This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Jesus_Vladimir_
Participant
‎2017-11-27 07:31 AM
Jump to solution

PBR With Multiple Tracking

Hi, how to configure PBR for redundancy automatic,i try Priority but not functioning.

Regards

1 Solution

Accepted Solutions
FedericoMeiners
Advisor
‎2019-09-18 06:28 AM
In response to quanglnh
Jump to solution

@quanglnh You can do this with Multi Hop PBR from 80.30 onwards

____________
https://www.linkedin.com/in/federicomeiners/

View solution in original post

0 Kudos
21 Replies
PhoneBoy
Admin
Admin
‎2017-11-27 11:11 PM
Jump to solution

A network diagram of what you're trying to do would be helpful.

0 Kudos
Marco_Valenti
Advisor
‎2017-11-28 02:53 AM
Jump to solution

if you want to use two external connectivity and have an automatic backup if you loose one of them ( if I understand correctly) probably you need to implement ISP redundancy , policy base routing wont work in that way

0 Kudos
Jesus_Vladimir_
Participant
‎2017-11-28 07:06 AM
Jump to solution

this is the diagram.

User A connect to internet to ISP A

User B connect to internet to ISP B

User C connect to internet to ISP C

When ISP A is down automatic failover to ISP B or ISP C configured with priority is not functioning.

0 Kudos
PhoneBoy
Admin
Admin
‎2017-11-28 08:26 AM
In response to Jesus_Vladimir_
Jump to solution

How would the gateway determine ISP A is down?

To do that, you'd need to have a reachability test (such as Ping)--something our PBR doesn't currently support.

0 Kudos
Jesus_Vladimir_
Participant
‎2017-11-28 08:52 AM
In response to PhoneBoy
Jump to solution

yes i understand, there is developed for coming soon pbr support this ?

0 Kudos
PhoneBoy
Admin
Admin
‎2017-12-01 10:22 PM
In response to Jesus_Vladimir_
Jump to solution

I believe it's planned, yes, but don't have an exact timeframe.

Jesus_Vladimir_
Participant
‎2018-07-06 02:31 PM
In response to PhoneBoy
Jump to solution

some date estimated for this ?

0 Kudos
PhoneBoy
Admin
Admin
‎2018-07-08 01:43 AM
In response to Jesus_Vladimir_
Jump to solution

It appears there is a customer-specific release that offers this functionality.

Please check with your Check Point office.

0 Kudos
Jesus_Vladimir_
Participant
‎2018-08-29 08:13 AM
In response to PhoneBoy
Jump to solution

i question for the specific release with Check Point Office and respond not exist this.

Regards

0 Kudos
PhoneBoy
Admin
Admin
‎2018-08-29 08:51 AM
In response to Jesus_Vladimir_
Jump to solution

Contact me privately with who you're working with.

I'll connect the dots on the backend.

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2017-11-28 03:53 PM
In response to PhoneBoy
Jump to solution

A little-known feature of ClusterXL may be able to help here; ClusterXL can be configured to test connectivity to upstream IP addresses with ping, and initiate a failover based on loss of reachability to the pinged hosts.  There could be a very different Gaia PBR configuration on the standby member that takes over as a result.  See:

sk35780: How to configure $FWDIR/bin/clusterXL_monitor_ips script to run automatically on Gaia / Sec...

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
Vladimir
Champion
Champion
‎2017-11-29 01:02 PM
In response to Timothy_Hall
Jump to solution

Tim,

According to sk100500:

PBR is supported in the following clusters:

  • ClusterXL High Availability
  • ClusterXL Load Sharing Unicast
  • ClusterXL Load Sharing Multicast
  • VRRP

Note:
PBR must be configured on each of the cluster members individually, and the configuration must be identical.

Can you shed some light if the above statement is correct or is it negated by the sk35780?

Timothy_Hall
Legend Legend
Legend
‎2017-11-29 03:01 PM
In response to Vladimir
Jump to solution

I'd say the later SK is probably more correct and the PBR configs should match.  I don't think ClusterXL will be able to actually tell if the PBR configuration is different between the cluster members (same way it can't tell if regular IP routing is different between them), but it may cause issues with how connections are represented between the members via state sync.  Trying a different PBR config between different cluster members will probably work but will most certainly not be supported.

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
Tolchenov_Maksi
Explorer
‎2018-08-13 02:03 AM
Jump to solution

Hello! I have the same question! Is there any workaround for now? There past one year since first question..... How to achieve same functionality as on ip sla + track on cisco in PBR?????

PhoneBoy
Admin
Admin
‎2018-08-13 07:57 PM
In response to Tolchenov_Maksi
Jump to solution

Please check with your local office about the customer-specific release I mentioned.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-03 04:44 PM
Jump to solution

PBR with multiple ISPs is now supported from R80.30.
This is recommended versus using the customer releases previously mentioned.
0 Kudos
quanglnh
Participant
‎2019-09-18 01:38 AM
In response to PhoneBoy
Jump to solution

Hi PhoneBoy,

 

I have a situation that need to use tracking host too. Let say from my Check Point Firewall, i have 2 connection to remote site. 1 is primary and 1 is backup. I want to track if primary connection are down (track by ping or something else) all connection to remote site will automaticly change to thê backup connection. And if primary connection up again, then all connections automaticly move back to primary connection. Can we do that with R80.10 or i have to upgrade to R80.30 ?

0 Kudos
FedericoMeiners
Advisor
‎2019-09-18 06:28 AM
In response to quanglnh
Jump to solution

@quanglnh You can do this with Multi Hop PBR from 80.30 onwards

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
quanglnh
Participant
‎2019-09-22 09:03 AM
In response to FedericoMeiners
Jump to solution

thanks Federico Meiners, I will check on this

0 Kudos
RBS56505
Participant
‎2021-10-25 09:08 AM
In response to FedericoMeiners
Jump to solution

Hello Federico,

How would NAT work in such situation ?

Can we have 2 Hide NAT configured if we have 2 ISP links ?

And let PBR use corresponding external interface IP for NAT'g ?

 

0 Kudos
jesusarteria
Participant
‎2024-05-30 10:57 AM
In response to FedericoMeiners
Jump to solution

Hi Federico,

 

Do you have some scripts for example?

 

Regards

Yisus

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top