudos

Re: ISP Redundancy & Policy Based Routing

Hi,

No, in fact we are already using ISP Redundancy to load-balance traffic on 2 ISPs...

Besides, we would like to force guest traffic (specific source IP range) to another line... That's why we tried to combine ISP Redundancy + PBR, even though we were aware that both are not supported.

Today we are trying to understand why both features are mutually exclusive.

0 Kudos

Re: ISP Redundancy & Policy Based Routing

Basically, it is what is stated in the SK: you can force a subnet to use a link.

0 Kudos

Re: ISP Redundancy & Policy Based Routing

This limitation is stated clearly in sk100500: Policy-Based Routing (PBR) on Gaia OS:

The following features/blades are not supported with PBR:

  • IPv6
  • Locally-generated traffic
  • Security Servers
  • Data Loss Prevention (DLP) blade
  • VPN Domain Based
  • VPN Route Based
  • Anti-Spam blade
  • Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
  • ISP Redundancy
  • The following applications (which use Check Point Active Streaming [CPAS]):
    • VoIP (H323, SIP, Skinny, etc.)
    • HTTPS Inspection
    • HTTP Header Spoofing
    • HTTP Proxy
    • IMAP in IPS

0 Kudos

Re: ISP Redundancy & Policy Based Routing

Why both features are mutually exclusive is rather obvious to me - PBR routes traffic based on rules, ISP load sharing routes it based on the current load...

0 Kudos

Re: ISP Redundancy & Policy Based Routing

Hi,

Yes, that's really strange, as we don't see any link between both features if we only focus our rules on the source IP address...

0 Kudos

Re: ISP Redundancy & Policy Based Routing

You have to understand that the two work at different levels: PBR is defined in the OS (e.g. GAiA) as Advanced Routing, while ISP Redundancy / LS is handled by the FW blade.

0 Kudos

Re: ISP Redundancy & Policy Based Routing

Günther, fully correct but still difficult to understand why it's even ISP or PBR...

For 2 independent subnets that shouldn't be a problem but I confirm it's not working...

We have an open discussion with TAC, and if an understandable reason is received I will share it here.

0 Kudos

Re: ISP Redundancy & Policy Based Routing

Too many limitations on network features. PBR is a very important feature when using dual ISP.

But it doesn't support......

0 Kudos

Re: ISP Redundancy & Policy Based Routing

You can always issue an RFE in Products and Feature Suggestions.

Re: ISP Redundancy & Policy Based Routing

I have two ISP links and use PBR for separation.

First network SRC: 192.168.100.x goes to ISP1

Second network SRC: 192.168.101.x goes to ISP2

I want hosts in 101.x to go to the internet over ISP1 when ISP2 is broken.

I set two gateways on the PBR table for ISP2 (first gateway ISP2 with priority 1, second ISP1 with priority 2), but it can't switch automatically.

Can I do this with PBR, or must I use ISP Redundancy, or a combination of PBR and Redundancy?

0 Kudos