Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Garrett_DirSec
Advisor
Jump to solution

PBR road-map and URLF/Identity requirements (policy-based routing)

Hello--  larger existing CP customer testing Policy-based Routing (aka "PBR") and disappointed on current incantation.

Based on sk100500, it appears that PBR operates at layer4 and currently can't make any decisions based on upper layers -- nor can higher level blades features be applied to traffic AFTER a PBR decision.

Customer would like to do the following.   Both not possible today.

  1. make PBR decision based on identity
  2. apply URLF policy to traffic following PBR decision.

Any road-map, work-arounds, or insight would be appreciated.    Thanks -GA

reference Policy-based Routing -- SK100500

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

excerpts:

Routing and Firewall Processing

It is important to note that routing tables, including PBR tables, are checked after firewall processing is complete.
This means that in situations such as NAT, routing rules are checked against the original source address (refer to sk101562).

The following features/blades are not supported with PBR:

<basically... everything>

0 Kudos
1 Solution

Accepted Solutions
rdevarak
Employee
Employee

Hello @Wolfgang - thanks for pointing out the right sk (sk167135). 

@Garrett_DirSec : PBR/ABR does support identity rules. Please contact me directly for further help.

-Raghu

View solution in original post

0 Kudos
7 Replies
Wolfgang
Authority
Authority

@Garrett_DirSec do you know Policy-Based Routing and Application-Based Routing in Gaia.

New features allowing PBR based on applications.

0 Kudos
Garrett_DirSec
Advisor

Hello @Wolfgang -- thanks for your msg and post.  I was not aware of this SK.   I will post feedback on Sk100500 to reference the newer sk167135.

While the addition of application to decision logic, this doesn't address customer requirements to operate based on identity and apply URLF to traffic post-decision.

Sincere thanks for the insight.   I hope it comes in handy in future.   -GA

0 Kudos
rdevarak
Employee
Employee

Hello @Wolfgang - thanks for pointing out the right sk (sk167135). 

@Garrett_DirSec : PBR/ABR does support identity rules. Please contact me directly for further help.

-Raghu

0 Kudos
Wolfgang
Authority
Authority

In addition to @rdevarak  snip from sk167135 for support of identities:

The purpose of extending the basic PBR rule criteria to include Firewall rule is to enable users to match on configured Firewall rules and forward traffic accordingly. This extension of PBR functionality forwards the traffic based on application, service, users, time, location, and many more, as supported by FW rules.

But as you mentioned, applying rules after PBR will be problematic.

0 Kudos
rdevarak
Employee
Employee

It can only be done in hairpin topology (LIG - Legal Interception Gateway) with another peer FW. May be with VSX but it is an interesting scenario to explore it further.

0 Kudos
emmap
Employee
Employee

Out of curiosity, what's the use-case for performing security decisions after the outbound routing? 

0 Kudos
Garrett_DirSec
Advisor

Hello @emmap -- great question. 

customer has various use-case scenarios where one of three uplinks would be used. 

when the traffic is from end-user, the requirement is to enforce URLF on traffic, regardless of PBR/PBF decision.

thanks -GA 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events