Solved: Re: PBR road-map and URLF/Identity requirements (...

Garrett_DirSec · ‎2022-11-02

Hello-- larger existing CP customer testing Policy-based Routing (aka "PBR") and disappointed on current incantation.

Based on sk100500, it appears that PBR operates at layer4 and currently can't make any decisions based on upper layers -- nor can higher level blades features be applied to traffic AFTER a PBR decision.

Customer would like to do the following. Both not possible today.

make PBR decision based on identity
apply URLF policy to traffic following PBR decision.

Any road-map, work-arounds, or insight would be appreciated. Thanks -GA

reference Policy-based Routing -- SK100500

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

excerpts:

Routing and Firewall Processing

It is important to note that routing tables, including PBR tables, are checked after firewall processing is complete.
This means that in situations such as NAT, routing rules are checked against the original source address (refer to sk101562).

The following features/blades are not supported with PBR:

<basically... everything>

rdevarak · ‎2022-11-02

Hello @Wolfgang - thanks for pointing out the right sk (sk167135).

@Garrett_DirSec : PBR/ABR does support identity rules. Please contact me directly for further help.

-Raghu

View solution in original post

Wolfgang · ‎2022-11-02

@Garrett_DirSec do you know Policy-Based Routing and Application-Based Routing in Gaia.

New features allowing PBR based on applications.

Garrett_DirSec · ‎2022-11-02

Hello @Wolfgang -- thanks for your msg and post. I was not aware of this SK. I will post feedback on Sk100500 to reference the newer sk167135.

While the addition of application to decision logic, this doesn't address customer requirements to operate based on identity and apply URLF to traffic post-decision.

Sincere thanks for the insight. I hope it comes in handy in future. -GA

rdevarak · ‎2022-11-02

Hello @Wolfgang - thanks for pointing out the right sk (sk167135).

@Garrett_DirSec : PBR/ABR does support identity rules. Please contact me directly for further help.

-Raghu

Wolfgang · ‎2022-11-02

In addition to @rdevarak snip from sk167135 for support of identities:

The purpose of extending the basic PBR rule criteria to include Firewall rule is to enable users to match on configured Firewall rules and forward traffic accordingly. This extension of PBR functionality forwards the traffic based on application, service, users, time, location, and many more, as supported by FW rules.

But as you mentioned, applying rules after PBR will be problematic.

rdevarak · ‎2022-11-03

It can only be done in hairpin topology (LIG - Legal Interception Gateway) with another peer FW. May be with VSX but it is an interesting scenario to explore it further.

emmap · ‎2022-11-03

Out of curiosity, what's the use-case for performing security decisions after the outbound routing?

Garrett_DirSec · ‎2022-11-03

Hello @emmap -- great question.

customer has various use-case scenarios where one of three uplinks would be used.

when the traffic is from end-user, the requirement is to enforce URLF on traffic, regardless of PBR/PBF decision.

thanks -GA

Are you a member of CheckMates?

PBR road-map and URLF/Identity requirements (policy-based routing)