This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MaheshCheck
Explorer
‎2024-09-17 03:00 AM

unable to access internal server application via webbrowser after creating the policy based rules

Dear ALl,

from USER VLAN unable to access internal server application via webbrowser after creating the policy based rules for sending the internet traffic 80 & 443 towards

ping ,tracert and telnet are working to that internal server IP but unable to access that application via browser

Please help me anyone.

 

0 Kudos
12 Replies
PhoneBoy
Admin
Admin
‎2024-09-17 02:31 PM

What is the precise behavior in the web browser?
What is shown in the logs?
What version/JHF is the gateway?
What exact configuration was done?
A simple network diagram and screenshots will be helpful.

0 Kudos
MaheshCheck
Explorer
‎2024-09-18 01:26 AM
In response to PhoneBoy

What is the precise behavior in the web browser?-Error The site is took loong to respon
What is shown in the logs?-Attached
What version/JHF is the gateway?-R81.20
What exact configuration was done?-I wanted to inform you that users have started facing issues after configuring policy-based routing for directing internet traffic (services 80 & 443) towards Zscaler via the configured GRE tunnel(This is only internet traffic).Which was worked before configuring policy routes 


A simple network diagram and screenshots will be helpful.-attached(BFW & FFW both are checkpoint firewalls)

Preview file
46 KB
Preview file
43 KB
Preview file
22 KB
Preview file
11 KB
Preview file
26 KB
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-09-18 02:47 AM
In response to MaheshCheck

Your network diagram doesn't show the Zscalers, do the gateways have an interface in the subnet that your PBR gateways reside in?

0 Kudos
MaheshCheck
Explorer
‎2024-09-18 02:51 AM
In response to emmap

Thanks for the reply

 

I have attached screenshot of GRE interface

Preview file
7 KB
0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-09-18 02:58 AM
In response to MaheshCheck

Have you done some tcpdumps on the interfaces involved to see the packets to/from the gateway?

0 Kudos
MaheshCheck
Explorer
‎2024-09-18 03:03 AM
In response to emmap

I did not take any TCP dumps, but since it's local traffic, I believe the PBR rule should not be impacting it.

0 Kudos
emmap
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2024-09-18 03:13 AM
In response to MaheshCheck

The PBR rule will send all port 80/443 traffic to the ZScaler, from what I can tell there. Is that not what you want?

0 Kudos
MaheshCheck
Explorer
‎2024-09-18 03:17 AM
In response to emmap

From 10.10.20.199 is unable to access 10.13.1.209 on 443 service .Earliar its worked befor policy route configuration and both the subnet are from firewalls only .see attached network diagram

0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-18 10:55 AM
In response to MaheshCheck

Sounds like you need to adjust your policy route to be more specific for the traffic you want to redirect over GRE.
Specify the sources and destinations (not just "any").
Currently, it appears ALL 80/443 traffic will go through this tunnel...which is probably not what you want in this case.

0 Kudos
MaheshCheck
Explorer
‎2024-09-19 12:33 AM
In response to PhoneBoy

We configured above PBR for routing all internet traffic (services 80 & 443) towards Zscaler Via GRE Tunnel

Could you please how do i create PBR for routing the traffic towards 10.13.1.209 as per the below information

The front firewall and back firewall are connected back-to-back in the 10.13.1.0/24 network, with the following details:

 

Front Firewall IP: 10.13.1.106

Back Firewall IP: 10.13.1.254

Server IP: 10.13.1.209

All three devices are on the same network

 

attached network diagram for reference

 

Preview file
26 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-19 07:33 AM
In response to MaheshCheck

To do that, I need to know exactly how the PBR routes that exist are currently configured.

0 Kudos
AmirArama
Employee
Employee
‎2024-09-30 10:49 AM

you just need to have upper PBR rules (lower number) to match by destination of the internal private IP ranges you use in your networks, and set the action to be Main table.

that way traffic directed to internal networks will use the main routing table, and other 80/443 that didn't match the upper rules, will go by the rule you currently have.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events