This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Abhishek_Kumar1
Collaborator
‎2019-12-18 03:21 AM

ISP redundancy and specific traffic should pass through perticular ISP and PBR configuration

Hi All -
We are under progress to deploy a new solution,
Where we have two ISP and we are configuring ISP Redundancy so that certain (http &https) traffic uses specific ISP Link with sk32225
We will configure four interface configure on my firewall two external interface, one inside network and one DMZ network.
when my user will access any http and https traffic from internet they will pass throgh ISP1 and rest of the traffic will pass through with ISP-2 which is mention is Sk32225
we have some of Application in DMZ which are running on HTTPS and HTTP also.
i just want to confirm, if we will apply PBR for internal user to access DMZ subent with Https & Http services, they will reach DMZ subnet. will it work or not
I am attaching a diagram for your reference.Diagram for ISP-Load balancer.png

10 Replies
Wolfgang
MVP Gold
MVP Gold
‎2019-12-18 03:35 AM

Abhishek,

your diagramm isn't readable, it's to small.

Can please more explain your need. Why do you need PBR to reching the DMZ network from internal ?

Normally the DMZ is reachable from internal via normal routing, ISP redundancy hould not have an affect on this.

Wolfgang

Abhishek_Kumar1
Collaborator
‎2019-12-18 04:16 AM
In response to Wolfgang


Thanks for your update, I am again attaching my proposed diagram.

I am explaining my requirement again, we have zsclaler cloud proxy in my environment. 1st External interface connected to CISCO ASR router and we created GRE tunnel between CISCO ASR and zscaler, and 2nd interface connected to 2nd ISP, we applied PAC file for all users, users traffic pass through GRE tunnel.
and we have multiple server in Internal network and DMZ subnet, Server don’t have PAC file. If anyone login to any server and accessing internet they will pass through ISP-2 (without any security policy), and we want to pass specific traffic Https &http through ISP-1, which we can achieve with sk32225.

but my next requirement is we have one DMZ subnet, from internal to DMZ and DMZ to internal communication will require with port http & https.

which we can achieve through PBR, but my question is if we change the table.def file and allow specific traffic from ISP-1, in that case if my internal user will try to access DMZ server, will it take table.def configuration or it will work on PBR and traffic we will reach DMZ and vice versa?
Timothy_Hall
MVP Gold
MVP Gold
‎2019-12-18 07:11 AM

Using ISP Redundancy and the PBR feature together is not supported, see sk100500: Policy-Based Routing (PBR) on Gaia OS.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2019-12-18 07:32 AM
In response to Timothy_Hall

As far as I can remember, with R80.30 it is supported.

Wolfgang
0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2019-12-18 08:03 AM
In response to Wolfgang

Can't seem to find any reference to support for ISP Redundancy w/ PBR being added in R80.30 vanilla or via Jumbo HFA and there seem to be two separate SK's saying it is not supported.

 

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
Abhishek_Kumar1
Collaborator
‎2019-12-18 08:06 AM
In response to Timothy_Hall

thanks for your update, but if we are applying PBR for my requirement, we need to create more than 200 PBR, which is difficult to manage. thats why i planing to edit Table.def file for sending perticular traffic from ISP-1 one and rest of the traffic we will send through ISP-2.

if we have any solution as per my requirement please suggest me.

 

Regards

Abhishek

0 Kudos
mdjmcnally
Advisor
‎2019-12-18 09:09 AM
In response to Abhishek_Kumar1

I don't see why you need PBR for getting from Internal to DMZ or DMZ to Internal.

 

In order to send traffic over specific ISP-1 link then you would be adding 80 and 443 as HTTP and HTTPS to the no_misp_services_ports.

This will only affect traffic going out over the ISP Redundancy Links.     

 

So this will NOT affect traffic from the DMZ to Internal or the Internal to the DMZ as they aren't involving the ISP Redundancy Interfaces.

As such I don't see what you need PBR for here.

Wolfgang
MVP Gold
MVP Gold
‎2019-12-18 08:08 AM
In response to Timothy_Hall

I found from "From what's new R80.30"

Advanced Routing

  • Multihop Ping and Multiple ISPs in Policy-Based Routing
  • Multihop Ping in Static Routes
  • BFD in Static Routes
  • VSX VSID in Netflow

 

Question is, does the first line meaning ISP redundancy => "Multiple ISPs" ?

FedericoMeiners
Advisor
‎2019-12-18 12:43 PM
In response to Wolfgang

As far as I tested Multi Hop PBR is a great tool but it kinds of "replace" the active/passive ISP redundancy mode, not the active/active mode.

I don't think that you can use ISP Redundancy & PBR together in 80.30 with beautiful results since the last routing decision that matters is the one from ISP Redundancy, at least until R80.10.

In new deployments I like to use multi hop instead of ISP Redundancy in case of active / passive since you can add many ISPs

Regards,

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
Abhishek_Kumar1
Collaborator
‎2019-12-18 08:08 AM
In response to Wolfgang

oho gr8 news do you have any document or any usecase for that?

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events