JoSec
Collaborator

PBR for ISP Load Sharing and NAT

I have a requirement to send VOIP traffic to a specific ISP using the VOIP partners public IP ranges and fail over to the second ISP when that circuit is down, while all other traffic can utilize both of our ISPs. I have created a PBR and utilized Auto NAT with "Hide Behind Gateway" and applied this to the specific firewall cluster. I did testing by changing the priority of the ISP for a test client, but even if I change it to go through a specific ISP, I see both public IP addresses of the firewall being utilized randomly in the firewall logs for NAT. I looked at sk163320 - Policy Based Routing (PBR) is not performed when using Hide NAT. The article indicates to utilize the command via the CLI - CLISH> set pbr rule priority X match from <translated_IP_ADDR/masklength> which I assume will change the order of processing to resolve the issue with NAT being performed before PBR. I am utilizing 6600 appliances with R81.10 and separate physical interfaces for each ISP.

My questions are as follows: has anyone on R80.20 and above been able to load share two ISPs using PBR to work in the manner I am attempting? Have you been able to do the same with static routes instead of PBR? Does the command in the SK actually change the order of processing to resolve the issue of NAT being performed before the PBR is evaluated? To note, I am not using the ISP Redundancy feature configurable within SmartDashboard and am only utilizing PBR due to the above requirements. Thanks

0 Kudos
1 Reply
the_rock
Legend

PBR is not supported with ISPR

See below under limitations

Andy

https://support.checkpoint.com/results/sk/sk167135

0 Kudos
