This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Balakrishna_Med
Explorer
‎2019-05-18 10:11 AM
Jump to solution

No of PBR limitations

Hi,

We are facing the issue with No.of PBRs,

Scenario... We have Juniper Switch with Virtual routers... we have installed Checkpoint IPS between Juniper Firewall and Juniper Switch... and we are routing the traffic through Checkpoint using PBR.

Support person not recommending more PBR(No.of PBR are 15)

Is it really limitation from Checkpoint 80.10? any suggestions please...

Thanks

Bala

0 Kudos
1 Solution

Accepted Solutions
Sundeep_Mudgal
Employee
Employee
‎2023-01-23 11:46 AM
In response to Licensing_User
Jump to solution

Gaia ultimately pushes these rules to kernel so same limitations should apply either way. Please open a RFE request if you need 2500 PBR rules to be supported in Gaia.

View solution in original post

0 Kudos
13 Replies
Danny
Champion Champion
Champion
‎2019-05-18 01:42 PM
Jump to solution

There is no limit of PBR rules. Check Point officially declares in sk100500 that "You can define many Policy Rules."

Check Point does not note how many, but many for me means that only 15 PBR rules should be no issue at all.

0 Kudos
Licensing_User
Participant
‎2023-01-19 04:59 AM
In response to Danny
Jump to solution

Hello Danny,

We have a similar situation with one of our clients, the only issue is "many" in our case means we need 2500 PBR.

Check Point advised that "many" means 1024 only, so we have to go for a Linux PBR solution.

These routes will only stay for 3-6 months and will go to a single DG once the local network migration is complete.

My question is; will all limitations still apply if we implement PBR via Linux commands and 2500 individual rules?

do you foresee any challenges in doing this or any work around that can be helpful, Please?

Thanks

0 Kudos
Licensing_User
Participant
‎2023-01-20 07:33 AM
In response to Licensing_User
Jump to solution

Hello All,

Can anyone please reply to the above question if they know about this, please?

Thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-20 11:58 AM
In response to Licensing_User
Jump to solution

If you're trying to modify PBR with Linux commands (via expert mode) on the gateway, that is most definitely not supported.
If you're implementing the PBR on an external device, that's up to the external device.

What version/JHF are we talking about here?

 

0 Kudos
Licensing_User
Participant
‎2023-01-23 02:15 AM
In response to PhoneBoy
Jump to solution

Thanks for your reply.

we had a TAC case opened with ref:6-0003441780, and it was advised that the Linux commands could be used.

It was our SD who was involved with CP TAC, but I will confirm the current version asap.

Thanks

 

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-23 08:34 AM
In response to Licensing_User
Jump to solution

It depends on where the PBR limit is coming from (the Linux kernel or the Gaia configuration DB).
That might be a question for TAC, though I am also asking out of band.

0 Kudos
Licensing_User
Participant
‎2023-01-24 03:20 PM
In response to PhoneBoy
Jump to solution

Ok, Thanks for that. I did open a new TAC case, but no response yet. please let me know if you find out anything.

Thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-24 05:02 PM
In response to Licensing_User
Jump to solution

TAC will ultimately tell you the same thing that @Sundeep_Mudgal answered as his team in R&D is responsible for PBR functionality in Gaia.
Recommend raising this requirement with your local Check Point office.

0 Kudos
Licensing_User
Participant
‎2023-01-23 03:07 AM
In response to PhoneBoy
Jump to solution

Its R80.40 T180

 

0 Kudos
Sundeep_Mudgal
Employee
Employee
‎2023-01-23 11:46 AM
In response to Licensing_User
Jump to solution

Gaia ultimately pushes these rules to kernel so same limitations should apply either way. Please open a RFE request if you need 2500 PBR rules to be supported in Gaia.

0 Kudos
Licensing_User
Participant
‎2023-01-25 01:06 AM
In response to Sundeep_Mudgal
Jump to solution

Thanks for the info @Sundeep_Mudgal 

0 Kudos
Licensing_User
Participant
‎2023-01-25 01:23 AM
In response to Sundeep_Mudgal
Jump to solution

@Sundeep_Mudgal , it seems the RFE is a general feature request and might not be implemented. can a custom hotfix be provided if we contact local CP or a request via TAC?

0 Kudos
PhoneBoy
Admin
Admin
‎2023-01-25 10:49 AM
In response to Licensing_User
Jump to solution

While it wouldn't hurt to file an RFE, this request should be handled through your local Check Point office.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events