On a 5100 R80.10, need to direct all outbound traffic on port TCP/80 to a second ISP interface.
Already checked:
- ISP redundancy (no port control, even on load-balancing)
- Policy Based Routing (cannot define the general destination 0.0.0.0/0.0.0.0 on any rule)
Did anyone find any solution or workaround to this?
Instead of trying to do a 0.0.0.0, you might try breaking the Policy-Based Routes into a series of smaller routes, such as:
That should cover anything routable via IPv4 on the Internet (and some stuff that isn't).
So, subnetting the Internet is the answer.
Please don't get me wrong, I appreciate your suggestion as a great workaround - wish I had thought of it before.
But, having used Checkpoint in the late 90's and now again since June 2017, I'm continuously amazed by these "limitations" that keep appearing that have been already addressed by other manufacturers I have worked with in the past (Cisco, Fortinet...). Why Checkpoint won't use something that was devised specifically for these situations ("quad-zero route" or "gateway of last resort") continuously amazes me.
Thanks again Dameon.
Subnetting the Internet was just me being creative.
I did ask R&D and the official answer is to create a rule that specifies both the inbound interface and TCP port 80.
Just specifying the TCP port isn't sufficient.
When you do that, you can use a default route as the destination.
Creative indeed. I had in fact tried several combinations on PBR including specifying the inbound interface and port, and PBR works pretty well on specific subnets. My question was on the quad-zero route and how to specify it as the interface disallows it.
Time to get a good IP calculator and work my way around 10.0.0.0/8, 192.168.0.0/16...
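For the "subnetting the Internet" workaround discussed above, the prefix list can be generated instead of worked out by hand. This is an added example, not code from the thread or from Check Point; it assumes the ranges to leave off the policy-based routes are the RFC 1918 blocks (the thread names 10.0.0.0/8 and 192.168.0.0/16; 172.16.0.0/12 is added as an assumption), and the function names are hypothetical.

```python
import ipaddress

# Ranges to keep OFF the policy-based routes. 10.0.0.0/8 and 192.168.0.0/16 are
# named in the thread; 172.16.0.0/12 (the third RFC 1918 block) is an assumption.
EXCLUDED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def covering_prefixes(excluded=EXCLUDED):
    """Return the smallest sorted list of prefixes equal to 0.0.0.0/0 minus `excluded`."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for text in excluded:
        hole = ipaddress.ip_network(text)
        kept = []
        for net in remaining:
            if hole.subnet_of(net):
                # Split `net` around the hole; yields nothing if net == hole.
                kept.extend(net.address_exclude(hole))
            elif not net.subnet_of(hole):
                kept.append(net)  # untouched by this hole
            # else: `net` lies entirely inside the hole and is dropped
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))


def is_covered(address, prefixes):
    """True if `address` would match one of the generated PBR destinations."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in prefixes)


if __name__ == "__main__":
    routes = covering_prefixes()
    for net in routes:
        print(net)
    print(len(routes), "destinations,", sum(n.num_addresses for n in routes), "addresses")
```

With the three excluded blocks this produces 31 destinations, each of which would need its own route entry in the PBR table.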
I think I was able to do it without subnetting.
As a test, I routed port 8080 out a different interface.
I confirmed a TCP connection to port 8080 to some random Internet host was indeed routing out the specified interface.
It looks like this in the Gaia WebUI:

The "test" route was created like this:
(Note, I clicked the "default" here, but the IP here is most definitely not my default route)

The policy rule looks like this:

Hope that helps.
Now, that's an elegant solution. Somehow I understood "default route" as "default gateway" and not by face value. I can confirm it does work, although the requests are being NAT'ed, which I think they shouldn't. But the main issue of service routing is accomplished, thank you.
And, of course, my previous rant on Checkpoint is meaningless now