MaheshCheck
Explorer

unable to access internal server application via webbrowser after creating the policy based rules

Dear All,

From the USER VLAN, unable to access the internal server application via web browser after creating the policy-based rules for sending the internet traffic (80 & 443) towards

Ping, tracert and telnet are working to that internal server IP, but unable to access that application via browser.

Please help me, anyone.

0 Kudos
12 Replies
PhoneBoy
Admin

What is the precise behavior in the web browser?
What is shown in the logs?
What version/JHF is the gateway?
What exact configuration was done?
A simple network diagram and screenshots will be helpful.

0 Kudos
MaheshCheck
Explorer

What is the precise behavior in the web browser? - Error: The site took too long to respond
What is shown in the logs? - Attached
What version/JHF is the gateway? - R81.20
What exact configuration was done? - I wanted to inform you that users have started facing issues after configuring policy-based routing for directing internet traffic (services 80 & 443) towards Zscaler via the configured GRE tunnel (this is only internet traffic). This worked before configuring the policy routes.

A simple network diagram and screenshots will be helpful. - Attached (BFW & FFW are both Check Point firewalls)

0 Kudos
emmap
Employee

Your network diagram doesn't show the Zscalers. Do the gateways have an interface in the subnet that your PBR gateways reside in?

0 Kudos
MaheshCheck
Explorer

Thanks for the reply.

I have attached a screenshot of the GRE interface.

0 Kudos
emmap
Employee

Have you done some tcpdumps on the interfaces involved to see the packets to/from the gateway?

0 Kudos
MaheshCheck
Explorer

I did not take any TCP dumps, but since it's local traffic, I believe the PBR rule should not be impacting it.

0 Kudos
emmap
Employee

The PBR rule will send all port 80/443 traffic to the Zscaler, from what I can tell there. Is that not what you want?

0 Kudos
MaheshCheck
Explorer

From 10.10.20.199, it is unable to access 10.13.1.209 on service 443. Earlier it worked, before the policy route configuration, and both subnets are from the firewalls only. See the attached network diagram.

0 Kudos
PhoneBoy
Admin
Admin

Sounds like you need to adjust your policy route to be more specific for the traffic you want to redirect over GRE.
Specify the sources and destinations (not just "any").
Currently, it appears ALL 80/443 traffic will go through this tunnel...which is probably not what you want in this case.

0 Kudos
MaheshCheck
Explorer

We configured the above PBR for routing all internet traffic (services 80 & 443) towards Zscaler via the GRE tunnel.

Could you please explain how I create a PBR for routing the traffic towards 10.13.1.209 as per the below information?

The front firewall and back firewall are connected back-to-back in the 10.13.1.0/24 network, with the following details:

Front Firewall IP: 10.13.1.106
Back Firewall IP: 10.13.1.254
Server IP: 10.13.1.209

All three devices are on the same network.

Attached network diagram for reference.

0 Kudos
PhoneBoy
Admin

To do that, I need to know exactly how the PBR routes that exist are currently configured.

0 Kudos
AmirArama
Employee

You just need to have upper PBR rules (lower number) that match by destination on the internal private IP ranges you use in your networks, and set the action to be Main table.

That way, traffic directed to internal networks will use the main routing table, and other 80/443 traffic that didn't match the upper rules will go by the rule you currently have.

0 Kudos
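To illustrate the rule ordering the reply above relies on, here is a small Python model of first-match PBR evaluation (an added example, not the gateway's own configuration or code; the rule fields, the table names and the 203.0.113.10 internet address are constructed assumptions):

```python
from ipaddress import ip_address, ip_network

# Constructed model of policy-based routing: rules are checked in ascending
# priority order, the first match decides the routing table, and a packet
# that matches no rule falls through to the main routing table.
# Field names, table names and addresses below are assumptions for this
# example, not output of a real Gaia gateway.
MAIN = "main"            # the gateway's normal routing table
ZSCALER = "zscaler-gre"  # hypothetical PBR table whose default route is the GRE tunnel

def pbr_rule(priority, action, to=None, ports=None):
    """Build one rule; 'to' is a destination CIDR, 'ports' a set of TCP ports."""
    return {"priority": priority, "to": ip_network(to) if to else None,
            "ports": set(ports or []), "action": action}

def select_table(rules, dst, dport):
    """Return the routing table a flow to dst:dport will use (first match wins)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["to"] is not None and ip_address(dst) not in rule["to"]:
            continue
        if rule["ports"] and dport not in rule["ports"]:
            continue
        return rule["action"]
    return MAIN

# What the thread describes: one catch-all rule for 80/443 with destination "any",
# which also drags the internal server 10.13.1.209 into the tunnel.
BROKEN = [pbr_rule(100, ZSCALER, ports=[80, 443])]

# The fix from the reply above: lower-numbered rules that send RFC 1918
# destinations to the main table, so only real internet traffic reaches
# the Zscaler rule.
FIXED = [
    pbr_rule(10, MAIN, to="10.0.0.0/8"),
    pbr_rule(11, MAIN, to="172.16.0.0/12"),
    pbr_rule(12, MAIN, to="192.168.0.0/16"),
    pbr_rule(100, ZSCALER, ports=[80, 443]),
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        # The internal server from the thread, and a constructed internet address.
        for dst in ("10.13.1.209", "203.0.113.10"):
            print(f"{label}: {dst}:443 -> {select_table(rules, dst, 443)}")
```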