Hi all,
I have been given an answer by Check Point support, however wondered if anyone could explain to me what the changes are and the consequences of turning SecureXL off in the future.
So - we migrated a customer to R80.30 from a R77.30 firewall.
They have a list of PBR rules.
An issue came up where certain traffic was being received on the correct interface, but was leaving on the incorrect one. There is a PBR rule to point the traffic back to the correct interface. (The traffic wasn't being picked up by another PBR rule, it was just following OS routes)
Turning SecureXL off fixes the issue.
Check Point support pointed me to sk163320.
The customer does indeed translate his source IP, but his PBR rules were always set on the existing, original IP and not the NAT'd IP.
It appears now that PBR is calculated after NAT, therefore on the NAT address - firstly, is my understanding correct?
The customer is a bit dismayed at the fact that he now needs to adjust all his PBR rules to work with the translated NAT source address. He also queries why this is the case in R80.20 and above: what changed? And also, if he turns SecureXL off, will PBRs still be calculated on the NAT'd source address, or will he need to keep PBR rules for both the original and NAT'd addresses?
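As an added illustration (not from the original post, and not Check Point code), here is a small Python model of the ordering question raised above: a PBR table keyed on the original source address is looked up either before or after hide NAT, and an audit function lists NAT'd sources whose translated address no PBR rule covers. All prefixes, addresses and interface names are constructed.

```python
import ipaddress

# Constructed example: models why a PBR rule keyed on the original source
# address stops matching once PBR is evaluated on the post-NAT source.
# Prefixes, addresses and interface names below are made up.

PBR_RULES = [
    ("10.1.1.0/24", "eth1"),     # "send this source back out eth1"
    ("192.0.2.0/24", "eth2"),
]
HIDE_NAT = {"10.1.1.0/24": "203.0.113.10"}   # source prefix -> translated source
ROUTE_DEFAULT = "eth0"                        # what the OS routing table would pick


def apply_nat(src: str) -> str:
    """Return the translated source for src, or src unchanged if no NAT rule hits."""
    ip = ipaddress.ip_address(src)
    for prefix, translated in HIDE_NAT.items():
        if ip in ipaddress.ip_network(prefix):
            return translated
    return src


def pbr_lookup(src: str, rules=PBR_RULES) -> str:
    """First-match PBR lookup; falls back to the OS route if nothing matches."""
    ip = ipaddress.ip_address(src)
    for prefix, iface in rules:
        if ip in ipaddress.ip_network(prefix):
            return iface
    return ROUTE_DEFAULT


def egress_iface(src: str, pbr_after_nat: bool, rules=PBR_RULES) -> str:
    """Egress interface when PBR is evaluated on the original source (the
    behaviour the post relied on) versus on the NAT'd source (what it observed)."""
    lookup_src = apply_nat(src) if pbr_after_nat else src
    return pbr_lookup(lookup_src, rules)


def uncovered_translated_sources(rules=PBR_RULES, nat=HIDE_NAT) -> list:
    """Audit: NAT'd sources whose translated address matches no PBR rule, i.e.
    flows that would silently fall back to OS routing once PBR runs post-NAT."""
    gaps = []
    for prefix, translated in nat.items():
        if pbr_lookup(translated, rules) == ROUTE_DEFAULT:
            gaps.append((prefix, translated))
    return gaps
```

Adding a rule for the translated address (for example `("203.0.113.10/32", "eth1")`) clears the audit and restores the intended egress interface in the post-NAT case.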