This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Axel_Winterberg
Participant
Thursday

PBR and Source NAT

Hi Guys,

we have a Cluster running on R81.20 with JHF T65.

We want to separate WebEX from other traffic.

So I used the Updatable Object for allowing the Traffic to "WebEX Services".

In NAT-Rules I created a Source NAT:

internal Net --> WebEX Services       NAT-IP 10.1.1.1 (hide)  ---> original

 

Rule and NAT is working fine, BUT ....

I have configured PBR to work for Source IP.

BPR-Rule:   If Source IP is 10.1.1.1   --->   Route Destination x.x.x.14

Default Route is x.x.x.254 (Loadbalancer)

So I expected, that the traffic, which has been source natted to 10.1.1.1 will use the

PBR Route for x.x.x.14 and NOT my default Route to the loadbalancer.

 

Unfortunately it still uses the default route!

Is the order for PBR.....   first look up for PBR and than make Source NAT ???

0 Kudos
7 Replies
Lesley
Advisor
Thursday

And why not use the PBR route based on the real ip instead of NAT pool range?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Axel_Winterberg
Participant
Thursday
In response to Lesley

Because, that will match all traffic from the real IPs.
I do source NAT only for Destination WebEX Services.
So original Source with other Destination musst use default route.

Destination WebEX Services are Source natted and should use PBR Route

0 Kudos
Lesley
Advisor
Thursday
In response to Axel_Winterberg

https://support.checkpoint.com/results/sk/sk163320

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Axel_Winterberg
Participant
Thursday
In response to Lesley

Yes, i have seen it.

I will try another way to separate the traffic:

 Enabling Firewall rule matching in PBR (Application-Based Routing)

The purpose of extending the basic PBR rule criteria to include Firewall rule is to enable users to match on configured Firewall rules and forward traffic accordingly. This extension of PBR functionality forwards the traffic based on application, service, users, time, location, and many more, as supported by FW rules.

Currently, this feature is supported to direct Office365 traffic to Microsoft Cloud and is being tested with other updatable SaaS and cloud service objects.

This feature is currently hidden. To enable it, run these commands on the Security Gateway in the Expert mode and reboot:

HostName:0# dbset process:rtgpbrd:runlevel 4

HostName:0# dbset process:rtgpbrd:path /bin

HostName:0# dbset process:rtgpbrd t

HostName:0# dbset :save

HostName:0# reboot

0 Kudos
Axel_Winterberg
Participant
Thursday
In response to Axel_Winterberg

I will test this scenario, if I get a maintenance window from the customer.

0 Kudos
Lesley
Advisor
Thursday
In response to Axel_Winterberg

You mean then this SK correct? https://support.checkpoint.com/results/sk/sk167135

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Axel_Winterberg
Participant
Thursday
In response to Lesley

Yes, have found sk167135.

Never tried this "hidden" feature. Will give it a try and will post my results.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events