PBR Not Working
Hello,
I'm having trouble getting the PBR configuration to work and could use some help.
Network Configuration
The firewall is connected as follows:
eth1: Internet
eth2: Local Network (access to 10.100.0.0/16 via 10.100.1.1/24)
Mgmt: Management Network (10.100.254.0/24)
What I Want to Achieve
I want to synchronize time with the NTP server located at 10.100.253.1 through the Management network. However, due to the current routing, access to the NTP server goes through eth2. I want to correct this using PBR.
Current Configuration
Static Route
default via [eth1 nexthop]
10.100.0.0/16 via 10.100.1.1
PBR Table
set pbr table MgmtPbrTable static-route 10.100.253.1/32 nexthop gateway address 10.100.254.254 priority 1
# I have tried the following three patterns, but none of them worked:
Default route via 10.100.254.254
To 10.100.253.0/24 via 10.100.254.254
To 10.100.253.1/32 via 10.100.254.254
PBR Rule
set pbr rule priority 1 match from 10.100.254.1/32
set pbr rule priority 1 match to 10.100.253.1/32
set pbr rule priority 1 action table MgmtPbrTable
Additional Information
When I added the static route 10.100.253.1/32 via 10.100.254.254, access worked correctly. However, this is not a viable solution because I want access from the Internet to the NTP server to go through eth2 as usual.
Accepted Solutions
Note: Locally-generated traffic is considered a limitation of PBR per sk167135.
Perhaps a normal static route for the /32 can work for you (may also require an anti-spoofing exception).
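To make the trade-off in this thread concrete, here is a small route-selection model (added for illustration, not Check Point code and not from the original post). It assumes, as the accepted answer states per sk167135, that PBR rules are consulted only for forwarded traffic and that the gateway's own packets go straight to the main routing table. The routes, PBR table and PBR rule are the ones from the question; the gateway's Mgmt address 10.100.254.1 is assumed from the "match from" rule, the Internet client address 203.0.113.10 and the ISP next hop are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    nexthop: str
    iface: str


@dataclass(frozen=True)
class PbrRule:
    priority: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    table: str


def lookup(table, dst):
    """Longest-prefix match over one routing table; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


# Main table from the post ("ISP-NEXTHOP" is a placeholder for the eth1 next hop).
MAIN = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "ISP-NEXTHOP", "eth1"),
    Route(ipaddress.ip_network("10.100.0.0/16"), "10.100.1.1", "eth2"),
]

# PBR table and rule exactly as configured in the question.
PBR_TABLES = {
    "MgmtPbrTable": [Route(ipaddress.ip_network("10.100.253.1/32"), "10.100.254.254", "Mgmt")],
}
PBR_RULES = [
    PbrRule(1, ipaddress.ip_network("10.100.254.1/32"),
            ipaddress.ip_network("10.100.253.1/32"), "MgmtPbrTable"),
]


def select_route(src, dst, locally_generated, main=MAIN, rules=PBR_RULES, tables=PBR_TABLES):
    """Return (table_name, Route) for one packet.

    Modelled limitation: PBR is evaluated only for forwarded (transit) traffic.
    Packets the gateway itself generates skip the PBR rules and use the main table.
    """
    if not locally_generated:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in sorted(rules, key=lambda r: r.priority):
            if s in rule.src and d in rule.dst:
                hit = lookup(tables[rule.table], dst)
                if hit is not None:
                    return rule.table, hit
    return "main", lookup(main, dst)


def add_static_route(main, prefix, nexthop, iface):
    """Return a copy of the main table with one extra static route (the /32 workaround)."""
    return main + [Route(ipaddress.ip_network(prefix), nexthop, iface)]


if __name__ == "__main__":
    # The gateway's own NTP query: PBR is skipped, so it still leaves via eth2.
    print(select_route("10.100.254.1", "10.100.253.1", locally_generated=True))
    # With the /32 static route, the NTP query takes Mgmt ...
    alt = add_static_route(MAIN, "10.100.253.1/32", "10.100.254.254", "Mgmt")
    print(select_route("10.100.254.1", "10.100.253.1", True, main=alt))
    # ... but so does transit traffic from an Internet client to the NTP server.
    print(select_route("203.0.113.10", "10.100.253.1", False, main=alt))
```

Running the block shows both halves of the discussion: with only the PBR rule, the gateway's own NTP query ignores the rule and is routed by the /16 over eth2; with the /32 static route, the query goes over Mgmt, and so does any Internet-sourced traffic to 10.100.253.1, which is the side effect the question raises. Because the /32 then returns packets from 10.100.253.1 on Mgmt, the anti-spoofing topology for that interface has to account for it, which is the exception the answer mentions.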
If you're using NAT, check if the PBR policy is considering the IP before or after a NAT.
Test, if possible, changing the PBR to consider (or not) the NAT.
Best regards,
Thank you for your prompt response and for clarifying the PBR limitation for locally-generated traffic as outlined in sk167135.
I’ll look into using a normal static route for the /32, and consider the anti-spoofing exception if needed.
I appreciate your help!
