Hey guys,
Happy Thursday!
Since I have people ask me about this constantly, any idea when and if possibly policy based routing would be supported with ISP redundancy?
Hi,
Maybe SD-WAN could be suitable here?
Akos
Hey brother,
Yes, SD-WAN can be used, but I was more wondering about PBR with ISPR. I did ask our SE and he said hopefully soon, but no concrete date yet. Oh well, will just have to be patient : - )
Not exactly sure how this would work since PBR and ISPR do basically the same thing for different use cases.
It all comes from something a customer asked before the holidays: how they could send specific traffic through the 2nd ISP line, but everything else through the active one.
My statement had nothing to do with your specific use case 🙂
PBR is a standard Linux feature implemented in the Linux Kernel.
ISP Redundancy is a Check Point specific feature.
It's similar to how VPN Routing works for Domain-based VPNs whereby the firewall/VPN routes traffic without consulting the OS routing table.
Put it this way 🙂
It's also about cost; they would prefer not to pay for an SD-WAN license unless they have to.
I have a couple of setups which use PBR to achieve something similar to ISP redundancy. Somewhere in the SK (my apologies for the vagueness, it's 00:40 right now 🙃) there is a claim that PBR and ISPR are mutually exclusive. So these 2 setups are only with PBRs. 2 tables - prefer_ISP_A and prefer_ISP_B, with the respective default gateway, but 2nd preference the other ISP's DG. Then I have probing/BFD create the ISP failover. Then in the PBR rules you refer to your preferred table according to the requirement (usually guests get routed via the worse ISP).
There is also this SK which I never got around to test, PBR which is tied to a firewall rule (which can in turn refer to, say, M365 and Teams). Called Application-Based Routing: https://support.checkpoint.com/results/sk/sk167135
Hey Steven
Thanks for responding! Here is the use case:
A customer has ISP redundancy configured (ISP-A and ISP-B) and they want to force an internal VLAN to use ISP-B unless there's a failure
I'm fairly sure this is ONLY possible with SD-WAN... thoughts?
Depends on the exact scenario. But yes, you can have a PBR configuration which says something like this:
Table prefer_ISP_B, with just the default route with preference ISP_B, next preference ISP_A
Then a PBR rule which says: if src== network_X, use table prefer_ISP_B
(else if src== anything else, it does not hit any PBR rule, so it defaults to the main routing table, which has the default route towards ISP_A).
If ISP_B fails, you would have probing/BFD, which then changes the default route of the prefer_ISP_B table to ISP_A's DG.
Depends on the exact scenarios and with ECMP (and if ECMP is supported with PBR), you might manage to achieve a lot more (never-before-tested by me).
(PS: Now that I write this up, I guess it's a matter of investing in an SD-WAN license vs investing in someone to test, configure and maintain such a setup with PBR, BFD, ECMP, oh my!).
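The layout described in the two posts above (a PBR table whose default route prefers ISP_B with ISP_A as second preference, a rule keyed on the source network, and the main table left pointing at ISP_A), written out as an added Gaia clish example. This is not from the thread or from Check Point documentation; the addresses and the table and rule names are constructed, and the command syntax follows the Gaia Administration Guide's `set pbr` / `set static-route` forms and should be verified against the release in use. The probing/BFD that actually withdraws a dead next hop is assumed to be configured separately and is not shown.

```clish
# Added example, not from the original thread. Constructed values:
#   ISP_A next hop 192.0.2.1   (main default route)
#   ISP_B next hop 198.51.100.1 (preferred for network_X)
#   network_X = 10.10.20.0/24 (internal VLAN that must use ISP_B)
# Assumption: ISP Redundancy is NOT enabled on this gateway; the thread
# notes that PBR and ISPR are documented as mutually exclusive.

# Main routing table: everything not matched by a PBR rule leaves via ISP_A.
set static-route default nexthop gateway address 192.0.2.1 on
set static-route default ping on

# PBR table prefer_ISP_B: ISP_B at priority 1, ISP_A at priority 2.
# The priority-2 next hop is only used once the priority-1 next hop is
# withdrawn (interface down, or the separately configured probing/BFD
# declaring it dead).
set pbr table prefer_ISP_B static-route default nexthop gateway address 198.51.100.1 priority 1 on
set pbr table prefer_ISP_B static-route default nexthop gateway address 192.0.2.1 priority 2 on

# PBR rule: traffic sourced from network_X is looked up in prefer_ISP_B.
# Any other source hits no PBR rule and falls through to the main table.
set pbr rule priority 10 match from 10.10.20.0/24
set pbr rule priority 10 action table prefer_ISP_B

save config

# Checks: confirm the table, both next hops and the rule are in place.
show pbr tables
show pbr rules
show route
```

To add a second table that prefers ISP_A for another VLAN (the prefer_ISP_A / prefer_ISP_B pair mentioned above), repeat the `set pbr table` lines with the priorities swapped and add a second rule at a different priority; rules are evaluated lowest priority number first, so keep the more specific source prefixes at lower numbers.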
Right, that's all great, but again, since they use ISP redundancy, PBR won't work.
I believe you're right yes - you would need to migrate to a PBR-only configuration.
Makes sense.
Yes, you can meet this requirement solely with PBR.
But would not work though since they use isp redundancy, am I wrong?
Right, you'd implement this entirely in PBR and NOT use ISPR.
Got it, thanks!
I see what you are saying; the word "solely" explains it : - )
Hi!
I also tried to solve this problem.
The following workaround helped me in several projects - it worked for the 81.20 HA cluster. The article describes the settings that allow you to set up a "fault-tolerant ISP" without activating ISP Redundancy.
Since you haven't activated ISP Redundancy, you don't have any conflicts with PBR either.
It's not supported by TAC, but I hope it can help you 😊
Thank you, but not something that would work for a customer, as ISPR is a requirement.
Properly configured PBR can meet the same requirement (failing over an ISP connection) as the ISP Redundancy feature.
If a VPN is terminating on the gateway, you might need ISPR, though with enhanced link selection in R82, that may not even be required any longer.