In addition to dynamic and static routing, you can use Policy Based Routing (PBR) to control traffic. PBR Policy Rules have priority over static and dynamic routes in the routing table. When a packet arrives at a Gaia Security Gateway, the gateway goes through the PBR Rules in the order of their set priority, and looks for a match. If the match exists, the gateway forwards the packet according to the rule. If there is no match in the PBR Policy, the gateway forwards the packet according to static or dynamic routes in the routing table.
To configure Policy Based Routing:
You can configure Policy Based Routing in Check Point Gaia Portal or in CLI.
To add static routes in an Action Table:
The Add Policy Table with Static Route window opens.
Note - Table ID is assigned by the system.
Note - If selected, the Destination address and Subnet mask fields do not show.
Note - You can configure several next hops.
To delete an Action Table:
To add a Policy Rule:
To delete a Policy Rule:
To create an Action Table:
Run this command:
set pbr table <table_name> static-route {default | <destination_ip/mask>} nexthop {{gateway {address <nexthop_ip> | logical <interface>} {priority <route_priority_value> | on | off}} | reject | blackhole}
Parameter | Description
---|---
table_name | Name of the PBR Policy Table.
static-route {default \| <destination_ip/mask>} | Route to the default route, or to the specified destination network <destination_ip/mask>.
nexthop gateway {address <nexthop_ip> \| logical <interface>} | Next hop: the IP address of the next-hop gateway, or the logical interface the packet leaves through.
priority <route_priority_value> \| on \| off | Control the route: set its priority, turn it on, or turn it off.
reject | Drop packets and send Unreachable messages to the sender.
blackhole | Drop packets and do not send any notifications to the sender.
Note - You can add multiple routes to the same table. To do that, run the set pbr table command with the same table_name.
Example:
Create an Action Table named PBRtable1, with a route to the network 192.0.2.0/24 out of the interface Ethernet 0 and a route to the network 192.0.3.0/24 through the next-hop gateway with the IP address 192.168.1.1.
set pbr table PBRtable1 static-route 192.0.2.0/24 nexthop gateway logical eth0 on
set pbr table PBRtable1 static-route 192.0.3.0/24 nexthop gateway address 192.168.1.1 on
To configure a Policy Rule:
Run this command:
set pbr rule priority <priority_value> {action {prohibit | table <PBR_Table> | unreachable} | match {from <source_IP/mask> | interface <interface> | port {<port_num> | off} | protocol {<num> | tcp | udp | icmp | off} | to <destination_IP/mask>} | off}
Parameter | Description
---|---
priority <priority_value> | Unique integer value between 1 and 5000. The gateway checks all Policy Rules, one at a time, in order of priority. The highest priority is 1.
action {prohibit \| table <PBR_Table> \| unreachable} | If the packet matches the specified parameters, select a routing action: prohibit, forward according to the PBR Table <PBR_Table>, or unreachable.
match {from <source_IP/mask> \| interface <interface> \| port {<port_num> \| off} \| protocol {<num> \| tcp \| udp \| icmp \| off} \| to <destination_IP/mask>} | Configure the traffic matching criteria: source address, ingress interface, port, protocol, or destination address.
off | Delete the Policy Rule.
Example:
Create a Policy Rule that forwards all packets with the destination address 192.0.2.1/32 that arrive on the interface Ethernet 2 according to the PBR Table PBRtable1, and assign to it the priority of 100.
set pbr rule priority 100 match to 192.0.2.1/32 interface eth2
set pbr rule priority 100 action table PBRtable1
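The lookup order described above (Policy Rules checked by priority with 1 first, the first match deciding, and a packet no rule matches falling back to the routing table) is easy to get wrong when several rules and tables overlap. The following added example, which is not Gaia code or part of the original page, parses the set pbr table and set pbr rule commands from the two examples above into a small model and resolves sample packets against it, so a policy can be reasoned about before it is applied. The prohibit rule at priority 50, the source range 203.0.113.0/24, the packet addresses and the default route via 10.0.0.1 are constructed for the example; the assumption that a matched Action Table with no covering route falls through to the ordinary routing table is the example's own and is marked in the code.

```python
"""Toy model of Gaia Policy Based Routing lookups (added example, not Gaia code).

Parses `set pbr table ...` / `set pbr rule ...` commands in the syntax shown on
the page, then resolves a packet the way the page describes: rules in priority
order (1 = highest), first match decides, otherwise the routing table is used.
"""
import ipaddress
import shlex
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    nexthop: str  # "address <ip>", "logical <if>", "reject" or "blackhole"


@dataclass
class Rule:
    priority: int
    match: dict = field(default_factory=dict)  # from/to/interface/port/protocol
    action: tuple = ()  # ("table", name), ("prohibit",) or ("unreachable",)


def longest_prefix(routes, dst):
    """Classic longest-prefix match over a list of Route objects."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None


class PbrPolicy:
    def __init__(self):
        self.tables = {}  # Action Table name -> [Route, ...]
        self.rules = {}   # priority -> Rule

    def apply(self, line):
        """Apply one clish command (in the page's syntax) to the model."""
        tok = shlex.split(line)
        if tok[:3] == ["set", "pbr", "table"]:
            if len(tok) < 8 or tok[4] != "static-route" or tok[6] != "nexthop":
                raise ValueError(f"malformed table command: {line}")
            name = tok[3]
            dest = "0.0.0.0/0" if tok[5] == "default" else tok[5]
            if tok[7] in ("reject", "blackhole"):
                nexthop = tok[7]
            elif tok[7] == "gateway" and len(tok) >= 10 and tok[8] in ("address", "logical"):
                nexthop = f"{tok[8]} {tok[9]}"  # trailing on/off/priority not modelled
            else:
                raise ValueError(f"malformed nexthop: {line}")
            self.tables.setdefault(name, []).append(Route(ipaddress.ip_network(dest), nexthop))
        elif tok[:4] == ["set", "pbr", "rule", "priority"] and len(tok) >= 6:
            prio = int(tok[4])
            if not 1 <= prio <= 5000:
                raise ValueError("priority must be between 1 and 5000")
            if tok[5] == "off":
                self.rules.pop(prio, None)  # delete the Policy Rule
                return
            rule = self.rules.setdefault(prio, Rule(prio))
            if tok[5] == "action":
                rule.action = ("table", tok[7]) if tok[6] == "table" else (tok[6],)
            elif tok[5] == "match":
                rule.match.update(zip(tok[6::2], tok[7::2]))  # keyword/value pairs
            else:
                raise ValueError(f"malformed rule command: {line}")
        else:
            raise ValueError(f"unsupported command: {line}")

    @staticmethod
    def matches(rule, pkt):
        """True if every configured criterion of the rule fits the packet."""
        for key, want in rule.match.items():
            if key in ("from", "to"):
                addr = pkt["src"] if key == "from" else pkt["dst"]
                if ipaddress.ip_address(addr) not in ipaddress.ip_network(want):
                    return False
            elif key == "interface" and pkt.get("iface") != want:
                return False
            elif key in ("port", "protocol") and want != "off" and str(pkt.get(key)) != want:
                return False
        return True

    def route(self, pkt, routing_table):
        """Return (next hop or verdict, priority of the deciding rule or None)."""
        for prio in sorted(self.rules):  # priority 1 is checked first
            rule = self.rules[prio]
            if not rule.action or not self.matches(rule, pkt):
                continue
            if rule.action[0] != "table":
                return rule.action[0], prio  # prohibit / unreachable verdict
            best = longest_prefix(self.tables.get(rule.action[1], []), pkt["dst"])
            if best:
                return best.nexthop, prio
            # Assumption of this example: a matched table with no covering
            # route falls through to the ordinary routing table.
        best = longest_prefix(routing_table, pkt["dst"])
        return (best.nexthop if best else "no route"), None


def build_example():
    """The page's two examples plus one constructed prohibit rule at priority 50."""
    policy = PbrPolicy()
    for cmd in (
        "set pbr table PBRtable1 static-route 192.0.2.0/24 nexthop gateway logical eth0 on",
        "set pbr table PBRtable1 static-route 192.0.3.0/24 nexthop gateway address 192.168.1.1 on",
        "set pbr rule priority 100 match to 192.0.2.1/32 interface eth2",
        "set pbr rule priority 100 action table PBRtable1",
        "set pbr rule priority 50 match from 203.0.113.0/24",  # constructed
        "set pbr rule priority 50 action prohibit",             # constructed
    ):
        policy.apply(cmd)
    # constructed ordinary routing table: a single default route
    main_table = [Route(ipaddress.ip_network("0.0.0.0/0"), "address 10.0.0.1")]
    return policy, main_table


if __name__ == "__main__":
    policy, main_table = build_example()
    pkt = {"src": "198.51.100.9", "dst": "192.0.2.1", "iface": "eth2"}
    print(policy.route(pkt, main_table))  # ('logical eth0', 100)
```

Running it shows the three outcomes the page's text implies: a packet to 192.0.2.1 arriving on eth2 leaves via eth0 through PBRtable1, the same packet arriving on eth1 does not match rule 100 and follows the default route, and a packet from the constructed 203.0.113.0/24 range is stopped by the lower-numbered (higher-priority) prohibit rule before rule 100 is ever consulted; deleting that rule with priority 50 off restores the table lookup.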
To monitor Policy Based Routing - Gaia Portal
To monitor Policy Based Routing - Gaia Clish
Run these commands:
show pbr tables
show pbr rules
show pbr summary