This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
51ce833e-a8ec-4
Participant
‎2020-04-07 12:08 AM
Jump to solution

Routing processing order (VPN, PBR, Routing Table)

Hi,

I would like to know the order of processing routes in a security gateway.

 

Main purpose is to apply PBR rules on traffic that decrypted from site to site VPN or from VPN Routing. is this possible?

0 Kudos
2 Solutions

Accepted Solutions
_Val_
Admin
Admin
‎2020-04-07 01:28 AM
In response to 51ce833e-a8ec-4
Jump to solution

Okay, that makes sense. Unfortunately, you cannot do PBR and VPN on the same box. What is feasible is breaking VPN tunnel on another device and then send traffic to PBR box. You can actually achieve this with VSX. 

View solution in original post

7 Replies
_Val_
Admin
Admin
‎2020-04-07 12:49 AM
Jump to solution

Can you elaborate of the use case?

0 Kudos
51ce833e-a8ec-4
Participant
‎2020-04-07 01:17 AM
In response to _Val_
Jump to solution

I'm trying to implement site to site VPN and avoid asymmetric routing.
Let's say we have two sites connected through a GW cluster each site, both managed by the same Security Management.

VPN FWs are connected (via switch) to Core FW (which acts as the default gateway in the network) at each site

VPN FWs are also directly connected to each segment in the network to reduce traffic on Core FW

traffic between VPN domains in this case is going through asymmetric paths and it makes applications go slow (or even not work)

I would like to force traffic between VPN domains to be routed to the Core FW regardless of directly connected subnets in the system routing table

I hope this was clear because I know it's not a usual use-case.
0 Kudos
_Val_
Admin
Admin
‎2020-04-07 01:28 AM
In response to 51ce833e-a8ec-4
Jump to solution

Okay, that makes sense. Unfortunately, you cannot do PBR and VPN on the same box. What is feasible is breaking VPN tunnel on another device and then send traffic to PBR box. You can actually achieve this with VSX. 

51ce833e-a8ec-4
Participant
‎2020-04-07 01:30 AM
In response to _Val_
Jump to solution

Thank you very much !
0 Kudos
_Val_
Admin
Admin
‎2020-04-07 12:52 AM
Jump to solution

Anyhow,

 

Here is a quote from https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

The following features/blades are not supported with PBR:

  • IPv6
  • URL Filtering
  • IPS
  • Locally-generated traffic
  • Security Servers
  • Data Loss Prevention (DLP) blade
  • VPN Domain Based
  • VPN Route Based
  • Anti-Spam blade
  • Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
  • ISP Redundancy
  • The following applications (which use Check Point Active Streaming [CPAS]):
    • VoIP (H323, SIP, Skinny, etc.)
    • HTTPS Inspection
    • HTTP Header Spoofing
    • HTTP Proxy
    • IMAP in IPS
r31N3r
Participant
‎2020-10-02 03:39 AM
In response to _Val_
Jump to solution

Hello Val,

do the restrictions to PBR just hit the networks/IP-Range/IF touched by PBR or have these restrictions impact to the whole gateway?

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top