This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Amir_Arama
Advisor
‎2021-12-02 12:54 AM

can i bypass PBR for internal networks

Hi there,

i'm pretty sure it's not possible, but i'll ask anyway

here is the scenario.

we have an sdwan in dmz behind the FW.

the fw have ospf vs the sdwan so it gets updated dynamically on the availability of remote networks, and also have bgp against other fw's with bgp as a backup path.

now i want to create a pbr rule that if users goes to default route (intetnet surf) then the next hop will be the sdwan, so internet traffic will be controlled by the sdwan only.

the thing is if i do that, than routes to internal networks will not go to dynamic routes from that source lan, they will stuck at pbr where they are the mached.

is there anyway to tell the pbr that if the dst is internal network than bypass to kernel routes, and if it isn't then take the default route from pbr.

or any other way.

thanks

0 Kudos
3 Replies
Wolfgang
Authority
Authority
‎2021-12-02 01:44 AM

PBR rules are checked before all other routing services (static or dynamic routes). Only if your PBR filter does not match the packets are forwarded to the other routing daemons for processing.

0 Kudos
Amir_Arama
Advisor
‎2021-12-02 03:22 AM
In response to Wolfgang

i know this how it works formally. this is why i asked if there is a way to make a bypass somehow in my scenario. i guess there isn't.

thx

0 Kudos
Wolfgang
Authority
Authority
‎2021-12-02 05:11 AM
In response to Amir_Arama

As an idea....

Try to define your PBR rules not only with filters for source use ports too if possible.

Another way ... create PBR rules for your internal networks as destination and use more then one gateway as next hops. Then you can define priorities for this PBR routes and you can use "monitored IPs" to check the availability of links for these routes. With this you get something something like a "dynamic" routing for the PBR rules.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events