This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nbto
Participant
‎2019-11-05 07:13 AM
Jump to solution

Host access to Internet by using separate link than all traffic

Hello,

I have small question, im not sure but how I can configure one specific host to access Internet by using different link than all traffic - it's a separate link (like all traffic goes by ISP1 and this host will go through ISP2). I would like to try configure PBR: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

Maybe, I should use some static routes ?

Im using R80.10.

Thx!

0 Kudos
1 Solution

Accepted Solutions
mdjmcnally
Advisor
‎2019-11-05 07:23 AM
Jump to solution

PBR would be the way so that the host would use that link.

Please ensure that check the Limitations listed on that SK article.

Basically once use more then the Firewall Blade then PBR is not supported.

If need to use the Blades that not supported with PBR then could

 

1.) Use a Proxy Server and configure so that is on a Network that leads off via ISP-2.  Any other host needing to use ISP-2 would use that Proxy Server as well.  Static Route to Internal Network and then DG the ISP-2 Router

2.) Use VSX and use a seperate VS that connects to ISP-2 for the Traffic from the Host, ie VSX would have a Static Route for the Internal Network and Default Gateway via ISP-2.   Any Hosts that need to use ISP-2 would have to connect via that seperate VS to be routed out via ISP-2

3.) If have known targets then can simply static route those destinations via ISP-2, useful for VPN targets, Backup Solutions, MessageLabs mail where have known hub IP to use.

 

All have certain limitations however with the information provided then the best that can answer.

View solution in original post

0 Kudos
5 Replies
mdjmcnally
Advisor
‎2019-11-05 07:23 AM
Jump to solution

PBR would be the way so that the host would use that link.

Please ensure that check the Limitations listed on that SK article.

Basically once use more then the Firewall Blade then PBR is not supported.

If need to use the Blades that not supported with PBR then could

 

1.) Use a Proxy Server and configure so that is on a Network that leads off via ISP-2.  Any other host needing to use ISP-2 would use that Proxy Server as well.  Static Route to Internal Network and then DG the ISP-2 Router

2.) Use VSX and use a seperate VS that connects to ISP-2 for the Traffic from the Host, ie VSX would have a Static Route for the Internal Network and Default Gateway via ISP-2.   Any Hosts that need to use ISP-2 would have to connect via that seperate VS to be routed out via ISP-2

3.) If have known targets then can simply static route those destinations via ISP-2, useful for VPN targets, Backup Solutions, MessageLabs mail where have known hub IP to use.

 

All have certain limitations however with the information provided then the best that can answer.

0 Kudos
Nbto
Participant
‎2019-11-06 12:03 AM
In response to mdjmcnally
Jump to solution

Thank you very much for your reply !

Im just planning access to internet via LTE Router form this only one host. Rest via classical ISP. 

I just wanna make CHP FW to redirect traffic from this host to this router. 

So, you this configuring just static route should work ?

 

0 Kudos
mdjmcnally
Advisor
‎2019-11-06 12:07 AM
In response to Nbto
Jump to solution

Simply adding a Static Route you would need to know the Destinations that going too.  If is for generic Web Browsing then that won't work.

Hence why suggested that option last of the 3.

 

Policy Based Routing would be needed to do a route based on the Source IP ie the 1 Host however Policy Based Routing is supported only when have the Firewall Blade enabled.    Once start turning other Blades on then PBR no longer supported.

0 Kudos
Nbto
Participant
‎2019-11-06 12:56 AM
In response to mdjmcnally
Jump to solution

Okay, also Im wondering about solution number one - with proxy server. U mean HTTP/HTTPS Proxy on CHP GW ?
Im not sure did I understand it correctly, I should:
- Configure on CHP FW HTTP/HTTPS Proxy and redirect traffic to interface which is connected to LTE Router ?
- Add static route to Internal network and default gateway as LTE Router.

But as i understand then whole traffic will goes by LTE Router (ISP 2).
I just want to do it like host with IP 192.168.1.20 will access Internet through LTE Router and whole rest will through ISP.

Thanks!
0 Kudos
mdjmcnally
Advisor
‎2019-11-06 01:52 AM
In response to Nbto
Jump to solution

No you would deploy a Proxy Server on a Network BETWEEN the Check Point and the LTE Router.

Something like Squid.

Squid box would have 1 Interface and Default Gateway to the LTE Router and have Static Route pointing back to your Internal Network via the Check Point, presuming you don't NAT the Internal Network behind the Check Point.

Hosts wanting to use the LTE Connection would point there Browser at the Squid.  Squid would connect via the LTE Router as that is it's default gateway

No need to use the Proxy Feature on the Check Point at all.

Is NOT ideal but it does work and keeps everything simple until Check Point provide support for using Policy Based Routing with more then just the Firewall Blade enabled.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events