CP-NDA
Collaborator

ISP Redundancy & Policy Based Routing

Hi,

I'm wondering if someone knows why ISP Redundancy & PBR are not compatible?

We did some tests and arrived at the conclusion that, for an unknown reason, some traffic is in the end not sent to the correct gateway...

Does someone know the reason why it's failing? I'm not asking for a confirmation or an RFE, but just trying to understand the root cause...

Besides, is there any plan to support both features at the same time?

Thank you

Best regards

Nicolas

11 Replies
Marco_Valenti
Advisor

What is it that you want to achieve?

Configuring ISP Redundancy so that certain traffic uses a specific ISP link?

Last time I checked, ISP Redundancy and PBR were not supported together, but I'm not 100% sure on that; maybe someone from Check Point could confirm or deny it.

0 Kudos
CP-NDA
Collaborator

Hi,

No, in fact we are already using ISP Redundancy to load-balance traffic on 2 ISPs...

Besides, we would like to force guest traffic (a specific source IP range) to another line... That's why we tried to combine ISP Redundancy + PBR, even though we were aware that both are not supported together.

Today we are trying to understand why both features are mutually exclusive.

0 Kudos
Marco_Valenti
Advisor

Basically, it is what is stated in the SK: you can force a subnet to use a link.

0 Kudos
G_W_Albrecht
Legend

This limitation is stated clearly in sk100500: Policy-Based Routing (PBR) on Gaia OS:

The following features/blades are not supported with PBR:

  • IPv6
  • Locally-generated traffic
  • Security Servers
  • Data Loss Prevention (DLP) blade
  • VPN Domain Based
  • VPN Route Based
  • Anti-Spam blade
  • Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
  • ISP Redundancy
  • The following applications (which use Check Point Active Streaming [CPAS]):
    • VoIP (H323, SIP, Skinny, etc.)
    • HTTPS Inspection
    • HTTP Header Spoofing
    • HTTP Proxy
    • IMAP in IPS
CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
G_W_Albrecht
Legend

Why both features are mutually exclusive is rather obvious to me - PBR routes traffic based on rules, ISP load sharing routes it based on the current load...

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
CP-NDA
Collaborator

Hi,

Yes, that's really strange, as we don't see any link between both features if we only focus our rules on the source IP address...

0 Kudos
G_W_Albrecht
Legend

You have to understand that the two work at different levels: PBR is defined in the OS (e.g. GAiA) as Advanced Routing, while ISP Redundancy / LS is handled by the FW blade.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
CP-NDA
Collaborator

Günther, fully correct, but it is still difficult to understand why it's either ISP or PBR...

For 2 independent subnets that shouldn't be a problem, but I confirm it's not working...

We have an open discussion with TAC, and if an understandable reason is received I will share it here.

0 Kudos
Gomboragchaa
Advisor

Too many limitations on network features. PBR is a very important feature when using dual ISPs.

But it doesn't support...

0 Kudos
G_W_Albrecht
Legend

You can always issue an RFE in Products and Feature Suggestions.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
Rade_Bebek
Participant

I have two ISP links and use PBR for separation.

First network SRC: 192.168.100.x goes to ISP1

Second network SRC: 192.168.101.x goes to ISP2

I want hosts in 101.x to go to the internet over ISP1 when ISP2 is broken.

I set two gateways in the PBR table for ISP2 (first gateway ISP2 with priority 1, second ISP1 with priority 2), but it can't switch automatically.

Can I do this with PBR, or must I use ISP Redundancy, or a combination of PBR and ISP Redundancy?

0 Kudos
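A small model of the setup Rade_Bebek describes, added here as an illustration; it is not Gaia code and not something posted by anyone in this thread. It models a PBR rule that matches on the source subnet and points at a table, and a table holding two next hops with priority 1 and 2, so it is clear what "switch automatically" would require: the priority-2 gateway is only selected when the priority-1 gateway is known to be down. The gateway addresses are constructed RFC 5737 documentation values, and the `gateway_up` dictionary stands in for whatever reachability check the router performs; the model makes no claim about how Gaia detects a failed next hop, which is exactly the part to confirm with TAC or the SK.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NextHop:
    gateway: str    # next-hop router address (constructed sample value)
    priority: int   # 1 is preferred; higher numbers are fallbacks
    isp: str        # label for the ISP link behind this gateway


@dataclass
class PbrTable:
    name: str
    nexthops: tuple

    def select(self, gateway_up):
        """Return the lowest-priority-number next hop whose gateway is up.

        gateway_up maps gateway address -> bool. It is an input to the model,
        not a claim about how Gaia itself decides a next hop is unreachable.
        """
        for nh in sorted(self.nexthops, key=lambda n: n.priority):
            if gateway_up.get(nh.gateway, False):
                return nh
        return None


@dataclass
class PbrRule:
    priority: int                    # lower number is evaluated first
    source: ipaddress.IPv4Network    # the "match from" condition
    table: PbrTable                  # the "action table"


# Constructed topology following Rade_Bebek's description.
ISP1_GW = "198.51.100.1"   # constructed sample address for the ISP1 router
ISP2_GW = "203.0.113.1"    # constructed sample address for the ISP2 router

TABLE_ISP1 = PbrTable("ISP1", (NextHop(ISP1_GW, 1, "ISP1"),))
# ISP2 table: ISP2 preferred (priority 1), ISP1 as the priority-2 fallback.
TABLE_ISP2 = PbrTable("ISP2", (NextHop(ISP2_GW, 1, "ISP2"),
                               NextHop(ISP1_GW, 2, "ISP1")))

RULES = (
    PbrRule(1, ipaddress.ip_network("192.168.100.0/24"), TABLE_ISP1),
    PbrRule(2, ipaddress.ip_network("192.168.101.0/24"), TABLE_ISP2),
)


def lookup(src_ip, gateway_up, rules=RULES):
    """Return (rule_priority, table_name, isp) for a packet from src_ip.

    (None, "main", None): no PBR rule matched, so the packet falls through
    to the ordinary routing table in this model.
    (prio, table, None): a rule matched but every next hop in its table is
    down, so the table cannot forward the packet at all.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if ip in rule.source:
            nh = rule.table.select(gateway_up)
            return (rule.priority, rule.table.name, nh.isp if nh else None)
    return (None, "main", None)


def chosen_isp(src_ip, gateway_up):
    """Just the ISP label chosen for src_ip, or None."""
    return lookup(src_ip, gateway_up)[2]


if __name__ == "__main__":
    both_up = {ISP1_GW: True, ISP2_GW: True}
    isp2_down = {ISP1_GW: True, ISP2_GW: False}
    for src in ("192.168.100.10", "192.168.101.10", "10.0.0.5"):
        print(src, "both up   ->", lookup(src, both_up))
        print(src, "ISP2 down ->", lookup(src, isp2_down))
```

Running it shows 192.168.101.x on ISP2 while both gateways are up and on ISP1 once ISP2's gateway is marked down, while 192.168.100.x stays on ISP1 and an unmatched source falls through to the main table. The practical point for the question in the thread is the `gateway_up` input: if the router still considers the ISP2 next hop reachable (for example the link to the ISP router is up but the ISP is broken further upstream), the priority-2 entry is never used, so whether failover is "automatic" depends entirely on what the gateway actually monitors.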