Hello,
I have a small question. I'm not sure how I can configure one specific host to access the Internet using a different link than all traffic; it's a separate link (like all traffic goes via ISP1 and this host will go through ISP2). I would like to try to configure PBR: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Maybe I should use some static routes?
I'm using R80.10.
Thx!
PBR would be the way so that the host would use that link.
Please ensure that you check the limitations listed in that SK article.
Basically, once you use more than the Firewall Blade, PBR is not supported.
If you need to use the Blades that are not supported with PBR, then you could:
1.) Use a Proxy Server and configure it so that it is on a network that leads off via ISP-2. Any other host needing to use ISP-2 would use that Proxy Server as well. Static route to the internal network, and then default gateway (DG) to the ISP-2 router.
2.) Use VSX and use a separate VS that connects to ISP-2 for the traffic from the host, i.e. VSX would have a static route for the internal network and a default gateway via ISP-2. Any hosts that need to use ISP-2 would have to connect via that separate VS to be routed out via ISP-2.
3.) If you have known targets, then you can simply static route those destinations via ISP-2; useful for VPN targets, backup solutions, MessageLabs mail, where you have a known hub IP to use.
All have certain limitations; however, with the information provided, that is the best I can answer.
Thank you very much for your reply!
I'm just planning access to the Internet via an LTE router from this one host only. The rest goes via the classical ISP.
I just wanna make the CHP FW redirect traffic from this host to this router.
So, do you think configuring just a static route should work?
For simply adding a static route, you would need to know the destinations that the traffic is going to. If it is for generic web browsing, then that won't work.
Hence why I suggested that option last of the 3.
Policy Based Routing would be needed to route based on the source IP, i.e. the one host; however, Policy Based Routing is supported only when you have the Firewall Blade enabled. Once you start turning other Blades on, PBR is no longer supported.
No, you would deploy a Proxy Server on a network BETWEEN the Check Point and the LTE router.
Something like Squid.
The Squid box would have 1 interface and a default gateway to the LTE router, and have a static route pointing back to your internal network via the Check Point, presuming you don't NAT the internal network behind the Check Point.
Hosts wanting to use the LTE connection would point their browser at the Squid. Squid would connect via the LTE router, as that is its default gateway.
No need to use the Proxy feature on the Check Point at all.
It is NOT ideal, but it does work and keeps everything simple until Check Point provides support for using Policy Based Routing with more than just the Firewall Blade enabled.
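The difference between option 3 (static routes to known targets) and Policy Based Routing discussed in the replies above, as an added example that is not part of the original thread and is not Check Point's implementation: a simplified Python model of next-hop selection. All addresses, names and the table layout are constructed assumptions.

```python
import ipaddress

# Constructed sample values (RFC 1918 / RFC 5737 ranges), not taken from the thread.
ISP1_GW = "192.0.2.1"         # gateway of the link all traffic uses by default
ISP2_GW = "198.51.100.1"      # gateway of the separate link (e.g. the LTE router)
SPECIAL_HOST = "10.1.1.50"    # the one host that should leave via ISP-2
OTHER_HOST = "10.1.1.20"      # any other internal host
KNOWN_DST = "203.0.113.10"    # a known target covered by a static route
WEB_DST = "192.0.2.200"       # stands in for an arbitrary web server

def net(cidr):
    return ipaddress.ip_network(cidr)

def lookup(table, dst):
    """Destination-only lookup: the longest matching prefix wins."""
    dst = ipaddress.ip_address(dst)
    hits = [(n, gw) for n, gw in table if dst in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Main table: default via ISP-1, plus option 3 (static route for a known target).
MAIN = [(net("0.0.0.0/0"), ISP1_GW), (net("203.0.113.0/24"), ISP2_GW)]

# PBR model: (priority, source prefix, table name); rules run before MAIN.
PBR_RULES = [(1, net(SPECIAL_HOST + "/32"), "isp2")]
PBR_TABLES = {"isp2": [(net("0.0.0.0/0"), ISP2_GW)]}

def next_hop(src, dst, use_pbr):
    """Return the gateway chosen for a packet from src to dst."""
    if use_pbr:
        src_ip = ipaddress.ip_address(src)
        for _prio, src_net, name in sorted(PBR_RULES, key=lambda r: r[0]):
            if src_ip in src_net:
                gw = lookup(PBR_TABLES[name], dst)
                if gw is not None:
                    return gw
    return lookup(MAIN, dst)

if __name__ == "__main__":
    for src in (SPECIAL_HOST, OTHER_HOST):
        for dst in (KNOWN_DST, WEB_DST):
            print(src, "->", dst, "static:", next_hop(src, dst, False),
                  "pbr:", next_hop(src, dst, True))
```

In this model the static route sends every source's traffic for the known target via ISP-2 but leaves the special host's general browsing on ISP-1, while the source rule moves only that host.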