Policy Based Routing

[Kubann]

Hi there

How does one configure the checkpoint firewall to route for eg smtp traffic out to a certain interface only.

I know Checkpoint on the rule base has only permit , deny , traffic classification.

But there is no where, to specify on what interface the traffic should go out or come in

Please help

[northlandboy]

Check Point doesn't do (or really care about) routing.

That's up to the OS. Check Point enforces policy in terms of what is allowed, not how to route it.

You'll need to look into what's possible with whatever OS your firewall is running on.

[membree]

Policy routing based on source IP can be done on SmartPlatform, however, Check Point provide no support for doing this so you need to figure out how from Linux documentation and manually issue the appropriate commands in rc.local.

Any policy routing that would require tagged packets is not possible on SPLAT because NetFilter is not installed.

[packnet]

I've asked about this on Nokia IPSO and was told that it wasn't supported - by IP address, so I would assume that it certainly wouldn't do so based on protocol.

If you're trying to get SMTP to route one direction, you might put a relay server in a DMZ and have your internal SMTP servers point to it. Just a thought, this might not cover what you're trying to do.

[linuxsrc]

If your platform is Linux (including Crossbeam/Resilience/SecurePlatform/Redhat...), you can do whatever you want, for Linux support advaned routing, so you can configure the Policy-Based routing using 'ip rule' and 'ip route', good luck!

[rayden69]

The way to do this is with the use of all of the policy including NAT and a little bit of what is called in the Cisco world PAT. Since you are only asking tcp port 25 (SMTP) to go out the other interface you will need to set up a NAT rule before you overload traffic.

on the Original Packet Side:

Source: the network, group or host
Destination: you can set as any (if you do this you may need to build a no nat between your own networks rule prior to this)
Service: SMTP (TCP 25)

Translated Packet Side:

Source: the ip nat ip you want all smtp traffic coming from (has to be on the inteface side you want traffic to go out)
Destination: any
Service: SMTP

After that you will need a rule allowing traffic outbound

you will then most likely want to reverse this for incoming traffic and set your mx to the nat ip you specified above.

If you this isn't clear enough please let me know and I can give examples!

[northlandboy]

Quote:

Originally Posted by rayden69

The way to do this is with the use of all of the policy including NAT and a little bit of what is called in the Cisco world PAT. Since you are only asking tcp port 25 (SMTP) to go out the other interface you will need to set up a NAT rule before you overload traffic.

on the Original Packet Side:

Source: the network, group or host
Destination: you can set as any (if you do this you may need to build a no nat between your own networks rule prior to this)
Service: SMTP (TCP 25)

Translated Packet Side:

Source: the ip nat ip you want all smtp traffic coming from (has to be on the inteface side you want traffic to go out)
Destination: any
Service: SMTP

After that you will need a rule allowing traffic outbound

you will then most likely want to reverse this for incoming traffic and set your mx to the nat ip you specified above.

If you this isn't clear enough please let me know and I can give examples!

Can you explain how this will work? I can source NAT something to anything I want to, but that isn't going to control how the OS will route it. If you implement that NAT, it will still get routed out whatever interface is the default. This will only change the behaviour of where reply packets go to. You are then in an asymmetric routing situation, which will probably work if they are simple routers outside the firewall, but it becomes a pain after a while, especially for troubleshooting.

[rayden69]

you are correct, you will either need to at a static route for the host (mail server) or add 2 equal cost default routes out if you are hiding networks.
Through use of NAT you can get the traffic to route back correctly.

In our case we use dynamic routing (OSPF) between the border routers and the nokia firewalls in area 2 and OSPF internal as well internal in backbone area 0

Although your internal routing table can either be static as well.

[northlandboy]

equal cost default routes is going to do load sharing for all traffic - it's not going to achieve the stated goal of routing SMTP traffic via one interface only.

If you want to ensure certain traffic doesn't swamp other traffic, it's probably better to achieve it with a traffic management solution - e.g Packeteer, Floodgate.

[rayden69]

I should add we also use floodgate as well however depending on your licenses this may/may not already be available to you.