KristofV
Collaborator

SD-WAN - traffic for connected subnets sent to internet

Setup :

Central HQ firewall, 2 ISPs
Remote firewalls (30+ clusters), all with 2 ISPs

VPN structure :

  • Star VPN : Central with Remote sites
  • Full mesh between Remote sites

Goal:

Implement SD-WAN on all firewalls, starting with 1 test site.

Today we configured SD-WAN on 1 remote site; all good except for the incoming communication from HQ to the remote site, which, for some reason, was sent out to the internet again on the remote firewall.

10.x.x.x - HQ
10.y.y.y - Remote site

[vs_0][fw_2] WAN:i[44]: 10.x.x.x -> 10.y.y.y (ICMP) len=84 id=17250
ICMP: type=8 code=0 echo request id=12336 seq=16
[vs_0][fw_2] WAN:I[44]: 10.x.x.x -> 10.y.y.y (ICMP) len=84 id=17250
ICMP: type=8 code=0 echo request id=12336 seq=16
[vs_0][fw_2] WAN5:o[44]: 10.x.x.x -> 10.y.y.y (ICMP) len=84 id=17250
ICMP: type=8 code=0 echo request id=12336 seq=16
[vs_0][fw_2] WAN5:O[44]: 10.x.x.x -> 10.y.y.y (ICMP) len=84 id=17250
ICMP: type=8 code=0 echo request id=12336 seq=16

I can also find this in the SD-WAN logs, with the steering object local-Breakout and Outgoing ISP WAN2, so the traffic is following the SD-WAN policy.

This behavior seems to be by design:

Symptom:
SD-WAN routing decision overrides my directly connected networks / Gaia OS routes on the Security Gateway.

Cause:

This is by design.

If traffic matches an SD-WAN Policy rule with the Steering Behavior "Local Breakout" or "Backhaul", then the Security Gateway sends the traffic to the selected ISP, regardless of all the other routes.

If traffic matches an SD-WAN Policy rule with the Steering Behavior "Overlay", and the traffic is not encrypted to an SD-WAN peer, then the Security Gateway sends the traffic based on the active kernel routes.

Important - Make sure only the required traffic can match the SD-WAN Policy rules, especially with the Steering Behavior "Local Breakout" or "Backhaul".

Our SD-WAN policy for this site looks like this:

All_remote_sites_ENCDOM to All_remote_sites_ENCDOM -> Overlay VPN
All_remote_sites_ENCDOM to HQ_ENC_DOM -> Overlay VPN
ANY to ANY -> Local Breakout

We already rolled back, but I assume if I create a policy HQ_ENC_DOM to All_remote_sites_ENCDOM, our issue is resolved.

Question: how best to construct an SD-WAN policy? The object Internet cannot be used in the destination, and everything that matches a rule with Local Breakout will not follow its connected routes; this also means internal traffic.
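
The matching problem described in this post, as an added example that is not part of the thread and not Check Point's own code: a small Python model of the three rules listed above, evaluated top-down with first-match semantics (an assumption about rule ordering), with the steering behaviour taken from the quoted KB text (Local Breakout / Backhaul go to the selected ISP regardless of routes, Overlay goes into the VPN, no match falls back to kernel routing). The address ranges behind HQ_ENC_DOM and All_remote_sites_ENCDOM are constructed placeholders. It shows why an HQ-to-remote packet ends up on the ANY/ANY Local Breakout rule, how the proposed HQ_ENC_DOM to All_remote_sites_ENCDOM Overlay rule fixes it, and includes an audit function that probes every pair of internal objects for flows that would break out, so a catch-all can be checked before the policy is installed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address ranges standing in for the thread's network objects
# (hypothetical values; the real encryption domains are not on the page).
OBJECTS = {
    "HQ_ENC_DOM": ["10.0.0.0/16"],
    "All_remote_sites_ENCDOM": ["10.1.0.0/16", "10.2.0.0/16"],
    "ANY": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    steering: str  # "Overlay", "Local Breakout" or "Backhaul"


def in_object(ip, obj):
    """True if the address falls inside any network of the named object."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in OBJECTS[obj])


def match_rule(policy, src_ip, dst_ip):
    """Top-down, first-match evaluation (assumed ordering semantics).
    Returns (index, rule) or (None, None) when nothing matches."""
    for idx, rule in enumerate(policy):
        if in_object(src_ip, rule.src) and in_object(dst_ip, rule.dst):
            return idx, rule
    return None, None


def steer(policy, src_ip, dst_ip, selected_isp="WAN2"):
    """Where the flow goes, following the KB text quoted in the post:
    Local Breakout / Backhaul -> the selected ISP regardless of other routes,
    Overlay -> the SD-WAN tunnel, no match -> the gateway's kernel routes."""
    _, rule = match_rule(policy, src_ip, dst_ip)
    if rule is None:
        return "kernel-route"
    if rule.steering in ("Local Breakout", "Backhaul"):
        return "ISP:" + selected_isp
    return "overlay-vpn"


def internal_flows_that_break_out(policy, internal_objects):
    """Audit: (src_obj, dst_obj) pairs of distinct internal objects whose
    traffic would hit a Local Breakout / Backhaul rule. The first host of
    each object's first network is used as a representative address."""
    def probe(obj):
        return str(ipaddress.ip_network(OBJECTS[obj][0])[1])

    leaks = []
    for s in internal_objects:
        for d in internal_objects:
            if s != d and steer(policy, probe(s), probe(d)).startswith("ISP:"):
                leaks.append((s, d))
    return leaks


# The policy from the post: the ANY/ANY catch-all sits last.
ORIGINAL_POLICY = [
    Rule("All_remote_sites_ENCDOM", "All_remote_sites_ENCDOM", "Overlay"),
    Rule("All_remote_sites_ENCDOM", "HQ_ENC_DOM", "Overlay"),
    Rule("ANY", "ANY", "Local Breakout"),
]

# The fix proposed in the post: an explicit HQ -> remote Overlay rule
# placed above the catch-all.
FIXED_POLICY = ORIGINAL_POLICY[:2] + [
    Rule("HQ_ENC_DOM", "All_remote_sites_ENCDOM", "Overlay"),
] + ORIGINAL_POLICY[2:]

INTERNAL = ["HQ_ENC_DOM", "All_remote_sites_ENCDOM"]

if __name__ == "__main__":
    hq, remote = "10.0.1.10", "10.1.5.20"  # constructed sample hosts
    print("HQ -> remote, original policy:", steer(ORIGINAL_POLICY, hq, remote))
    print("HQ -> remote, fixed policy:   ", steer(FIXED_POLICY, hq, remote))
    print("internal leaks, original:", internal_flows_that_break_out(ORIGINAL_POLICY, INTERNAL))
    print("internal leaks, fixed:   ", internal_flows_that_break_out(FIXED_POLICY, INTERNAL))
```

With the original rule set the HQ-to-remote flow matches only the third rule and is steered to the ISP, which is exactly what the fw monitor capture above shows; with the extra Overlay rule it stays in the VPN. The audit only probes flows between different objects, so it is a quick pre-install check against an over-broad catch-all rather than a full model of the gateway.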

1 Reply
KristofV
Collaborator

Long story short, you have to use the SD-WAN wizard; this will create the public and private objects that you can use in your policy. Without using the wizard, you don't have these objects.
