This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nenad_Odic
Contributor
‎2024-10-07 06:29 AM
Jump to solution

PBR help please

Dear friends i have never done PBR in Checkpoint so i need help suggestions for this concrete question.

I have read the SK's so i have some kind of understanding.

What baffles me is as you see in attach i have one internal network that should communicate with DC and it does.

Now we got second ISP ISP2 on the drawing,  i  want to send all internet traffic from that 1.1.1.1 LAN to that ISP2.

all other networks are going to internet to ISP1.

i have in static routes 0.0.0.0 next hop ISP1

and for the communication with DC i have x.x.x.x next hop some internal gw.

everything works .

Now i want to send\receive  internet traffic from 1.1.1.1 to ISP2 and not to disrupt communication with DC.

Hope i was clear and simple.

thanks in advance 🙂

Preview file
92 KB
0 Kudos
1 Solution

Accepted Solutions
Martijn
Advisor
Advisor
‎2024-10-09 01:46 AM
Jump to solution

Hi,

You need to create two PBR rules in your PBR configuration and in the order below.

1. Traffic from 1.1.1.1 to DC needs to use the routing table (Main Table via internal gateway)
2. Traffic from 1.1.1.1 to internet needs to use the ISP2 Table.

If traffic goes to the DC, the first rule is hit. All other traffic is going via IPS2.

Maybe more rules are needed to suit your routing requirements.

Good luck.

Martijn

View solution in original post

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2024-10-07 08:40 AM
Jump to solution

Create an Action Table specifying ISP2's default route.
Create a policy rule that references this table something like below.
Only the source(s) specified will be routed to ISP2.

image.png

0 Kudos
Nenad_Odic
Contributor
‎2024-10-08 01:31 AM
In response to PhoneBoy
Jump to solution

Thanks for help,

i have tried this kind of settings but than my communication from 1.1.1.1 to DC is broken .Internet works.

so do i have to have more than one rule or table regarding the dc communication?

Please help

thank you

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2024-10-08 03:06 AM
In response to Nenad_Odic
Jump to solution

I would suggest to contact CP TAC to get this resolved!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PeterL
Participant
‎2024-10-08 06:01 AM
In response to Nenad_Odic
Jump to solution

It's been a while, but for as far as I can remember, PBR takes absolute precedence over all other routes.  So if you create a Policy Based Route that sends all traffic from 1.1.1.1 to ISP2, you should add another PBR for the traffic from 1.1.1.1 towards DC as well.

Make sure to take the Hide-NAT for your internet traffic into account as well, as this will most probably differ between ISP1 and ISP2.

Just my two cents...

 

0 Kudos
Martijn
Advisor
Advisor
‎2024-10-09 01:46 AM
Jump to solution

Hi,

You need to create two PBR rules in your PBR configuration and in the order below.

1. Traffic from 1.1.1.1 to DC needs to use the routing table (Main Table via internal gateway)
2. Traffic from 1.1.1.1 to internet needs to use the ISP2 Table.

If traffic goes to the DC, the first rule is hit. All other traffic is going via IPS2.

Maybe more rules are needed to suit your routing requirements.

Good luck.

Martijn

0 Kudos
Nenad_Odic
Contributor
‎2024-10-11 06:49 AM
In response to Martijn
Jump to solution

Thanks to you all i have managed to setup this to work .

There were some shenanigan's with the NAT but now it is solved . 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events