This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Pedro_Espindola
Advisor
‎2024-06-28 11:25 AM
Jump to solution

SD-WAN and symmetric return of packets from inbound connections

In the list of limitations of SD-WAN, we see this:

"PMTR-104986: For inbound connections from the internet, SD-WAN does not support the symmetric return of packets through the same interface on which the connection was originally received, in case of multiple ISPs.

The return will be determined based on the OS routes."

That seems like a very basic limitation. and a step back since it is even supported in ISP redundancy, which was already a very archaic feature.

This means that differently from IPS redundancy, which returns packets through the same interface the connection was received, SD-WAN will route traffic through the prefered OS route. Thus, you cannot have a server published through more than one isp link and one inbound NAT rule for each isp link, it will only work through one link.

The methods I found to deal with this are:

  1. Lock the server through an ISP. No redundancy.
  2. Having 2 IP addresses configured in the server and NAT rules and PBR configured for each address. (A lot of extra work)
  3. Having 2 servers running this service.  (Even more extra work!)

I'm interested to know how other people in this forum are dealing with this. Does everyone have load balancers for inbound connections? Am I missing something?

2 Solutions

Accepted Solutions
AmirArama
Employee
Employee
‎2024-06-29 03:42 AM
Jump to solution

Hi,

Indeed, this is basic limitation.

We already have the fix for it. So the return (s2c) packets will be routed back from the same ISP the connection (c2s) originally came through.

it should be merged into JHF that will be released in the next month or so for GAIA. 

As a temp workaround:

If you need the redundancy to the server works as active/backup, you can just set two default routes on your GAIA with different priorities, with "IP Reachability Detection" configured (if you want to probe the line. Otherwise just with "ping on"). So once main line is dead, the active route would be the second ISP, and then the server would be accesible through it. 

In case you need it to be accesible in parallel via multiple ISPs, i afraid only your PBR idea can work.

 

Let me know if you need further assistance,

 

View solution in original post

(1)
AmirArama
Employee
Employee
‎2024-08-21 02:55 AM
In response to Pedro_Espindola
Jump to solution

i would like to update that the mentioned feature is now available on GAIA GWs from R81.20 JHF 79 that was released.

in order to enable this feature after installing this JHF:

until we will make it enabled by default, it's needed to edit (or create) the file: $FWDIR/conf/sdwan/sdwan_steering_params.json 

and add this line to the file:

{ "sdw_default_symmetric_return_value" : true }

then restart the steering process:
sdwan_steering_stop;sdwan_steering_start

 

Thanks

View solution in original post

8 Replies
AmirArama
Employee
Employee
‎2024-06-29 03:42 AM
Jump to solution

Hi,

Indeed, this is basic limitation.

We already have the fix for it. So the return (s2c) packets will be routed back from the same ISP the connection (c2s) originally came through.

it should be merged into JHF that will be released in the next month or so for GAIA. 

As a temp workaround:

If you need the redundancy to the server works as active/backup, you can just set two default routes on your GAIA with different priorities, with "IP Reachability Detection" configured (if you want to probe the line. Otherwise just with "ping on"). So once main line is dead, the active route would be the second ISP, and then the server would be accesible through it. 

In case you need it to be accesible in parallel via multiple ISPs, i afraid only your PBR idea can work.

 

Let me know if you need further assistance,

 

(1)
Pedro_Espindola
Advisor
‎2024-07-02 06:18 AM
In response to AmirArama
Jump to solution

Hi Amir,

Thank you for the information. That's great news!

AmirArama
Employee
Employee
‎2024-07-02 06:48 AM
In response to Pedro_Espindola
Jump to solution

You are welcome 

0 Kudos
AmirArama
Employee
Employee
‎2024-08-21 02:55 AM
In response to Pedro_Espindola
Jump to solution

i would like to update that the mentioned feature is now available on GAIA GWs from R81.20 JHF 79 that was released.

in order to enable this feature after installing this JHF:

until we will make it enabled by default, it's needed to edit (or create) the file: $FWDIR/conf/sdwan/sdwan_steering_params.json 

and add this line to the file:

{ "sdw_default_symmetric_return_value" : true }

then restart the steering process:
sdwan_steering_stop;sdwan_steering_start

 

Thanks

Pedro_Espindola
Advisor
‎2024-08-29 10:33 AM
In response to AmirArama
Jump to solution

Hi Amir,

Thank you for the information!

I installed this JHF, but after that I'm unable to push the SD-WAN policy. It shows the following error:

“Failed to enforce new policy. Reason: Failed to lower support_fec flag(Return code: 10)”

Any ideas about what support_fec flag is?

I'm running a PoC of this feature, so I'm unable to open a ticket with TAC about this.

I'm aware that this take is ongoing and there might be issues.

AmirArama
Employee
Employee
‎2024-08-29 10:58 AM
In response to Pedro_Espindola
Jump to solution

it's related to the new fec feature that also comes with that JHF.

This issue is currently under investigation. either open TAC or DM me to get updates on this.

Thanks

0 Kudos
AmirArama
Employee
Employee
‎2024-09-03 09:13 AM
In response to Pedro_Espindola
Jump to solution

Just to update everyone reading this thread:

We found an issue with GAIA GWs working in Kernel Space firewall (KSFW) on JHF 79 running SD-WAN.

The issue would result in a SD-WAN policy enforce failure with the following message:

“Failed to enforce new policy. Reason: Failed to lower support_fec flag(Return code: 10)”

If you have any GAIA GW with SD-WAN Enabled which running as Kernel space firewall (usually open servers, or cloud GWs), please avoid upgrading to JHF 79 for now until further notice.

 

We already have the HOTFIX for that which should be released very soon (probably tomorrow) as a HF or as a new JHF, and once it’s there I will send an update with the details.


Feel free to ask me here or on DM if needed.

Thanks,

AmirArama
Employee
Employee
‎2024-09-05 07:19 AM
In response to AmirArama
Jump to solution

Hello,

The fix to the policy enforcement issue above ("Failed to lower support_fec flag") for Kernel Space Firewall mode, is now available in JHF 84 that was released today.

https://sc1.checkpoint.com/documents/Jumbo_HFA/R81.20/R81.20/Take_84.htm?tocpath=_____6

 

if for any reason, you need the fix as a small hotfix on top of JHF 79, please contact me directly.

 

Thanks

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events