CPUG

The Check Point User Group

A Resource For The Check Point Community.  Fast.  Useful.  Independent.

#1  2006-11-01  Kubann (Member)
Policy Based Routing

Hi there

How does one configure the Check Point firewall to route, e.g., SMTP traffic out of a certain interface only?

I know the Check Point rule base has only permit, deny and traffic classification.

But there is nowhere to specify which interface the traffic should go out of or come in on.

Please help
#2  2006-11-01  northlandboy (Senior Member, New Zealand)
Re: Policy Based Routing

Check Point doesn't do (or really care about) routing.

That's up to the OS. Check Point enforces policy in terms of what is allowed, not how to route it.

You'll need to look into what's possible with whatever OS your firewall is running on.
#3  2006-12-11  membree (Junior Member, Halifax, Nova Scotia, Canada)
Re: Policy Based Routing

Policy routing based on source IP can be done on SmartPlatform; however, Check Point provides no support for doing this, so you need to figure out how from the Linux documentation and manually issue the appropriate commands in rc.local.

Any policy routing that would require tagged packets is not possible on SPLAT because NetFilter is not installed.
#4  2007-01-04  packnet (Junior Member)
Re: Policy Based Routing

I've asked about this on Nokia IPSO and was told that it wasn't supported - by IP address, so I would assume that it certainly wouldn't do so based on protocol.

If you're trying to get SMTP to route one direction, you might put a relay server in a DMZ and have your internal SMTP servers point to it. Just a thought, this might not cover what you're trying to do.
#5  2007-01-07  linuxsrc (Member)
Re: Policy Based Routing

If your platform is Linux (including Crossbeam/Resilience/SecurePlatform/Red Hat...), you can do whatever you want, since Linux supports advanced routing, so you can configure policy-based routing using 'ip rule' and 'ip route'. Good luck!
#6  2007-01-11  rayden69 (Junior Member)
Re: Policy Based Routing

The way to do this is with the use of all of the policy, including NAT and a little bit of what is called in the Cisco world PAT. Since you are only asking TCP port 25 (SMTP) to go out the other interface, you will need to set up a NAT rule before you overload traffic.

On the Original Packet side:

Source: the network, group or host
Destination: you can set this as Any (if you do this you may need to build a "no NAT between your own networks" rule prior to this)
Service: SMTP (TCP 25)

Translated Packet side:

Source: the NAT IP you want all SMTP traffic coming from (it has to be on the interface side you want the traffic to go out)
Destination: Any
Service: SMTP

After that you will need a rule allowing the traffic outbound.

You will then most likely want to reverse this for incoming traffic and set your MX to the NAT IP you specified above.

If this isn't clear enough please let me know and I can give examples!
#7  2007-01-11  northlandboy (Senior Member, New Zealand)
Re: Policy Based Routing

Quote: Originally Posted by rayden69 (post #6 above)
Can you explain how this will work? I can source NAT something to anything I want to, but that isn't going to control how the OS will route it. If you implement that NAT, it will still get routed out whatever interface is the default. This will only change the behaviour of where reply packets go to. You are then in an asymmetric routing situation, which will probably work if they are simple routers outside the firewall, but it becomes a pain after a while, especially for troubleshooting.
#8  2007-01-11  rayden69 (Junior Member)
Re: Policy Based Routing

You are correct; you will either need to add a static route for the host (mail server) or add 2 equal-cost default routes out if you are hiding networks.
Through the use of NAT you can get the traffic to route back correctly.

In our case we use dynamic routing (OSPF) between the border routers and the Nokia firewalls in area 2, and OSPF internally in backbone area 0 as well.

Although your internal routing table can be static as well.
#9  2007-01-11  northlandboy (Senior Member, New Zealand)
Re: Policy Based Routing

Equal-cost default routes are going to do load sharing for all traffic; that's not going to achieve the stated goal of routing SMTP traffic via one interface only.

If you want to ensure certain traffic doesn't swamp other traffic, it's probably better to achieve it with a traffic management solution, e.g. Packeteer or Floodgate.
#10  2007-01-11  rayden69 (Junior Member)
Re: Policy Based Routing

I should add that we also use Floodgate; however, depending on your licenses this may or may not already be available to you.
#11  2009-10-05  hansen68 (Junior Member, NL)
Re: Policy Based Routing

You need source-based routing, either on the firewall or on a router between the firewall and the Internet that can deal with that.
If you use Linux/SPLAT/UTM, here's a way to get it done.
Not written by me, but I tested it and it works.

    RouterA (1.1.1.2)     RouterB (1.1.1.3)
             \               /
          Fw-ext-ip (1.1.1.1)
    Firewall ================== DMZ (192.168.0.0/24)
          Fw-int-ip (10.0.0.1/24)

We assume that the default gateway points to RouterA:
route add default gw 1.1.1.2

Now we will define policy-based routing. We need to define a table ID and an alias for it.

Defining the alias:
=================
Edit the /etc/iproute2/rt_tables file. As you see below, we have added ID 23 with the alias adsl.

# more /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
23 adsl


You may use the command below for this:
# echo 23 adsl >> /etc/iproute2/rt_tables

Then we will specify which source IP addresses will use this table (all LAN IPs will use it):
# ip rule add from 10.0.0.0/24 table adsl

Let's set this adsl table's default gateway to RouterB:
# ip route add default via 1.1.1.3 dev eth0 table adsl

We have to add the following route in order to give access from 10.0.0.x to the DMZ:
# ip route add 192.168.0.0/24 dev eth2 table adsl

To activate the changes, type the following:
# ip route flush cache

After a reboot the things we made will not remain. We have to add all the commands to the rc.local file to make the changes permanent after reboot.


ip rule add from 10.0.0.0/24 table adsl
ip route add default via 1.1.1.3 dev eth0 table adsl
ip route add 192.168.0.0/24 dev eth2 table adsl
ip route flush cache
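The commands in hansen68's post can be checked against a small model of how the Linux kernel actually performs the lookup: rules are walked in priority order, the first rule whose "from" selector matches selects a table, the longest-prefix route in that table wins, and if that table has no matching route the kernel falls through to the next rule (main, then default). The Python model below is an added example, not code from the thread, from Check Point or from iproute2. It assumes eth0 is the external interface and eth2 the DMZ interface as in the post, eth1 for the internal 10.0.0.0/24 side, a /24 mask on the external 1.1.1.0 network and priority 100 for the adsl rule; none of these are stated in the post. It rebuilds the routing state the post's commands produce and shows why the explicit DMZ route in table adsl is needed: without it, LAN-to-DMZ packets match the adsl default route and are handed to RouterB.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str                    # egress interface
    via: Optional[str] = None   # next-hop address, None when directly connected


@dataclass
class Rule:
    priority: int
    table: str
    src: Optional[ipaddress.IPv4Network] = None  # "from" selector; None matches every source


class PolicyRouter:
    """Toy model of Linux policy routing: an 'ip rule' list plus named 'ip route' tables."""

    def __init__(self) -> None:
        self.tables: Dict[str, List[Route]] = {}
        self.rules: List[Rule] = []

    def route_add(self, table: str, prefix: str, dev: str, via: Optional[str] = None) -> None:
        # ip route add <prefix> [via <gw>] dev <dev> table <table>
        self.tables.setdefault(table, []).append(Route(ipaddress.ip_network(prefix), dev, via))

    def rule_add(self, priority: int, table: str, src: Optional[str] = None) -> None:
        # ip rule add [from <src>] table <table> priority <priority>
        self.rules.append(Rule(priority, table, ipaddress.ip_network(src) if src else None))
        self.rules.sort(key=lambda r: r.priority)  # the kernel walks rules lowest priority first

    def lookup(self, src: str, dst: str) -> Optional[Tuple[str, Optional[str]]]:
        """Return (egress dev, next hop) for a packet, or None if it is unroutable."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.src is not None and s not in rule.src:
                continue  # selector does not match this packet, try the next rule
            best: Optional[Route] = None
            for r in self.tables.get(rule.table, []):
                if d in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                    best = r  # longest prefix match inside the selected table
            if best is not None:
                return best.dev, best.via
            # no route in this table: fall through to the next rule (main, then default)
        return None


def build_firewall(with_dmz_route: bool = True) -> PolicyRouter:
    """Recreate the routing state from the post; masks and eth1 are assumptions."""
    fw = PolicyRouter()
    fw.rule_add(32766, "main")     # kernel default rules (the 'local' table is left out here)
    fw.rule_add(32767, "default")
    # connected networks the kernel adds for each interface address (masks assumed)
    fw.route_add("main", "1.1.1.0/24", "eth0")
    fw.route_add("main", "10.0.0.0/24", "eth1")
    fw.route_add("main", "192.168.0.0/24", "eth2")
    fw.route_add("main", "0.0.0.0/0", "eth0", via="1.1.1.2")   # route add default gw 1.1.1.2
    # table 23 "adsl" from the post; priority 100 is an assumption
    fw.rule_add(100, "adsl", src="10.0.0.0/24")                # ip rule add from 10.0.0.0/24 table adsl
    fw.route_add("adsl", "0.0.0.0/0", "eth0", via="1.1.1.3")    # ip route add default via 1.1.1.3 dev eth0 table adsl
    if with_dmz_route:
        fw.route_add("adsl", "192.168.0.0/24", "eth2")         # ip route add 192.168.0.0/24 dev eth2 table adsl
    return fw


if __name__ == "__main__":
    fw = build_firewall()
    print("LAN -> Internet:", fw.lookup("10.0.0.5", "203.0.113.10"))       # via RouterB (table adsl)
    print("DMZ -> Internet:", fw.lookup("192.168.0.10", "203.0.113.10"))   # via RouterA (table main)
    print("LAN -> DMZ     :", fw.lookup("10.0.0.5", "192.168.0.10"))       # directly out eth2
    broken = build_firewall(with_dmz_route=False)
    print("LAN -> DMZ without the DMZ route in adsl:", broken.lookup("10.0.0.5", "192.168.0.10"))
```

Like 'ip rule' itself on SPLAT, the model only selects on the source address: there is no port selector, which is why the thread's working answer is source-based routing rather than the per-protocol (SMTP-only) routing asked for in post #1, and why membree notes that a packet-mark based variant needs NetFilter.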
#12  2009-10-05  plamy (Senior Member, Ottawa, Ontario, Canada)
Re: Policy Based Routing

Quote: Originally Posted by packnet (post #4 above)
Policy based routing on IPSO was introduced in IPSO 4.2 b 69. You would be able to send all SMTP traffic out a particular interface if you wanted to. It is always recommended to run the latest version of IPSO, for example there is a PBR/SXL fix in IPSO 4.2 b 105.

-Pierre
#13  2009-11-08  alain_B72 (Junior Member, GVA)
Re: Policy Based Routing

Hello,

Has anyone a good pointer to where to find documentation to start configuring PBR? We are thinking of doing this on an IP390 4.2 flash box.

Thx
#14  2009-11-24  hotice_ (Senior Member)
Re: Policy Based Routing

Has anyone been able to implement this with R70?

Seems simple but was unable to make this work
#15  2010-01-14  accesslimiter (Junior Member)
Re: Policy Based Routing

I have this working on R70.2. I do know that ISP Redundancy, URL Filtering, Anti-Virus and Performance Pack break it.