Policy Based Routing (PBR) and Domain VPN

Policy Based Routing sk100500 just shortly states that PBR cannot be used with Domain VPN. If I use PBR just for a certain network, am I able to use Domain VPN with other networks, or how does it affect Domain VPN?

My other problem is that we have 2 ISPs and some networks need to be routed via ISP1 and some via ISP2. I currently have many s2s domain VPNs via ISP1 and at some point would like to start moving them one-by-one to ISP2, but if PBR doesn't work with domain VPN, I don't see a way to do this with one Gateway cluster. If I remove PBR, either the ISP1 or ISP2 owned network will route wrong with static routes.


This is not true - what the SK states is that:

  • The following features/blades are not supported with PBR:
    • IPv6
    • URL Filtering
    • IPS
    • Locally-generated traffic
    • Security Servers
    • Data Loss Prevention (DLP) blade
    • VPN Domain Based
    • VPN Route Based
    • Anti-Spam blade
    • Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
    • ISP Redundancy
    • The following applications (which use Check Point Active Streaming [CPAS]):
      • VoIP (H323, SIP, Skinny, etc.)
      • HTTPS Inspection
      • HTTP Header Spoofing
      • HTTP Proxy
      • IMAP in IPS

So you cannot use PBR just for a certain network and use Domain VPN with other networks. But you can mix VPN Domain Based and VPN Route Based, see sk109340: Mixing Route Based VPN with Domain Based VPN on the same Security Gateway!

