Policy Based Routing

In This Section:

Configuring Policy Based Routing - Gaia Portal

Configuring Policy Based Routing - Gaia Clish

Monitoring Policy Based Routing

In addition to dynamic and static routing, you can use Policy Based Routing (PBR) to control traffic. PBR Policy Rules take precedence over the static and dynamic routes in the routing table. When a packet arrives at a Gaia Security Gateway, the gateway evaluates the PBR Rules in order of their priority (1 is the highest) and stops at the first rule whose match criteria the packet satisfies; it then handles the packet according to that rule's action. If no PBR Rule matches, the gateway forwards the packet according to the static or dynamic routes in the routing table. Because a matching PBR Rule overrides the routing table, a rule with broad match criteria can redirect or drop traffic that the routing table would otherwise deliver; keep the match criteria as narrow as the use case allows and check the result with the monitoring commands after each change.

To configure Policy Based Routing:

  1. Create Action Tables - Sets of static routes to destination networks.
  2. Configure Policy Rules - For each set of matching criteria, define the priority and the routing action.

You can configure Policy Based Routing in the Gaia Portal or in Gaia Clish.

Configuring Policy Based Routing - Gaia Portal

To add static routes in an Action Table:

  1. In the Gaia Portal, go to Advanced Routing > Policy Based Routing.
  2. In the Action Tables section, click Add.

    The Add Policy Table with Static Route window opens.

  3. Define the route parameters -
    • Table Name - Name of the Policy Table

      Note - Table ID is assigned by the system.

    • Default Route (optional) - Make this the default route

      Note - If selected, the Destination address and Subnet mask fields do not show.

    • Destination - Destination IPv4 address
    • Subnet mask - Destination IPv4 subnet mask
    • Next Hop Type -
      • Normal - Accept and forward packets
      • Reject - Drop packets and send Unreachable message to the sender
      • Black Hole - Drop packets without a notification to the sender
  4. Configure the next hop (if Normal is selected for the Next Hop Type) - click Add Gateway and select one of these:
    • IP Address - Enter the Gateway Address and select a Priority
    • Network Interfaces - Select a Gateway Interface and a Priority

    Note - You can configure several next hops.

  5. Click Save.

To delete an Action Table:

  1. In the Action Tables section of the Policy Based Routing page, select a static route table.
  2. Click Delete.

To add a Policy Rule:

  1. In the Policy Rules section of the Policy Based Routing page, click Add.

    The Add Policy Rule window opens.

  2. Set the Priority of the rule - a unique integer between 1 and 5000. The gateway checks the rules in order of priority; 1 is the highest.
  3. Set the routing Action for the traffic that matches the specified criteria -
    • Prohibit - Drop the packet and send a Prohibit message to the sender
    • Unreachable - Drop the packet and send an Unreachable message to the sender
    • Table - Forward the packet according to the routes in the selected Action Table
  4. Configure one or more of the Match criteria (a packet must satisfy all the criteria you set for the rule to match) -
    • Interface - Interface on which the traffic arrived at the gateway
    • Source - IPv4 address of the source
    • Subnet mask - Subnet mask of the source address
    • Destination - IPv4 address of the destination
    • Subnet mask - Subnet mask of the destination address
    • Service Port - Enter a port number between 1 and 65535, or select a predefined port from the drop-down menu
    • Protocol - Enter a protocol number between 1 and 255, or select a predefined protocol from the drop-down menu
  5. Click Save.

To delete a Policy Rule:

  1. In the Policy Rules section of the Policy Based Routing page, select a rule.
  2. Click Delete.

Configuring Policy Based Routing - Gaia Clish

To create an Action Table:

Run this command:

set pbr table <table_name> static-route {default | <destination_ip/mask>} nexthop {{gateway {address <nexthop_ip> | logical <interface>} {priority <route_priority_value> | on | off}} | reject | blackhole}

Parameter

Description

table <table_name>

Name of the PBR Policy Table.

static-route {default | <destination_ip/mask>}

Route to -

  • default - Default route
  • <destination_ip/mask> - Destination IPv4 address and mask.

gateway {address <nexthop_ip> | logical <interface>}

Next hop -

  • address <nexthop_ip> - IPv4 address of the next hop gateway
  • logical <interface> - Exit interface that leads to the next hop gateway

priority <route_priority_value> | on | off

Control the route -

  • priority <route_priority_value> - Set priority of the route - a value from 1 to 8
  • on - Turn on the route
  • off - Turn off the route

reject

Drop packets and send Unreachable messages to the sender

blackhole

Drop packets and do not send any notifications to the sender

Note - You can add multiple routes to the same table. To do that, run the set pbr table command again with the same <table_name>.

Example:

Create an Action Table named PBRtable1, with a route to the network 192.0.2.0/24 through the interface eth0 and a route to the network 192.0.3.0/24 through the next-hop gateway with the IP address 192.168.1.1.

set pbr table PBRtable1 static-route 192.0.2.0/24 nexthop gateway logical eth0 on

set pbr table PBRtable1 static-route 192.0.3.0/24 nexthop gateway address 192.168.1.1 on

To configure a Policy Rule:

Run this command:

set pbr rule priority <priority_value> {action {prohibit | table <PBR_Table> | unreachable} | match {from <source_IP/mask> | interface <interface> | port {<port_num> | off} | protocol {<num> | tcp | udp | icmp | off} | to <destination_IP/mask>} | off}

Parameter

Description

priority <priority_value>

Unique integer value between 1 and 5000. The gateway checks all Policy Rules, one at a time, in order of priority. The highest priority is 1.

action {prohibit | table <PBR_Table> | unreachable}

If the packet matches the specified criteria, apply the selected routing action:

  • prohibit - Drop the packet and send a Prohibit message to the sender
  • table <PBR_Table> - Forward the packet according to the specified Action Table - <PBR_Table>
  • unreachable - Drop the packet and send an Unreachable message to the sender

match {from <source_IP/mask> | interface <interface> | port {<port_num> | off} | protocol {<num> | tcp | udp | icmp | off} | to <destination_IP/mask>}

Configure the traffic matching criteria (a packet must satisfy all the criteria set on the rule):

  • from <source_IP/mask> - IPv4 address and subnet mask of the source
  • interface <interface> - Incoming interface
  • port {<port_num> | off} - Service port number, an integer between 1 and 65535
  • protocol {<num> | tcp | udp | icmp | off} - Protocol, an integer between 1 and 255, or one of the predefined protocols - tcp, udp, icmp
  • to <destination_IP/mask> - Destination IPv4 address and subnet mask

off

Delete the Policy Rule.

Example:

Create a Policy Rule with priority 100 that forwards all packets with the destination address 192.0.2.1/32 that arrive on the interface eth2 according to the PBR Table PBRtable1. The match criteria and the action are set in two separate commands against the same priority value.

set pbr rule priority 100 match to 192.0.2.1/32 interface eth2

set pbr rule priority 100 action table PBRtable1
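The two configuration steps above (Action Tables first, then Policy Rules, whether set in the Gaia Portal or in Gaia Clish) and the lookup order described at the start of the page, as an added example that is not part of the original page and not Check Point's code: a Python script that validates a PBR configuration against the ranges documented here, renders it as the Clish commands shown above, and models the rule lookup (priority order, first match wins, no match falls through to the routing table). The model is a simplification of the documented behaviour, not the Gaia routing daemon. The table and rule 100 are the page's own example; the second rule (priority 50, prohibit) and its addresses are constructed for this example. The script runs on any host with Python 3, not on the gateway.

```python
"""Added example, not Check Point code: validate a PBR configuration against the
ranges documented on this page, render it as Gaia Clish 'set pbr' commands, and
model the documented lookup (rules in priority order, first match wins, otherwise
the packet falls through to the static/dynamic routing table)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass
class Route:
    dest: Optional[str]       # "192.0.2.0/24", or None for the table's default route
    nexthop: str              # "address <ip>", "logical <iface>", "reject" or "blackhole"
    priority: Optional[int] = None   # route priority 1..8; None renders as "on"


@dataclass
class Rule:
    priority: int             # 1..5000, unique; 1 is checked first
    action: str               # "prohibit", "unreachable" or "table <name>"
    src: Optional[str] = None
    dst: Optional[str] = None
    interface: Optional[str] = None
    port: Optional[int] = None
    protocol: Optional[str] = None   # "tcp", "udp", "icmp" or a number 1..255 as a string


def proto_number(p: str) -> int:
    """Map a Clish protocol keyword or number to its IP protocol number."""
    n = int(p) if p.isdigit() else PROTO_NUM.get(p.lower())
    if n is None or not 1 <= n <= 255:
        raise ValueError(f"bad protocol {p!r}")
    return n


def validate(tables: dict, rules: list) -> None:
    """Reject values outside the documented ranges before they reach the gateway."""
    for name, routes in tables.items():
        for r in routes:
            if r.dest is not None:
                IPv4Network(r.dest)            # raises ValueError on a bad prefix
            if r.priority is not None and not 1 <= r.priority <= 8:
                raise ValueError(f"{name}: route priority {r.priority} not in 1..8")
    seen = set()
    for rule in rules:
        if not 1 <= rule.priority <= 5000 or rule.priority in seen:
            raise ValueError(f"rule priority {rule.priority} out of range or duplicate")
        seen.add(rule.priority)
        if rule.action.startswith("table "):
            if rule.action[6:] not in tables:
                raise ValueError(f"rule {rule.priority}: unknown table {rule.action[6:]}")
        elif rule.action not in ("prohibit", "unreachable"):
            raise ValueError(f"rule {rule.priority}: unknown action {rule.action}")
        if rule.port is not None and not 1 <= rule.port <= 65535:
            raise ValueError(f"rule {rule.priority}: port {rule.port} not in 1..65535")
        if rule.protocol is not None:
            proto_number(rule.protocol)
        for net in (rule.src, rule.dst):
            if net is not None:
                IPv4Network(net)


def render(tables: dict, rules: list) -> list:
    """Emit Clish commands, tables first so each rule action refers to an existing table."""
    validate(tables, rules)
    out = []
    for name, routes in tables.items():
        for r in routes:
            dest = "default" if r.dest is None else r.dest
            if r.nexthop in ("reject", "blackhole"):
                out.append(f"set pbr table {name} static-route {dest} nexthop {r.nexthop}")
            else:
                ctl = "on" if r.priority is None else f"priority {r.priority}"
                out.append(f"set pbr table {name} static-route {dest} nexthop gateway {r.nexthop} {ctl}")
    for rule in sorted(rules, key=lambda x: x.priority):
        head = f"set pbr rule priority {rule.priority}"
        crit = [f"{kw} {val}" for kw, val in (("from", rule.src), ("to", rule.dst),
                ("interface", rule.interface), ("port", rule.port),
                ("protocol", rule.protocol)) if val is not None]
        if crit:
            out.append(f"{head} match " + " ".join(crit))
        out.append(f"{head} action {rule.action}")
    return out


def lookup(rules: list, src: str, dst: str, interface: str,
           port: Optional[int] = None, protocol: Optional[int] = None) -> Optional[str]:
    """Action of the first rule all of whose criteria the packet satisfies, or None
    when no PBR rule matches and the packet falls through to the routing table."""
    for rule in sorted(rules, key=lambda x: x.priority):
        if rule.src and IPv4Address(src) not in IPv4Network(rule.src):
            continue
        if rule.dst and IPv4Address(dst) not in IPv4Network(rule.dst):
            continue
        if rule.interface and rule.interface != interface:
            continue
        if rule.port is not None and rule.port != port:
            continue
        if rule.protocol is not None and proto_number(rule.protocol) != protocol:
            continue
        return rule.action
    return None


# The page's own example table and rule 100, plus a constructed rule at a higher
# priority (lower number) that blocks one source range before rule 100 is reached.
TABLES = {"PBRtable1": [Route("192.0.2.0/24", "logical eth0"),
                        Route("192.0.3.0/24", "address 192.168.1.1")]}
RULES = [Rule(100, "table PBRtable1", dst="192.0.2.1/32", interface="eth2"),
         Rule(50, "prohibit", src="198.51.100.0/24", dst="192.0.2.0/24")]

if __name__ == "__main__":
    print("\n".join(render(TABLES, RULES)))
    print(lookup(RULES, "198.51.100.7", "192.0.2.1", "eth2"))  # prohibit (rule 50 wins)
    print(lookup(RULES, "203.0.113.7", "192.0.2.1", "eth2"))   # table PBRtable1
    print(lookup(RULES, "203.0.113.7", "192.0.2.1", "eth1"))   # None: routing table decides
```

The rendered order matters on a real gateway as much as in the script: a rule whose action names a table that does not exist yet is the most common way to end up with a rule that is present but does nothing, so emit and apply the Action Tables before the Policy Rules and confirm the result with show pbr rules and show pbr tables.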

Monitoring Policy Based Routing

To monitor Policy Based Routing - Gaia Portal

  1. Go to Advanced Routing > Policy Based Routing.
  2. Click the Monitoring tab.

To monitor Policy Based Routing - Gaia Clish

Run these commands:

show pbr tables

show pbr rules

show pbr summary