Gorazd
Explorer

ABR (Application Based Routing): "PBR_" rules don't show up on firewalls

Dear fellow engineers,

I am trying to implement a hidden feature, ABR (Application Based Routing), as per sk167135, but the "PBR_" rules that I configure on the management station don't show up on the firewalls in the Gaia GUI when I try to connect a PBR route with a Firewall Rule. The "rtgpbrd" process is running, but the file "/tmp/fwpbrrules.conf" doesn't exist, nor is there an entry in the database ("dbget -arv fwrules" doesn't show anything).

I followed the SK step by step: unlocking the feature with dbset commands, rebooting the firewalls, configuring PBR_ rules in the management and pushing the policy.

I have R81.10 on both management and firewalls, which run in a ClusterXL cluster, and the management is MDS. I tried to implement rules that start with "PBR_" on the domain level and also in the global MDS policy.

One unusual feature that I use, and that has caused me many sleepless nights, is mdps, but I can't see any connection between mdps and ABR. Just to be sure, I entered the dbset commands in both the management and data environment.

Any ideas what I can try next?

 

0 Kudos
6 Replies
Chris_Atkinson
Employee

Unfortunately the table in section 5 of sk167135 suggests this combination (MDPS+ABR) isn't supported.

 

CCSM R77/R80/ELITE
0 Kudos
Gorazd
Explorer

I reconfigured the firewalls and removed MDPS. But there is still the same behavior, "/tmp/fwpbrrules.conf" doesn't exist.

I was thinking of another line from the table "Supported Functionality and Limitations" you mentioned. On line 18, it is stated that "Rule Base hierarchy (inner layer structure)" is not supported. The question is, are MDS Global Rules and Domain rules considered an "inner layer structure"? To be sure, I configured a rule that starts with "PBR_" in both the Global Access Rule policy and the Domain Access Rule policy... still no file on the firewalls and no "PBR_" rule in the drop-down list... :S

Any ideas?

0 Kudos
PhoneBoy
Admin

I suspect this feature does not support the use of MDS Global Rules or Domain Rules.

0 Kudos
doumhh-17
Explorer

Hi, did you get it working? I'm having a similar issue:

PBR is working, ABR is not.

All the checks from sk167135 are looking good, except that the file /tmp/fwpbrrules.conf is not being created.

PBR Action Table 1 Gateway is next Hop IP

PBR Action Table 2 Gateway is vpnt1

I want to create a Policy Rule to merge "Firewall Rule PBR_Bypass" to use Table 1.

[Expert@hostname:0]# cat /tmp/fwpbrrules.conf
cat: /tmp/fwpbrrules.conf: No such file or directory
[Expert@hostname:0]# dbget -arv fwrules
fwrules:instance
fwrules:instance:default
fwrules:instance:default:rulenum
fwrules:instance:default:rulenum:9 t
fwrules:instance:default:rulenum:9:name PBR_Bypass
fwrules:instance:default:rulenum:9:uuid 20f7db3f-b822-49ce-8fb8-754fd227aa3b
[Expert@hostname:0]#

I don't think that there are known limitations relevant for my environment.

In SmartView Tracker I see drop reasons like this:

- Failed to enforce VPN policy (11)

- Connection terminated before detection: Insufficient data passed.
To learn more see sk113479.

 

 

0 Kudos
Golo_Koenigshof
Explorer

Same with me, the "PBR_" Rules are not showing up in the Gaia Portal, the ABR "Firewall Rules" dropdown is empty.

cat /tmp/fwpbrrules.conf -> No such file or directory
dbget -arv fwrules -> No result (empty)

Did any of you find a solution?

0 Kudos
TRajkumar
Contributor

Hi Everyone

I am having the same problem too, in R81.10. I followed SK167135.

cat /tmp/fwpbrrules.conf --> shows No such file or directory

cat /tmp/pbr/fwpbrrules.conf.0 --> gives the result. It shows the firewall policy which I created.

dbget -arv fwrules --> Gives output

 

But on Gaia, the PBR option "firewall rule" is not available.

Has anyone got a solution for this issue?

Waiting for a reply :)

Thanks

Rajkumar

 

0 Kudos
