Hi Mates,
Reading sk100500, I was very surprised when it described:
The following features/blades are not supported with PBR:
Despite my idea that the routing feature on the gateway mustn't influence the security features, at the moment I need to have a PBR on a gateway where MTA is active for the TEX blade.
In the environment where I'd like to implement PBR and I have MTA enabled on an R80.10 gateway, the PBR doesn't work.
Does someone face the same scenario?
Does someone know a workaround/solution?
Locally generated traffic accounts for most of the limitations, including MTA.
It would be useful to hear about your specific use case in a little more detail.
The idea should be to implement a PBR to move internet browsing from a proxy server inside the network out through a new provider.
I implemented the PBR as I did in the past for other customers, but it is the first time the PBR doesn't work.
I mean, running the "IP RULE" command in expert mode on the gateway, I see the matches for my PBR.
Dumping the traffic, instead, the packets are forwarded by the route in the main route tables.
Routing configuration changes need to be done via clish and not using the ip command via expert mode.
Are you using the security gateway as the explicit proxy in this case?
The "ip rule" command is described in the SK for debugging PBR on Secure Gateway.
Obviously I implemented PBR from clish.
In reply to your question "Are you using the security gateway as the explicit proxy in this case?", the response is NO, I have an external proxy gateway.
So how is the traffic flowing from your clients to the Internet?
Since proxies are involved, need to understand where the TCP connections are terminating.
And are you using the Transparent proxy option?
The browser on the client is configured to use an explicit proxy, and the communication starts from the client and terminates at the proxy end.
The proxy then initiates the connection to the web site.
In other words, running tcpdump on the gateway I see, as source IP, the IP of the proxy server.
So do the packets from your internal proxy server terminate on another proxy server or just go to the Internet sites directly?
Also, my question about proxy mode, which you didn't answer.
The setting is here:
Hi Dameon
The internal proxy goes out to the internet directly. No more proxies are in the middle between the internal proxy and the internet.
In reply to the CKP proxy configuration, the gateways are not configured as a proxy and the box on the property is not ticked.
I recommend opening a TAC case to troubleshoot this as, to the best of my knowledge, this should work.
Hi,
I also have a question about the limitations stated in SK100500.
We use URLFilter and IPS, so is the limitation that those two features are not working for traffic that is handled by the PBR, or are those features without function for all traffic?
KR
David
According to sk100500, IPS and URLF are not working with PBR.
Yes, SK100500 is telling us that, but my question is whether the whole of IPS and URLF is not working/supported, or only not supported/working for the PBR traffic?!
I think that the limitations are pointing out that you cannot make routing decisions based on those blades.
If not I would be really confused, I have many customers with PBRs and IPS and both blades are working like a charm.
It would be nice if someone from Check Point clarified it; it's true that the sk is not clear enough.
Hi,
The post is from long ago, but at the moment I'm facing some problems regarding PBR. I just wanted to ask you if you got any response from officials regarding the mentioned incompatibility with PBR and some core features?
Thanks in advance,
Frank
It would be great if someone from Check Point could clarify this.
We have two open TAC cases for different customers and we cannot move forward as TAC are saying the blades you have enabled will not work with PBR.
It would be really helpful if someone could answer why, rather than just pointing us to this ambiguous SK.
Thanks
Peter
Hello,
Does anyone know if it is possible to configure Mobile Access with PBR?
I have two ISPs on two different firewall interfaces and we would like to publish only the Mobile Access portal with the ISP which is NOT the default gateway.
I've performed some traffic captures and fw monitor, and I clearly see that traffic is reaching through ISP2 but the returning traffic is being routed through ISP2.
Thank you to everyone in advance, I really really like this community.
See sk76281 -
Did you select "Reply from the same interface"?
When Responding to a Remotely Initiated Tunnel
When responding to a remotely initiated tunnel, there are two options for selecting the interface and next hop that are used. These settings are only relevant for IKE and RDP sessions.
These settings are configured in Link Selection > Outgoing Route Selection > Setup > Link Selection - Responding Traffic window.
Note - When Route Based Probing is enabled, Reply from the same interface is the selected method and cannot be changed.
Kind regards
Niky