Policy Based Routing (PBR) and Domain vpn

SamiH · ‎2020-01-21

Policy Based Routing sk100500 just shortly states that PBR cannot be used with Domain vpn. If I use PBR just for a certain network, am I able to use Domain vpn with other networks or how does it affect Domain vpn?

My other problem is that we have 2 ISPs and some networks need to be routed via ISP1 and some via ISP2. I currently have many s2s domain vpns via ISP1 and at some point would like to start moving them one-by-one to ISP2, but if PBR doesn't work with domain vpn, I don't see a way to do this with one Gateway cluster? If I remove PBR, either the ISP1 or ISP2 owned network will route wrong with static routes.

G_W_Albrecht · ‎2020-01-21

This is not true - what the SK states is that:

The following features/blades are not supported with PBR:
- IPv6
- URL Filtering
- IPS
- Locally-generated traffic
- Security Servers
- Data Loss Prevention (DLP) blade
- VPN Domain Based
- VPN Route Based
- Anti-Spam blade
- Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
- ISP Redundancy
- The following applications (which use Check Point Active Streaming [CPAS]):
  - VoIP (H323, SIP, Skinny, etc.)
  - HTTPS Inspection
  - HTTP Header Spoofing
  - HTTP Proxy
  - IMAP in IPS

So you can not use PBR just for a certain network and use Domain vpn with other networks. But you can mix VPN Domain Based and VPN Route Based, see sk109340: Mixing Route Based VPN with Domain Based VPN on the same Security Gateway!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

Are you a member of CheckMates?

Policy Based Routing (PBR) and Domain vpn