Routing processing order (VPN, PBR, Routing Table)
Hi,
I would like to know the order in which routes are processed in a security gateway.
The main purpose is to apply PBR rules to traffic that is decrypted from a site-to-site VPN or from VPN routing. Is this possible?
Can you elaborate on the use case?
Let's say we have two sites, each connected through a GW cluster, both managed by the same Security Management.
The VPN FWs are connected (via switch) to the Core FW (which acts as the default gateway in the network) at each site.
The VPN FWs are also directly connected to each segment in the network to reduce traffic on the Core FW.
Traffic between VPN domains in this case goes through asymmetric paths, which makes applications slow (or even not work).
I would like to force traffic between VPN domains to be routed to the Core FW regardless of the directly connected subnets in the system routing table.
I hope this was clear, because I know it's not a usual use case.
Okay, that makes sense. Unfortunately, you cannot do PBR and VPN on the same box. What is feasible is breaking the VPN tunnel on another device and then sending the traffic to the PBR box. You can actually achieve this with VSX.
Anyhow, here is a quote from https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...:
The following features/blades are not supported with PBR:
- IPv6
- URL Filtering
- IPS
- Locally-generated traffic
- Security Servers
- Data Loss Prevention (DLP) blade
- VPN Domain Based
- VPN Route Based
- Anti-Spam blade
- Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
- ISP Redundancy
- The following applications (which use Check Point Active Streaming [CPAS]):
  - VoIP (H323, SIP, Skinny, etc.)
  - HTTPS Inspection
  - HTTP Header Spoofing
  - HTTP Proxy
  - IMAP in IPS
Hello Val,
Do the PBR restrictions apply only to the networks/IP ranges/interfaces touched by PBR, or do they affect the whole gateway?
Whole GW
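For reference, this is what the Gaia clish PBR configuration for the use case described in the thread would look like: steer traffic between the two VPN domains to the Core FW even though the local segment is a directly connected route. This is an added illustration, not configuration posted by anyone in the thread, and it only makes sense on a box that does not terminate the VPN itself (a separate gateway or Virtual System), since the quoted SK lists domain-based and route-based VPN as unsupported with PBR on the same gateway. The table name (to-core), the Core FW next hop (10.0.0.1), the local segment (10.10.20.0/24) and the remote VPN domain (10.20.0.0/16) are assumed values.

```clish
# Added example, not from the thread. Assumed values: PBR table "to-core",
# Core FW next hop 10.0.0.1, local segment 10.10.20.0/24, remote VPN domain 10.20.0.0/16.

# 1. A PBR routing table that is consulted only when a PBR rule matches:
#    send everything to the Core FW regardless of the main routing table.
set pbr table to-core static-route default nexthop gateway address 10.0.0.1 priority 1 on

# 2. Local segment -> remote VPN domain: use the PBR table instead of the
#    directly connected interface route.
set pbr rule priority 10 match from 10.10.20.0/24
set pbr rule priority 10 match to 10.20.0.0/16
set pbr rule priority 10 action table to-core

# 3. Return direction needs its own rule, otherwise the reply still follows the
#    directly connected route and the path stays asymmetric.
set pbr rule priority 20 match from 10.20.0.0/16
set pbr rule priority 20 match to 10.10.20.0/24
set pbr rule priority 20 action table to-core

save config

# Check what was installed.
show pbr tables
show pbr rules
```

In Gaia, PBR rules are evaluated before the main routing table, which is why the directly connected route is overridden for matching flows; traffic that matches no PBR rule falls through to normal routing. The second rule matters for the asymmetry problem in the thread: fixing only one direction leaves the reply path on the directly connected segment.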
