CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: PBR Problem Behavior on 1100 and 1400 Appliances

  1. #1 (joined 2018-03-01, 2 posts)

    PBR Problem Behavior on 1100 and 1400 Appliances

    Hello all! (this is my first post at CPUG, so please excuse any wrongdoing)

    I cannot perform PBR on CP 1100 and 1400 appliances reliably! Static routes pointed at the ISP next-hop device disappear after the WAN interface bounces or is briefly disconnected.

    These are Embedded Gaia devices, centrally managed in R80.10, and running different builds of software version R77.20, including the latest R77.20.75.
    I am doing PBR in CLI expert mode, by using the ip route and ip rule Linux utilities.
    I use the pfrm2.0/etc/userScript file to make my PBR changes permanent, or to have them survive a reboot. This is all working great.

    I have a pretty simple setup:
    - firewall with a single external interface (single ISP) and a single internal interface
    - 2 VTIs for 2 VPN tunnels - one to HQ and the other to an Internet Proxy provider (forwarding most Internet traffic to the proxy)
    - Traffic originating at each subnet behind the firewall is routed according to a separate routing table - only static routes are used

    Sample listing of the IP rules (used to select which routing table to consult depending on where traffic comes from):

    [Expert@LKE1180]# ip rule list
    0: from all lookup local
    32763: from 10.85.235.0/24 lookup 13
    32764: from 10.75.235.0/24 lookup 3
    32765: from 10.65.235.0/24 lookup 1
    32766: from all lookup main
    32767: from all lookup default

    Sample listing of the routing table used by subnet 10.65.235.0 (table 1):

    [Expert@LKE1180]# ip route list table 1
    172.16.202.235 dev vpnt1
    10.2.2.235 dev vpnt2
    10.69.7.88/29 dev LAN1
    10.85.235.0/24 dev LAN5.13
    198.140.128.0/24 via 71.41.78.233 dev WAN
    192.168.0.0/16 via 172.16.203.254 dev vpnt1
    10.0.0.0/8 via 172.16.203.254 dev vpnt1
    default via 10.2.2.254 dev vpnt2

    After a day or two, perhaps after a random short reset of the external firewall interface (WAN), the route to 198.140.128.0/24 disappears from the configuration.
    Now the routing table used by subnet 10.65.235.0 looks like this:

    [Expert@LKE1180]# ip route list table 1
    172.16.202.235 dev vpnt1
    10.2.2.235 dev vpnt2
    10.69.7.88/29 dev LAN1
    10.85.235.0/24 dev LAN5.13
    192.168.0.0/16 via 172.16.203.254 dev vpnt1
    10.0.0.0/8 via 172.16.203.254 dev vpnt1
    default via 10.2.2.254 dev vpnt2


    Does anyone have any idea how I can preserve static routes that are dependent on an interface that happens to go up/down?
    How come, when a static route (source-based) is entered via the WebGUI, we don't see the same behavior?
    I read somewhere that this is normal Linux behavior, but at the same time this is a firewall, and it's not just normal Linux.

    Thank you very much!



    PS: the PBR config was generated using:

    # Generate source routing rules for each VLAN:
    #############################
    ip rule add from 10.65.235.0/24 lookup 1
    ip rule add from 10.75.235.0/24 lookup 3
    ip rule add from 10.85.235.0/24 lookup 13

    # VLAN1
    ...
    ip route add 10.85.235.0/24 dev LAN5.13 scope global table 1
    ...
    ip route add 10.0.0.0/8 via 172.16.203.254 table 1
    ...
    ip route add 198.140.128.0/24 via 71.41.78.233 table 1
    ip route add default via 10.2.2.254 table 1
    Last edited by petarpenev; 2018-03-02 at 17:01.
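Editor's note on the post above (added example, not the poster's script or anything shipped by Check Point): Linux drops every route that points out of an interface when that interface loses link or its address, from policy tables as much as from `main`, which is exactly the symptom shown for `198.140.128.0/24` via `WAN`. Routes entered through clish/WebUI are owned and re-applied by the appliance's own routing configuration; routes added by hand with `ip route` are not tracked by anything, so nothing puts them back. The script below is a stopgap for the unsupported expert-mode approach: it declares the intended contents of table 1, diffs that against what `ip route list table 1` currently shows, and emits (or, with `APPLY=1`, runs) only the `ip route replace` commands needed. Table number, prefixes and interface names are copied from the post; the "after bounce" listing is constructed to mirror the second `ip route list` output, not a live capture.

```shell
#!/bin/sh
# Added example (editor's, not from the original post or Check Point):
# reconcile a PBR routing table against a declared list of routes, so a
# route the kernel dropped when the WAN link bounced is put back on the
# next run (e.g. from cron or the same userScript hook the post uses).
# Assumptions: table number, prefixes and interface names are copied from
# the post; SAMPLE_AFTER_BOUNCE is constructed, not a live capture.

# Desired contents of table 1, one route per line in the same form that
# `ip route list table 1` prints (prefix first, then via/dev).
DESIRED_TABLE1='172.16.202.235 dev vpnt1
10.2.2.235 dev vpnt2
10.69.7.88/29 dev LAN1
10.85.235.0/24 dev LAN5.13
198.140.128.0/24 via 71.41.78.233 dev WAN
192.168.0.0/16 via 172.16.203.254 dev vpnt1
10.0.0.0/8 via 172.16.203.254 dev vpnt1
default via 10.2.2.254 dev vpnt2'

# Constructed sample of the table after the WAN bounce described in the
# post: the route via the ISP next hop is missing, everything else is intact.
SAMPLE_AFTER_BOUNCE='172.16.202.235 dev vpnt1
10.2.2.235 dev vpnt2
10.69.7.88/29 dev LAN1
10.85.235.0/24 dev LAN5.13
192.168.0.0/16 via 172.16.203.254 dev vpnt1
10.0.0.0/8 via 172.16.203.254 dev vpnt1
default via 10.2.2.254 dev vpnt2'

# has_prefix PREFIX LISTING
# True when LISTING (output of `ip route list table N`) has a route whose
# destination is exactly PREFIX. Matching on the first field only ignores
# extra tokens `ip` may print (proto, scope, linkdown) and avoids treating
# 10.0.0.0/8 and 10.0.0.0/16 as the same route.
has_prefix() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# missing_routes TABLE DESIRED CURRENT
# Prints one `ip route replace ... table TABLE` command for every desired
# route whose destination is absent from CURRENT. `replace` rather than
# `add` keeps the script idempotent if a route reappears in between.
missing_routes() {
    table=$1
    desired=$2
    current=$3
    printf '%s\n' "$desired" | while IFS= read -r route; do
        [ -n "$route" ] || continue
        prefix=${route%% *}
        if ! has_prefix "$prefix" "$current"; then
            printf 'ip route replace %s table %s\n' "$route" "$table"
        fi
    done
}

# reconcile_table TABLE DESIRED
# Reads the live table and prints (APPLY unset) or runs (APPLY=1) the
# commands needed to restore it. Only meaningful on the appliance itself.
reconcile_table() {
    current=$(ip route list table "$1" 2>/dev/null) || current=''
    missing_routes "$1" "$2" "$current" | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            $cmd
        else
            printf 'would run: %s\n' "$cmd"
        fi
    done
}

# Offline demonstration against the constructed sample; on the appliance
# you would call `APPLY=1 reconcile_table 1 "$DESIRED_TABLE1"` instead.
missing_routes 1 "$DESIRED_TABLE1" "$SAMPLE_AFTER_BOUNCE"
```

Two cautions if you do run something like this from userScript or cron. First, the `ip rule add` lines in the post are not idempotent: every run adds another identical rule, so check `ip rule list` (or `ip rule del` first) before adding. Second, a periodic re-add is a workaround, not a fix; the supported route is the `source` option on `add static-route` in clish/WebUI that the later replies point to, which the appliance re-applies itself after an interface bounce.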

  2. #2 (joined 2011-08-02, http://spikefishsolutions.com, 1,637 posts)

    Re: PBR Problem Behavior on 1100 and 1400 Appliances

    I haven't done PBR on an SMB firewall, but my guess (and this is just a guess) is that this should be done via clish or something so that router.conf gets updated. I'll poke around later to see if I find anything.

  3. #3 (joined 2005-08-14, Gig Harbor, WA, USA, 2,488 posts)

    Re: PBR Problem Behavior on 1100 and 1400 Appliances

    Making changes to the routing outside of the CLI/WebUI is not officially supported on Gaia (embedded or otherwise).
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  4. #4 (joined 2011-08-02, http://spikefishsolutions.com, 1,637 posts)

    Re: PBR Problem Behavior on 1100 and 1400 Appliances

    Seems like the static-route command in clish supports PBR.

    FW750> add static-route
    destination - IP address and subnet length of the destination of the packet in the format IP/subnet. e.g. 192.168.0.0/16
    service - Route service name
    source - IP address and subnet length of the source of the packet in the format IP/subnet. e.g. 192.168.1.0/24
    nexthop
    metric - Metric
    FW750> add static-route

    Note the source option. Granted, I haven't tested it.

    The WebUI seems to support a source option as well.

    Have you tried any of those?
