Routing processing order (VPN, PBR, Routing Table)

Hi,

I would like to know the order of processing routes in a security gateway.

The main purpose is to apply PBR rules to traffic that is decrypted from a site-to-site VPN or that comes from VPN routing. Is this possible?

5 Replies
Admin:

Can you elaborate on the use case?

I'm trying to implement a site-to-site VPN and avoid asymmetric routing.
Let's say we have two sites, each connected through its own GW cluster, both managed by the same Security Management.

The VPN FWs are connected (via a switch) to the Core FW (which acts as the default gateway in the network) at each site.

The VPN FWs are also directly connected to each segment in the network to reduce traffic on the Core FW.

Traffic between VPN domains in this case goes through asymmetric paths, which makes applications slow (or even not work).

I would like to force traffic between VPN domains to be routed to the Core FW regardless of the directly connected subnets in the system routing table.

I hope this was clear because I know it's not a usual use case.
Admin (accepted solution):

Okay, that makes sense. Unfortunately, you cannot do PBR and VPN on the same box. What is feasible is breaking the VPN tunnel on another device and then sending the traffic to the PBR box. You can actually achieve this with VSX.

Thank you very much!
Admin:

Anyhow,

Here is a quote from https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


The following features/blades are not supported with PBR:

  • IPv6
  • URL Filtering
  • IPS
  • Locally-generated traffic
  • Security Servers
  • Data Loss Prevention (DLP) blade
  • VPN Domain Based
  • VPN Route Based
  • Anti-Spam blade
  • Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
  • ISP Redundancy
  • The following applications (which use Check Point Active Streaming [CPAS]):
    • VoIP (H323, SIP, Skinny, etc.)
    • HTTPS Inspection
    • HTTP Header Spoofing
    • HTTP Proxy
    • IMAP in IPS
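What the accepted answer amounts to in configuration terms is a PBR box (or a second VSX Virtual System) that sits between the VPN-terminating gateway and the Core FW and has no VPN blade enabled on it, because the list above marks both Domain Based and Route Based VPN as unsupported with PBR. The following Gaia clish fragment is an added example, not taken from the thread or from Check Point's own documentation; it assumes the PBR command syntax as documented for Gaia (verify against the admin guide for your release), hypothetical addresses (remote VPN domain 10.20.0.0/16, local VPN domain 10.10.0.0/16, Core FW 10.10.255.1) and a hypothetical table name CoreFW. Lines starting with # are explanatory comments, not clish commands.

```clish
# Added example (not from the thread or Check Point docs). Runs on the box
# or Virtual System that receives already-decrypted traffic from the VPN
# device; it must NOT be the gateway terminating the VPN itself.
# All addresses and the table name are hypothetical.
#
#   remote VPN domain (site B)       : 10.20.0.0/16
#   local VPN domain (site A)        : 10.10.0.0/16
#   Core FW (site A default gateway) : 10.10.255.1
#
# Goal: decrypted site-B -> site-A traffic is sent to the Core FW even
# though this box also has directly connected routes into the site-A
# segments, so the return path matches the forward path.

# 1. PBR table whose only entry is a default route toward the Core FW.
set pbr table CoreFW static-route default nexthop gateway address 10.10.255.1 priority 1 on

# 2. PBR rule: remote-domain -> local-domain traffic uses that table.
#    Lower priority numbers are evaluated first.
set pbr rule priority 10 match from 10.20.0.0/16
set pbr rule priority 10 match to 10.10.0.0/16
set pbr rule priority 10 action table CoreFW

# Traffic matched by no PBR rule (for example local -> remote, heading
# back to the VPN device) keeps using the normal routing table.

# 3. Check what was installed, then persist it.
show pbr rules
show pbr tables
save config
```

Two practical notes. First, the rule can be tightened with `match interface <name>` so that only traffic arriving on the interface facing the VPN device is redirected; the interface name is site-specific and is not shown here. Second, if you find yourself typing this on the same gateway that has the IPSec VPN blade enabled, stop: that is exactly the combination the quoted SK lists as unsupported, and the accepted answer's point is that the VPN has to be terminated on a different device or Virtual System first.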