Exonix
Contributor

Policy-based routing interrupts non-rule hosts


Hello everyone,

We have a very strange case. Management Server and Security Gateway (cluster) are on R81.10.

There is a rule: a "host group" to "public_internet", accept, rule number 12. A very common rule.

rule12.png

Policy-based routing: if the rule number is 12, use Table 2, which routes all traffic via an interface.

pbr1.png

It works, but! There are two hosts, and as long as this PBR is enabled, they cannot communicate with each other. I see that the traffic came in on one firewall interface (the source server is connected to this interface), but did not leave the other (the target server is connected to the second interface). The hosts are not members of the group in rule 12! As soon as I delete the PBR, everything works again. What is wrong and how do I fix it?

The table PRBZ is used by another PBR with other rules, but it does not affect the hosts:

rule10.png

Thank you in advance.


Accepted Solutions
Exonix
Contributor

We have adjusted rule 12. Now we only allow certain ports, and it works.

Thank you.

Timothy_Hall
Champion

The next step will be to have the PBR rule active, run fw ctl zdebug + drop, and have the two hosts that aren't working try to talk to each other. The drop reason given should provide a clue.

If you don't see anything related to those two hosts in the zdebug output at all, it is a routing issue; try running tcpdump/cppcap and figure out where the traffic that is not coming out on the expected interface is going. I imagine it is improperly leaving on your PBR rule's interface. Try disabling SecureXL for the two problematic hosts only, with the steps in the SK below; if that still doesn't have any effect, it is probably time for a TAC case.

sk104468: How to disable SecureXL for specific IP addresses

New 2021 IPS/AV/ABOT Immersion Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
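The triage sequence in the reply above, written up as an added example that is not part of the original thread and not Check Point's own tooling: a small expert-mode helper that builds the capture filter, prints the two commands to run, and filters the drop lines from fw ctl zdebug + drop down to the two hosts in question. The host addresses and the sample zdebug lines are constructed placeholders (assumptions, not from the page); the exact drop-line format on a real gateway may differ, so compare one real line against the sed pattern before relying on it.

```shell
#!/bin/sh
# Added example (not from the original thread or from Check Point): a small
# expert-mode helper that follows the triage steps in the reply above.
# Assumptions, not from the page: the two host addresses and the sample
# zdebug lines below are constructed placeholders; the real drop-line format
# on your gateway may differ slightly, so check one real line before trusting
# the sed pattern.

# Constructed sample of what "fw ctl zdebug + drop" prints; modelled on the
# R8x "fw_log_drop_ex" line shape, with made-up addresses.
SAMPLE_ZDEBUG=';[cpu_0];[fw4_1];fw_log_drop_ex: Packet proto=6 10.1.1.10:49152 -> 10.2.2.20:445 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 30;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 192.0.2.9:53 -> 10.9.9.9:40000 dropped by fw_antispoof_handler Reason: Address spoofing;'

# Escape the dots in an IPv4 address so it can be used literally inside an ERE.
ere_ip() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# BPF filter for tcpdump restricted to traffic between the two hosts.
bpf_filter() {
    printf 'host %s and host %s' "$1" "$2"
}

# Read zdebug output on stdin and print, for either direction between the two
# hosts, "src -> dst proto=N handler: reason". Only drop lines survive: if
# nothing is printed while the hosts retry, the packets are not being dropped
# by the firewall and the problem is routing, which is the reply's second step.
drop_reasons_for_hosts() {
    a=$(ere_ip "$1"); b=$(ere_ip "$2")
    grep -E "${a}:[0-9]+ -> ${b}:|${b}:[0-9]+ -> ${a}:" \
    | sed -n 's/.*Packet proto=\([0-9]*\) \([0-9.:]*\) -> \([0-9.:]*\) dropped by \([A-Za-z0-9_]*\) Reason: *\(.*\);$/\2 -> \3 proto=\1 \4: \5/p'
}

# Print the commands to run in two expert-mode terminals on the gateway.
print_commands() {
    cat <<EOF
# terminal 1 (command named in the reply): drop reasons for the two hosts
fw ctl zdebug + drop | grep -E '$(ere_ip "$1")|$(ere_ip "$2")'
# terminal 2: which interface do the packets actually leave on?
tcpdump -nni any $(bpf_filter "$1" "$2")
EOF
}

# Usage: run with the two hosts that stop talking while the PBR rule is active.
# Placeholder addresses; replace with your own.
print_commands 10.1.1.10 10.2.2.20
printf '%s\n' "$SAMPLE_ZDEBUG" | drop_reasons_for_hosts 10.1.1.10 10.2.2.20
```

Run it on the gateway in expert mode with the two real addresses, start the two printed commands, and then have the hosts retry. A drop line pointing at a rule or handler is the clue the reply asks for; an empty zdebug result with tcpdump showing the packets leaving on the PBR interface confirms the routing explanation. Kernel debug is not free on a busy cluster member, so keep the zdebug window to the few seconds the hosts need to retry.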