Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Axel_Winterberg
Participant

PBR and Source NAT

Hi Guys,

we have a Cluster running on R81.20 with JHF T65.

We want to separate WebEX from other traffic.

So I used the Updatable Object for allowing the Traffic to "WebEX Services".

In NAT-Rules I created a Source NAT:

internal Net --> WebEX Services       NAT-IP 10.1.1.1 (hide)  ---> original

 

Rule and NAT is working fine, BUT ....

I have configured PBR to work for Source IP.

BPR-Rule:   If Source IP is 10.1.1.1   --->   Route Destination x.x.x.14

Default Route is x.x.x.254 (Loadbalancer)

So I expected, that the traffic, which has been source natted to 10.1.1.1 will use the

PBR Route for x.x.x.14 and NOT my default Route to the loadbalancer.

 

Unfortunately it still uses the default route!

Is the order for PBR.....   first look up for PBR and than make Source NAT ???

0 Kudos
7 Replies
Lesley
Leader Leader
Leader

And why not use the PBR route based on the real ip instead of NAT pool range?

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Axel_Winterberg
Participant

Because, that will match all traffic from the real IPs.
I do source NAT only for Destination WebEX Services.
So original Source with other Destination musst use default route.

Destination WebEX Services are Source natted and should use PBR Route

0 Kudos
Lesley
Leader Leader
Leader

https://support.checkpoint.com/results/sk/sk163320

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Axel_Winterberg
Participant

Yes, i have seen it.

I will try another way to separate the traffic:

 Enabling Firewall rule matching in PBR (Application-Based Routing)

The purpose of extending the basic PBR rule criteria to include Firewall rule is to enable users to match on configured Firewall rules and forward traffic accordingly. This extension of PBR functionality forwards the traffic based on application, service, users, time, location, and many more, as supported by FW rules.

Currently, this feature is supported to direct Office365 traffic to Microsoft Cloud and is being tested with other updatable SaaS and cloud service objects.

This feature is currently hidden. To enable it, run these commands on the Security Gateway in the Expert mode and reboot:

HostName:0# dbset process:rtgpbrd:runlevel 4

HostName:0# dbset process:rtgpbrd:path /bin

HostName:0# dbset process:rtgpbrd t

HostName:0# dbset :save

HostName:0# reboot

0 Kudos
Axel_Winterberg
Participant

I will test this scenario, if I get a maintenance window from the customer.

0 Kudos
Lesley
Leader Leader
Leader

You mean then this SK correct? https://support.checkpoint.com/results/sk/sk167135

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Axel_Winterberg
Participant

Yes, have found sk167135.

Never tried this "hidden" feature. Will give it a try and will post my results.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events