Balakrishna_Med
Explorer

No. of PBR limitations

Hi,

We are facing an issue with the number of PBRs.

Scenario... We have a Juniper switch with virtual routers... we have installed a Check Point IPS between the Juniper firewall and the Juniper switch... and we are routing the traffic through Check Point using PBR.

The support person is not recommending more PBRs (the number of PBRs is 15).

Is it really a limitation of Check Point 80.10? Any suggestions, please...

Thanks

Bala

13 Replies
Danny
Champion

There is no limit of PBR rules. Check Point officially declares in sk100500 that "You can define many Policy Rules."

Check Point does not note how many, but many for me means that only 15 PBR rules should be no issue at all.

Licensing_User
Participant

Hello Danny,

We have a similar situation with one of our clients; the only issue is that "many" in our case means we need 2500 PBRs.

Check Point advised that "many" means 1024 only, so we have to go for a Linux PBR solution.

These routes will only stay for 3-6 months and will go to a single DG once the local network migration is complete.

My question is: will all limitations still apply if we implement PBR via Linux commands and 2500 individual rules?

Do you foresee any challenges in doing this, or any workaround that could be helpful, please?

Thanks

Licensing_User
Participant

Hello All,

Can anyone reply to the above question if they know about this, please?

Thanks

PhoneBoy
Admin

If you're trying to modify PBR with Linux commands (via expert mode) on the gateway, that is most definitely not supported.
If you're implementing the PBR on an external device, that's up to the external device.

What version/JHF are we talking about here?

Licensing_User
Participant

Thanks for your reply.

We had a TAC case open with ref: 6-0003441780, and it was advised that the Linux commands could be used.

It was our SD who was involved with CP TAC, but I will confirm the current version ASAP.

Thanks

PhoneBoy
Admin

It depends on where the PBR limit is coming from (the Linux kernel or the Gaia configuration DB).
That might be a question for TAC, though I am also asking out of band.

Licensing_User
Participant

OK, thanks for that. I did open a new TAC case, but no response yet. Please let me know if you find out anything.

Thanks

PhoneBoy
Admin

TAC will ultimately tell you the same thing that @Sundeep_Mudgal answered, as his team in R&D is responsible for PBR functionality in Gaia.
Recommend raising this requirement with your local Check Point office.

Licensing_User
Participant

It's R80.40 T180.

Sundeep_Mudgal
Employee (Accepted Solution)

Gaia ultimately pushes these rules to the kernel, so the same limitations should apply either way. Please open an RFE request if you need 2500 PBR rules to be supported in Gaia.

Licensing_User
Participant

Thanks for the info, @Sundeep_Mudgal.

Licensing_User
Participant

@Sundeep_Mudgal, it seems the RFE is a general feature request and might not be implemented. Can a custom hotfix be provided if we contact local CP or make a request via TAC?

PhoneBoy
Admin

While it wouldn't hurt to file an RFE, this request should be handled through your local Check Point office.
