Hp policy based routing example

This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.

• CheckFlix
• CheckMates Go Cyber Security Podcast
• Check Point for Beginners
• Check Point Trivia
• Cyber Talk
• Incident Response
• LGPD
• ReelTalk
• Tip Of The Week
• Training and Certification
• ATC Trainers
• CCSM
• CheckMates Labs
• TechTalks
• CCSM Elite

• Products
  • Quantum (Secure the Network)
    • IoT Protect
    • Maestro
    • Management
    • OpenTelemetry/Skyline
    • Remote Access VPN
    • SD-WAN
    • Security Gateways
    • SmartMove
    • Smart-1 Cloud
    • SMB Gateways (Spark)
    • Threat Prevention
    • CNAPP
    • Cloud Network Security
    • CloudGuard - WAF
    • CloudMates General
    • Talking Cloud Podcast
    • Browse
    • Connect
    • Email and Collaboration
    • Endpoint
    • Mobile
    • SASE
    • SaaS
    • Events
    • NDR
    • Playblocks
    • SOC
    • XDR/XPR
    • Ansible
    • API / CLI Discussion
    • DevSecOps
    • CheckFlix
    • CheckMates Go Cyber Security Podcast
    • Check Point for Beginners
    • Check Point Trivia
    • Cyber Talk
    • Incident Response
    • LGPD
    • ReelTalk
    • Tip Of The Week
    • Training and Certification
    • ATC Trainers
    • CCSM
    • CheckMates Labs
    • TechTalks
    • CCSM Elite
    • Upcoming Events
    • Americas
      • Brazil
      • Canada
      • The Caribbean
      • Central US
      • Eastern US
      • Latin America
      • Mid-Atlantic US
      • Pacific Northwest
      • Southeast US
      • US Federal
      • Western US
      • Czech Republic and Slovakia
      • Denmark
      • Netherlands
      • Germany
      • Sweden
      • United Kingdom and Ireland
      • France
      • Spain
      • Norway
      • Ukraine
      • Baltics and Finland
      • Greece
      • Portugal
      • Austria
      • Kazakhstan and CIS
      • Switzerland
      • Romania
      • Turkey
      • Belarus
      • Belgium & Luxembourg
      • Russia
      • Poland
      • Georgia
      • DACH - Germany, Austria and Switzerland
      • Iberia
      • Africa
      • Adriatics Region
      • Eastern Africa
      • Israel
      • Nordics
      • Middle East and Africa
      • Balkans
      • Italy
      • Korea
      • Mongolia
      • Bangalore
      • Greater China
      • Australia/New Zealand
      • Philippines
      • Japan
      • Singapore
      • India
      • Thailand
      • Taiwan
      • Hong Kong
      • Indonesia
      • Welcome Partners!
      • Non-English Discussions
        • Español
        • Français
        • Português
        • Russian
        • Chinese 中文
        • Japanese 日本語
        • Exclusive Content
        • CPX 2024 Content
        • R8x Training Videos
        • Recent Messages
        • Recent Threads
        • How-To Video Contest
        • CheckMates Everywhere 5th Birthday
        • Paradigm Shifts: Adventures Unleashed​
        • Toolbox Contest 2024
        • Careers at Check Point
        • The CheckMates Blog
        • Threat Intelligence Reports
        • Cyber Talk Cyber Security Insights
        • About CheckMates & FAQ
        • Community Guidelines

        Keep Your Networking Peers Happy
        With Secure SD-WAN
        

        Secure the GenAI Revolution!
        The All-New GenAI Security from Check Point
        

        Forwarding Events to 3rd-party SIEM
        Help us with the Short-Term Roadmap
        

        Mastering Endpoint Security -
        Best Practices for 2024
        

        CheckMates Toolbox Contest 2024
        Make Your Submission for a Chance to WIN up to $300 Gift Card!
        

        CheckMates Go:
        Recently on CheckMates
        

        Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

        Showing results for Search instead for Did you mean:
        • CheckMates
        • :
        • Products
        • :
        • General Topics
        • :
        • Policy Based Routing and default route / features
        • Subscribe to RSS Feed
        • Mark Topic as New
        • Mark Topic as Read
        • Float this Topic for Current User
        • Bookmark
        • Subscribe
        • Mute
        • Printer Friendly Page

        Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.

        Showing results for Search instead for Did you mean:

        Are you a member of CheckMates?

        Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!

        ‎2018-07-10 09:09 AM
        • Mark as New
        • Bookmark
        • Subscribe
        • Mute
        • Subscribe to RSS Feed
        • Permalink
        • Print
        • Report Inappropriate Content
        Policy Based Routing and default route / features

        just some questions regarding policy based routing.

        We have defined a default IPv4 static route in GAIA that points to an IP address of our router.
        Now I have configured a new network that needs its default route to point to a different IP address.

        Policy based routing is not yet configured, only static IPv4 routes.
        The idea was to configure PBR the following way:
        1) Create an Action Table with the option "Default Route" ticked and the different router IP address.
        2) Create a Policy table with the new network as matching criteria.

        Now I have the following questions:

        a) Will the newly created PBR default route conflict with my default static IPv4 route for all my other networks?
        I do not want end up with all my other networks using the default route defined in PBR. only the new network.

        b) The PBR sk article states that some features are not supported with PBR like: Anti Spam Blade, Mail Transfer Agent.
        Is it possible to configure PBR and continue to use these features with all the networks that use IPv4 static routing?
        If I understand this statement right then this features are only not available for the PBR routed networks and will continue to work fine with all my other networks, is that correct?

        Thanks and best regards
        Raphael

        • All forum topics
        • Previous Topic
        • Next Topic

        HeikoAnkenbrand

        ‎2018-07-10 12:19 PM
        • Mark as New
        • Bookmark
        • Subscribe
        • Mute
        • Subscribe to RSS Feed
        • Permalink
        • Print
        • Report Inappropriate Content

        I don't understand your problem in detail.

        You can control the PBR routes according to „policy rules“. So you can make sure that the default route is changed or not changed. It all depends on the policy rules.

        Further information can be found in the following SK100500:

        ➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

        

        ‎2018-07-12 07:25 AM
        • Mark as New
        • Bookmark
        • Subscribe
        • Mute
        • Subscribe to RSS Feed
        • Permalink
        • Print
        • Report Inappropriate Content

        Only the networks being matched in the PBR configuration will be affected. Similar to an ACL or route-map, there's a default "deny" meaning "no match" at the end.

        

        Contributor ‎2018-07-13 08:55 AM
        • Mark as New
        • Bookmark
        • Subscribe
        • Mute
        • Subscribe to RSS Feed
        • Permalink
        • Print
        • Report Inappropriate Content

        in my little experiance with PBR and default route, for the subnet included in the table, I had to create additional action for internal routing between subnet directly connected to the same gateway.

        In detail in a scenario where subnet A, B, C are connected to the same gateway and for the subnet C I create a PBR with default route, I have to create the PBR to route from C to A by interface A and from C to B by interface B.

        

        ‎2018-07-13 11:05 AM
        • Mark as New
        • Bookmark
        • Subscribe
        • Mute
        • Subscribe to RSS Feed
        • Permalink
        • Print
        • Report Inappropriate Content

        If you do want Subnet C to communicate with Subnets A and B, then you will need to make a policy match rule for that to allow it.

        set pbr table SubnetC_to_A static-route default nexthop gateway address A.1.1.1 priority 1

        set pbr table SubnetC_to_B static-route default nexthop gateway address B.1.1.1 priority 1

        set pbr table SubnetC_default static-route default nexthop gateway address Z.1.1.1 priority 1

        set pbr rule priority 1 match from C.1.1.0/24 to A.1.1.0/24 interface ethC

        set pbr rule priority 1 action table SubnetC_to_A

        set pbr rule priority 2 match from C.1.1.0/24 to B.1.1.0/24 interface ethC

        set pbr rule priority 2 action table SubnetC_to_B

        set pbr rule priority 3 match interface ethC

        set pbr rule priority 3 action table SubnetC_default

        

        ‎2018-07-13 06:34 PM
        • Mark as New
        • Bookmark
        • Subscribe
        • Mute
        • Subscribe to RSS Feed
        • Permalink
        • Print
        • Report Inappropriate Content

        Gianluca & Duane are correct in that you would need PBR policy rules for routes to other internal (Non-Default) routes.

        I'd like to help reinforce the thought process when managing a PBR policy in R77.x with the following explanation I used to give to my engineers (Not sure if same in R80, but would assume so).

        Once a source packet matches a PBR rule; it enters the PBR territory and NEVER leaves PBR territory! The moment you define a source network to match in PBR, then ANYTHING coming from that network will bypass the normal routing kernel and only look at PBR policy rules.

        We had to replicate an entire "normal" routing table (~120 routes) into PBR rules to allow internal connectivity to continue. And route changes occurred weekly as we on-boarded new branch offices. It was a NIGHTMARE to manage on an internal/segmentation firewall with all these routes that handfuls of engineers had access to work on and troubleshoot. If you have a simple "normal" kernel routing table that doesn't change often, then it's really not that bad to adjust to some PBR.

        Also keep in mind that if any route change is needed for some reason..you'd need to apply it to both normal static route table, AND the PBR table if the route is applicable to both.