This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
VolkerM
Explorer
‎2020-12-22 09:23 AM

Problem with Policy Based Routing

Hello there,

I'm currently helping out a company and facing an issue with Policy Based Routing and/or possibly Threat Emulation.
I knew the configuration from about 2 years ago, when everything was on R77.30 and working without any problems.
About one year ago they migration from R77.30 to R80.20 and bought new firewall models.

After the migration they got trouble with Policy Based Routing.
They've got two internet uplinks. The primary/default link is a professional one with a professional router and static ip addresses.
There are using 5 static ips (released with the Proxy ARP feature). This professional uplink has a limited bandwidth and normally is
only used for different kind of server services and VPN.
The "client" internet connection is/should be released with the second uplink which has a non professional/consumer router with
dynamic ip addresses and a lot more bandwidth. There is a proxy (Squid) for these kind of connections.

I don't know what they changed or if anything related to this configration is unsupported in R80.20, but it is not working anymore.
They have trouble downloading larger files. The downloads start and at some point they simple go to 0 kbit/s and stay stalled.
I also recognized that the cluster, which is also using the proxy to download the latest threat prevention updates aso., is showing
a warning to check the internet connection.
I changed the Threat Emulation connection handling to background, but the issue is still there.
If I switch the translated source in the NAT rules to the first ISP everything is working fine again (which is the workaround since one year!).

Maybe I missed something, but I'm a bit out of Checkpoint administrative practice.

 

The configuration is as follows:


2 Gateways (Gaia / ClusterXL):

R80.20 Take 18 (GWs)
R80.20 Take 101 (Management)


Network objects:
WAN2 = 192.168.178.100
Proxy_DMZ = 192.168.160.80
SomeServer_DMZ = 192.168.160.111


Relevant interfaces:

-Interface eth2 (first ISP - DEFAULT Route)
linked to another ISP router

-Interface eth3 (second ISP - specific hosts should use):
Virtual IP: 192.168.178.100/24
Member IP GW1: 192.168.178.101/24
Member IP GW2: 192.168.178.102/24

-Interface eth4 (DMZ Network):
Virtual IP: 192.168.160.250
Member IP GW1: 192.168.160.251
Member IP GW2: 192.168.160.252

 

Policy Based Routing:

-Action Tables:
---------------------------------------------------
Table / Destination / Next Hop / Gateway
---------------------------------------------------
SomeServer_DMZ / Default / Normal / 192.168.178.1
Proxy_DMZ / Default / Normal / 192.168.178.1

-Policy Rules:
--------------------------------------------------
Priority / Action / Source
--------------------------------------------------
1 / Table x: SomeServer_DMZ / 192.168.160.111/32
2 / Table y: Proxy_DMZ / 192.168.160.80/32


NAT:

-NAT Rules (Manual NAT):
----------------------------------------------------------------------------------------------------------
Original Source / Original Destination / Translated Source / Translated Destination / Translated Services
----------------------------------------------------------------------------------------------------------
SomeServer_DMZ / Internet / WAN2 / Orginal / Original
Proxy_DMZ / Internet / WAN2 / Original / Original


Threat Emulation:

Scope: Proxy_DMZ
Inspect incoming files from the following interfaces: External and DMZ
Connection handling: tested hold and background (hold was set)


Maybe anyone has an idea of what is going wrong here.
Thanks a lot and happy holidays! Stay safe and healthy.


Best regards,

Volker

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-12-23 12:19 PM

There’s a change in behavior from previous versions with respect to PBR routes that may be applicable here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
You’ll note this only applies up to R80.10.

Also it might be better to upgrade to a later release than R80.20 as we’ve added more functionality to PBR.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Timothy_Hall
Champion Champion
Champion
‎2020-12-23 12:51 PM
In response to PhoneBoy

Some great reading in sk167135, had no idea there was a "hidden" PBR feature that could match regular firewall policy rules and therefore apply PBR to specific applications, URL categories and users/groups.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-23 01:09 PM
In response to Timothy_Hall

Pretty sure we only tested it with Office 365 in particular but don’t see why it wouldn’t work for other apps as well.
Note that we are planning additional enhancements along these lines as well as removing some of the PBR-related limitations.

0 Kudos
VolkerM
Explorer
‎2020-12-24 05:14 AM
In response to PhoneBoy

Thank you for providing the information regarding the SKs.

Just clarifiy again: there is an external proxy between the Clients and WAN2.

Clients -- Proxy_DMZ -- WAN2 (Interface eth3)


So connections originating from that proxy should use WAN2 and not the default path for internet traffic defined in the default routing table (WAN1 / Interface eth2).
"SomeServer_DMZ" is also there using WAN2, too (without the proxy in between):

SomeServer_DMZ -- WAN2 (Interface eth3) <-- this is currently active and working as far as I can see

So I need to send all internet facing connections from Proxy_DMZ and SomeServer_DMZ to WAN2.

 

PBR summary:

show pbr summary
PBR Summary

PBR has 2 tables
PBR table SomeServer_DMZ (ID=1) has 1 route
Default route, nexthop gateway
gateway 192.168.178.1
preference 3
PBR table Proxy (ID=2) has 1 route
Default route, nexthop gateway
gateway 192.168.178.1
preference 1

PBR has 1 rule
PBR rule 3 from 192.168.160.111/32 table 1

(rule for Proxy_DMZ removed because of the issues, but was configured like "PBR rule 3")


SK101562 states that one should use the original source address. You've pointed out that the described behavior is applicable till R80.10 so it must have been a problem in R77.30 too. The installed version is R80.20, so this limitation shouldn't be there anymore.
I don't get your point. May you please tell me more detailed what I can try?

I recommend them to update to R80.40, but they have to decide that. I think if I tell them that their setup is only working with R80.40 or R81 they would go for it.

And another question arised reading the SKs for Policy Based Routing:
in SK100500 I've just read that a couple of features/blades are unsupported with PBR (URL Filtering, IPS and HTTPS Inspection etc.).
They were definitly using these three features with R77.30 along with PBR. So are these new limitations of R80.x?

Thanks.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-12-24 11:12 AM
In response to VolkerM

It may have worked in R77.30 but don’t believe PBR was ever formally supported with those blades.
There were some very significant changes to SecureXL in R80.20 that would definitely impact PBR (thus the SK I mention).
Since you’ve anonymized your IP addresses, I don’t know precisely what IPs you’re using in your routes, which is why I thought this might apply.

One thing that was added in R80.30 was the ability to use a default route for PBR routes (highly desirable for an Internet proxy, I would think).
Its achievable without this in R80.20 but it would require multiple routes to be defined.

I think your best bet here would be a TAC case.
That said, my recommendation to use a later release than R80.20 for this still stands. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events