This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Yeti
Participant
‎2023-11-08 02:57 PM
Jump to solution

PBR Behavior for Gaia WebUI

Without having a separate VRF for Management traffic I have added PBR rules to facilitate this for the Management interface which is connected to a downstream router that does the L3 routing for Internal networks.   It is a simple PBR matching the source IP of the Management interface 10.254.254.61 and the 10.253.253.0/24 destination network where a client would be sourcing Management traffic ( HTTPS,SSH)  The action table is also simple where the route back to the 10.253.253.0/24 destination network has next hop gateway IP 10.254.254.1 of the downstream router that the Checkpoint Management interface is connected to ( out-of-band from normal data traffic ).  Of course there is a more generic route configured on the firewall for the internal private IP subnets pointing to the downstream router on a separate transit interface.  The interesting part is that SSH management traffic gets routed appropriately via the PBR, so traffic ingresses the  Management interface and egresses the Management interface.  However management Gaia Webui 443 traffic does NOT seem to follow the PBR, instead the traffic ingresses the Management interface and egresses the transit interface with the more generic route.  I have verified the traffic flows via fw monitor and disabled/enabled SecureXL just to make sure.  The PBR does not define service ports.  Any ideas?  

R81.10 T110 on 6400 Cluster

0 Kudos
1 Solution

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-11-08 03:06 PM
Jump to solution

"Locally-generated traffic" is a PBR limitation per sk167135.

VSX or MDPS may help achieve the separation that you desire.

CCSM R77/R80/ELITE

View solution in original post

4 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-11-08 03:06 PM
Jump to solution

"Locally-generated traffic" is a PBR limitation per sk167135.

VSX or MDPS may help achieve the separation that you desire.

CCSM R77/R80/ELITE
Yeti
Participant
‎2023-11-08 03:11 PM
In response to Chris_Atkinson
Jump to solution

I did review this SK but wasn't sure if this particular scenario is considered as locally generated as the session is sourced outside of the firewall.  Any reasons for only SSH working ?

0 Kudos
Luis_Miguel_Mig
Advisor
‎2023-12-15 03:28 AM
In response to Yeti
Jump to solution

Is there any plan to resolve the Local-generated traffic  limitation?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-12-15 10:55 AM
In response to Luis_Miguel_Mig
Jump to solution

I recommend approaching your local Check Point office with an RFE if this is needed.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events