How To Configure Policy Based Routing


How To Configure Policy Based Routing 24 April 2012

2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19. TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: http://supportcontent.checkpoint.com/documentation_download?id=12298
For additional technical information, visit the Check Point Support Center (http://supportcenter.checkpoint.com).

Revision History
Date         Description
4/24/2012    First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments to cp_techpub_feedback@checkpoint.com (subject: feedback on How To Configure Policy Based Routing).

Contents

Important Information
How to Configure Policy Based Routing (PBR)
    Objective
    How can Policy Based Routing (PBR) be useful in a network?
    Supported Versions
    Supported OS
    Supported Appliances
Before You Start
    Related Documentation and Assumed Knowledge
    Impact on the Environment and Warnings
    Is PBR supported on VRRP & IPSO-Clustering?
Configuration
    Configure the Policy Based Routing (PBR) Table
    Configure the Access Lists (ACL)
Completing the Procedure
    Verifying
Index

How to Configure Policy Based Routing (PBR)

Objective

The objective of this document is to give you the ability to exert detailed control over the traffic forwarding mechanism of IPSO. This feature is available in IPSO 4.2 069 and later.

Policy Based Routing (PBR) lets you create routing tables that enable IPSO to direct traffic to appropriate destinations by using an Access Control List (ACL) to filter the traffic based on one or more of the following:

- Source address
- Source mask length
- Destination address
- Destination mask length
- Source port
- Destination port
- Protocol type

How can Policy Based Routing (PBR) be useful in a network?

PBR can direct traffic based on where it comes from (anything from a single host to an entire network) and where it is going, and it is granular enough to filter that traffic by specific ports (services). This greatly improves the control that network administrators have over the routing of traffic through a network. For example, a company may want all HTTP traffic to use a certain route instead of the default gateway, or traffic from certain hosts or segments to take a route other than the default route.

Note that the Access Control List (ACL) implemented in PBR takes precedence over the standard IPSO routing. This means that the last rule in the ACL should always be an accept rule, so that any traffic not affected by PBR passes through the standard IPSO routing.

Supported Versions

This is an OS-dependent feature and is not impacted by the Firewall version.

Supported OS

- IPSO 4.x
- IPSO 6.x

Supported Appliances

This document only relates to IP appliances.

Before You Start

Related Documentation and Assumed Knowledge

Review these SK articles and documents for reference information:

- sk44420 (http://supportcontent.checkpoint.com/solutions?id=sk44420)
- sk38637 (http://supportcontent.checkpoint.com/solutions?id=sk38637)
- sk44399 (http://supportcontent.checkpoint.com/solutions?id=sk44399)
- sk39204 (http://supportcontent.checkpoint.com/solutions?id=sk39204)
- sk44520 (http://supportcontent.checkpoint.com/solutions?id=sk44520)
- Voyager Reference Guide

Impact on the Environment and Warnings

Policy Based Routing (PBR) can be configured via Voyager as well as via the CLI. The configuration process contains two parts:

- Configuring the PBR Table
- Configuring the ACL

Is PBR supported on VRRP & IPSO-Clustering?

PBR is supported on both VRRP & IPSO-Clustering. However, the configuration of the PBR Table and the ACLs varies slightly between configurations:

- To use PBR in a VRRP configuration, you must configure PBR and the ACL on the master and backup nodes.
- With IP clustering, you can use Cluster Voyager to configure PBR (so that you configure it only once), but you must configure an ACL on the individual nodes.
- If you use PBR with IP clustering in forwarding mode, apply the PBR ACL on the cluster protocol network interfaces.

Configuration

Before you configure PBR, make sure that the Firewall has been configured and is working.

Configure the Policy Based Routing (PBR) Table

1. Open Voyager > Configurations > Traffic Management > Policy Based Routing.
2. Enter a name for the Policy Based Routing (PBR) table (for example, ISP1).
3. Click Apply/Save.
4. Enable the Default Gateway option by selecting On.
5. Click Apply/Save.
6. From the Gateway Type list, select address.
7. Click Apply/Save.
8. Enter the Gateway Address.
9. Click Apply/Save.

Note: The Gateway Address entered in Step 8 is the address of the upstream router for ISP1.

Configure the Access Lists (ACL)

1. Open Voyager > Configurations > Traffic Management > Access List.
2. Enter a name for the Access List (ACL) (for example, pbr_acl).
3. Click Apply/Save.
4. By default, the Bypass option should be set to No. This option must be set to No for the Access List to be utilized.
5. Click the name of the Access List to edit it.
6. Select the Add Rule Before check box.
7. Click Apply/Save.
8. Select PBR from the list in the Action column.
9. Click Apply/Save.
10. Select ISP1 from the list in the Policy Based Routing Table column.
11. Enter the source IP address in the Src IP Addr field and the source mask length in the Src Mask Len field.
12. Click Apply/Save.

Completing the Procedure

For a company's requirements, you may need to split the internal network into two parts. Make sure that you enter the mask length in Step 11 accordingly.

Also note that the system takes the path of the least restrictive matching ACL rule. Therefore, to make sure that all FTP traffic is routed through ISP1, place the FTP rule above the other rules. Make sure that you use the appropriate destination port (FTP). Exclude this port from the port ranges of the other rules. Use this syntax: 0-21, 22-65535.

After you configure ISP1, configure similar ACLs for ISP2 and FTP.

It is imperative that the last rule in the ACL be an Accept rule that allows any traffic not affected by the ACL or PBR to be handed over to the standard IPSO routing process.

The last step in this procedure is to apply this ACL to an interface. From the Add Interface drop-down menu, select an interface (for example, the internal interface, so that all traffic entering this interface is subject to PBR). After you select the internal interface, select Input from the Direction list.

Once you complete the configuration, you can test it.

Verifying

Send traffic from different source IPs and run tcpdump to make sure it is working correctly.
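
An offline check of a planned access list against the three requirements stated under Completing the Procedure: a final catch-all accept rule, an FTP rule placed above the other PBR rules, and port 21 excluded from their port ranges. This is an added example, not Check Point code; the rule dictionary layout, the addresses and the function names are hypothetical and are not IPSO's configuration format, and the constructed plan writes the exclusion as 0-20,22-65535 because a range that ends at 21 still contains the FTP port.

```python
# Added example: offline audit of a planned PBR access list (hypothetical rule layout).
import ipaddress

FTP_PORT = 21

def parse_ports(spec):
    """Turn '0-20,22-65535' into [(0, 20), (22, 65535)] and '21' into [(21, 21)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ranges.append((lo, hi))
    return ranges

def audit(rules):
    """Return a list of findings; an empty list means the plan passes all checks."""
    if not rules:
        return ["empty rule list"]
    findings, parsed = [], []
    for r in rules:
        ipaddress.ip_network(r["src"])  # raises ValueError on a malformed prefix
        parsed.append(parse_ports(r["dst_ports"]))
    # Check 1: the last rule hands everything else to standard routing.
    last = (rules[-1]["action"], rules[-1]["src"], parsed[-1])
    if last != ("accept", "0.0.0.0/0", [(0, 65535)]):
        findings.append("last rule is not a catch-all accept")
    pbr = [i for i, r in enumerate(rules) if r["action"] == "pbr"]
    ftp = [i for i in pbr if parsed[i] == [(FTP_PORT, FTP_PORT)]]
    if not ftp:
        findings.append("no dedicated FTP rule")
    for i in pbr:
        if i in ftp:
            continue
        # Check 2: other PBR rules must exclude the FTP port from their ranges.
        if any(lo <= FTP_PORT <= hi for lo, hi in parsed[i]):
            findings.append(f"rule {i + 1} still covers port {FTP_PORT}")
        # Check 3: the FTP rule must sit above the other PBR rules.
        if ftp and i < ftp[0]:
            findings.append(f"rule {i + 1} sits above the FTP rule")
    return findings

# Constructed plan: internal /24 split into two halves, FTP pinned to ISP1.
GOOD_PLAN = [
    {"action": "pbr", "table": "ISP1", "src": "192.168.1.0/24", "dst_ports": "21"},
    {"action": "pbr", "table": "ISP1", "src": "192.168.1.0/25", "dst_ports": "0-20,22-65535"},
    {"action": "pbr", "table": "ISP2", "src": "192.168.1.128/25", "dst_ports": "0-20,22-65535"},
    {"action": "accept", "table": None, "src": "0.0.0.0/0", "dst_ports": "0-65535"},
]
```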
