This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
hdas
Participant
‎2021-06-14 02:05 AM

ClusterXL - PBR for Internet connection, IPSec VPN, Client VPN, and NAT(R80.40)

Hello,

I'm planning to configure the ClusterXL with 4 internet connections and PBR, I would like to know if it will work also for the VPN IPSec, VPN Client, and NAT.

 

CP_PBR.jpg

  1. VPN IPsec on the first internet connection
  2. VPN Client on the second internet connection and some Static NAT
  3. NAT on the third connection
  4. No PBR on the fourth internet connection (default route)

 

Regards

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2021-06-16 03:05 PM

The appropriate Link Selection setting would be needed for the VPN to work properly.
Not sure what you mean by "NAT on the third connection" can you clarify?

0 Kudos
hdas
Participant
‎2021-06-17 04:23 AM
In response to PhoneBoy

Hi PhoneBoy,

 

thanks for your reply.

Let me describe better what I want to achieve:

  • VLAN1 should be reachable only from the VPN IPsec & Client VPN and should be able to surf the internet + PBR Next-Hop 1st internet connection.
  • VLAN2 should be able to surf the internet and Static NAT (map some internal IP to external IP) + PBR Next-Hop 2nd internet connection.
  • VLAN3 should be able to surf the internet + PBR Next-Hop 3rd internet connection.
  • VLAN4 should be able to surf the internet = No PBR default route (routing table)
  • VLAN2, VLAN3, VLAN4 should be able to communicate.

The ClusterXL is the default gateway for all 4 VLANs. 

Now, how can I implement all this?

Is there any drawback or limitation for the VPN traffic?

CP_PBR.jpg

Thank you,

 

0 Kudos
Vladimir
Champion
Champion
‎2021-06-17 04:58 AM
In response to hdas

Hmm.. rather odd setup imho... but if you look at the Link Selection/reply from the same interface, that should cover inbound traffic. That said, I believe the PBR has some limitations that may be material to you. Not sure what version you are on, but those listed in SK100500 were still applicable to R80.40.

PhoneBoy
Admin
Admin
‎2021-06-17 11:28 AM
In response to hdas

Properly setting the Link Selection and VPN community is required to ensure only the relevant VLANs are accessible and the VPN will transit the correct link.
You'll need appropriate PBR Routes for all of this for VLAN1-3.
Since you're talking about Default Route, make sure you're at least on R80.30.
VLAN2-4 should be able to talk assuming routes and Access Policy is defined appropriately.

You've not mentioned what should happen if one of these Internet connections fails.
The VPN would be most impacted by this, but I believe the other parts of this should work.

(1)
hdas
Participant
‎2021-06-18 01:30 AM
In response to PhoneBoy

Hi PhoneBoy,

very good point "You've not mentioned what should happen if one of these Internet connections fails."  - Just to make things easier, I'll implement some FHRP (VRRP or HSRP) as the next-hop for the PBR.

"Since you're talking about Default Route, make sure you're at least on R80.30." - I'm on R80.40 now 😊

Could you kindly share a configuration template for the PBR? 😁

Thank you

 

 

PhoneBoy
Admin
Admin
‎2021-06-20 06:14 PM
In response to hdas

Sorry, I don't have a configuration template.
I would refer you to the following SKs for information:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events