
Policy Based Routing

In This Section:

Configuring Policy Based Routing - Gaia Portal

Configuring Policy Based Routing - Gaia Clish

Monitoring Policy Based Routing

In addition to dynamic and static routing, you can use Policy Based Routing (PBR) to control traffic. PBR Policy Rules have priority over static and dynamic routes in the routing table. When a packet arrives at a Gaia Security Gateway, the gateway goes through the PBR Rules in the order of their set priority, and looks for a match. If the match exists, the gateway forwards the packet according to the rule. If there is no match in the PBR Policy, the gateway forwards the packet according to static or dynamic routes in the routing table.

To configure Policy Based Routing:

  1. Create Action Tables - Sets of static routes to destination networks.
  2. Configure Policy Rules - For each set of matching criteria, define the priority and the routing action.

You can configure Policy Based Routing in Check Point Gaia Portal or in CLI.
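To make the lookup order concrete, the following Python model (an added example, not Check Point code) walks a packet through a PBR policy: rules are tried in ascending priority value, the first match decides, a Table action resolves the destination by longest-prefix match inside that Action Table, and a packet that no rule matches falls back to the main routing table. The Action Table PBRtable1 and the priority-100 rule are the ones used in the Clish examples later on this page; rule 50, rule 200, the main-table default route and the sample packets are constructed for the demonstration, and the handling of a matched rule whose Action Table holds no route for the destination is an assumption of the model, not something the page states.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

TCP = 6   # IANA protocol number used by the constructed sample rules

@dataclass
class StaticRoute:
    dest: IPv4Network               # ip_network("0.0.0.0/0") stands for "default"
    nexthop_type: str               # "normal" | "reject" | "blackhole"
    gateway: Optional[str] = None   # "address 192.168.1.1" or "logical eth0"

@dataclass
class Rule:
    priority: int                   # 1 = highest; rules are tried in ascending order
    action: str                     # "table" | "prohibit" | "unreachable"
    table: Optional[str] = None
    interface: Optional[str] = None
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    port: Optional[int] = None
    protocol: Optional[int] = None

@dataclass
class Packet:
    interface: str
    src: IPv4Address
    dst: IPv4Address
    protocol: int
    port: int

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every criterion the rule sets must match; unset criteria match anything."""
    return all([
        rule.interface is None or rule.interface == pkt.interface,
        rule.src is None or pkt.src in rule.src,
        rule.dst is None or pkt.dst in rule.dst,
        rule.port is None or rule.port == pkt.port,
        rule.protocol is None or rule.protocol == pkt.protocol,
    ])

def lookup(routes, dst: IPv4Address) -> Optional[StaticRoute]:
    """Longest-prefix match in one table (an Action Table or the main routing table)."""
    hits = [r for r in routes if dst in r.dest]
    return max(hits, key=lambda r: r.dest.prefixlen) if hits else None

def describe(route: StaticRoute, origin: str) -> str:
    if route.nexthop_type == "normal":
        return f"forward via {route.gateway} ({origin})"
    return f"drop: {route.nexthop_type} route ({origin})"

def route_packet(pkt: Packet, rules, tables, main_table) -> str:
    """PBR lookup: first matching rule in priority order, else the main routing table."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule_matches(rule, pkt):
            continue
        if rule.action in ("prohibit", "unreachable"):
            return f"drop: ICMP {rule.action} (rule {rule.priority})"
        route = lookup(tables[rule.table], pkt.dst)
        if route is not None:
            return describe(route, f"rule {rule.priority}, table {rule.table}")
        # Assumption of this model (not stated on the page): a matched rule whose
        # Action Table has no route for the destination does not end the lookup.
    route = lookup(main_table, pkt.dst)
    return describe(route, "main routing table") if route else "drop: no route"

# Constructed sample configuration. PBRtable1 and the priority-100 rule mirror the
# Clish examples on this page; rule 50, rule 200 and the main table are invented.
TABLES = {
    "PBRtable1": [
        StaticRoute(ip_network("192.0.2.0/24"), "normal", "logical eth0"),
        StaticRoute(ip_network("192.0.3.0/24"), "normal", "address 192.168.1.1"),
    ],
}
RULES = [
    Rule(100, "table", table="PBRtable1", interface="eth2", dst=ip_network("192.0.2.1/32")),
    Rule(50, "prohibit", src=ip_network("10.0.0.0/8"), port=23, protocol=TCP),
    Rule(200, "table", table="PBRtable1", dst=ip_network("192.0.3.0/24")),
]
MAIN_TABLE = [StaticRoute(ip_network("0.0.0.0/0"), "normal", "address 203.0.113.1")]

def pkt(iface: str, src: str, dst: str, proto: int = TCP, port: int = 443) -> Packet:
    return Packet(iface, ip_address(src), ip_address(dst), proto, port)

def demo() -> dict:
    """Four packets that exercise rule order, interface matching and the fallback."""
    cases = {
        "pbr_wins": pkt("eth2", "10.1.1.1", "192.0.2.1"),               # rule 100 -> eth0
        "wrong_iface": pkt("eth1", "10.1.1.1", "192.0.2.1"),            # no rule -> main table
        "telnet_blocked": pkt("eth2", "10.1.1.1", "192.0.2.1", TCP, 23),  # rule 50 comes first
        "rule_200": pkt("eth1", "172.16.0.5", "192.0.3.7"),             # rule 200 -> 192.168.1.1
    }
    return {name: route_packet(p, RULES, TABLES, MAIN_TABLE) for name, p in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

The "pbr_wins" and "wrong_iface" packets have the same source and destination; only the ingress interface differs, and that alone decides whether the PBR table or the main routing table forwards the packet. That is the property to keep in mind when a PBR rule is used as a security control: a rule that matches on interface does nothing for the same traffic arriving elsewhere.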

Configuring Policy Based Routing - Gaia Portal

To add static routes in an Action Table:

  1. In the Gaia Portal, go to Advanced Routing > Policy Based Routing.
  2. In the Action Tables section, click Add.

    The Add Policy Table with Static Route window opens.

  3. Define the route parameters:
    • Table Name - Name of the Policy Table

      Note - Table ID is assigned by the system.

    • Default Route (optional) - Make this the default route

      Note - If selected, the Destination address and Subnet mask fields do not show.

    • Destination - Destination IPv4 address
    • Subnet mask - Destination IPv4 subnet mask
    • Next Hop Type -
      • Normal - Accept and forward packets
      • Reject - Drop packets and send Unreachable message to the sender
      • Black Hole - Drop packets without a notification to the sender
  4. Configure the next hop (if Normal is selected for the Next Hop Type) - click Add Gateway and select one of these:
    • IP Address -
      • Enter the Gateway Address
      • Select a Priority
      • Add Monitored IP addresses
    • Network Interfaces -
      • Select the Gateway Interface
      • Select a Priority
      • Add Monitored IP addresses

    Notes:

    • You can configure several next hops.
    • Multihop ping for PBR uses ICMP Echo Requests to monitor the reachability of an IP address that is several hops away, and sets the status of the associated PBR next hop according to the result: the next hop status becomes "down" when the monitored IP address is unreachable.
  5. Click Save.

To delete an Action Table:

  1. In the Action Tables section of the Policy Based Routing page, select a static route table.
  2. Click Delete.

To add a Policy Rule:

  1. In the Policy Rules section of the Policy Based Routing page, click Add.

    The Add Policy Rule window opens.

  2. Set the Priority of the rule - an integer between 1 and 32765.
  3. Set the routing Action for the traffic that matches the specified criteria -
    • Prohibit - Drop the packet and send a Prohibit message to the sender
    • Unreachable - Drop the packet and send an Unreachable message to the sender
    • Table - Forward the packet according to the routes in the selected Action Table
  4. Configure one or more of the Match criteria -
    • Interface - Interface on which the traffic arrived at the gateway
    • Source - IPv4 address of the source
    • Subnet mask - Subnet mask of the source address
    • Destination - IPv4 address of the destination
    • Subnet mask - Subnet mask of the destination address
    • Service Port - Enter a port number between 1 and 65535, or select a predefined port from the drop-down menu
    • Protocol - Enter a protocol number between 1 and 255, or select a predefined protocol from the drop-down menu
  5. Click Save.

To Delete a Policy Rule:

  1. In the Policy Rules section of the Policy Based Routing page, select a rule.
  2. Click Delete.

Action Table Parameters

  • Table Name - The name of the table.
  • Table ID - A numerical ID for the table, assigned by the system.
  • Default route - Makes this route the default route (0.0.0.0/0) of the Action Table; the Destination and Subnet mask fields do not apply.
  • Destination - The destination network of the route.
  • Subnet mask - Subnet mask for the destination of the route.
  • Next Hop Type - Choose one of:
    • Normal: Accept and forward packets.
    • Reject: Drop packets and send Unreachable messages to the sender.
    • Black Hole: Drop packets without sending any message to the sender.
  • Gateway IP address - Next hop gateway IPv4 address.
  • Gateway Interface - Security Gateway interface that leads to the next hop gateway.
  • Gateway Priority - The preference of this next hop. Range: 1-8.

Policy Rule Parameters

  • Priority - You can define many Policy Rules. The gateway checks the rules one at a time, in the order of their configured priority, and applies the first rule that matches the traffic.
  • Action - The action to take when the traffic matches the rule:
    • Prohibit - Drop the packet and send a Prohibit message to the sending host.
    • Unreachable - Drop the packet and send an Unreachable message to the sending host.
    • Table - Forward the packet according to the routes in the selected Action Table.
  • Match - The criteria the traffic must satisfy:
    • Interface - Interface through which the packets enter the Security Gateway from the source host.
    • Source, Subnet mask - Source IPv4 address and subnet mask.
    • Destination, Subnet mask - Destination IPv4 address and subnet mask.

Configuring Policy Based Routing - Gaia Clish

To create an Action Table:

Run this command:

set pbr table <table_name> static-route {default | <destination_ip/mask>} nexthop
    gateway
        address <nexthop_ip>
            {on | off}
            monitored-ip <monitored_ip> {on | off}
            monitored-ip-option {fail-all | fail-any | force-if-symmetry {on | off}}
            priority <route_priority_value>
        logical <interface_name>
            {on | off}
            priority <route_priority_value>
    reject
    blackhole

Parameters:

  • table <table_name> - Name of the PBR Policy Table.
  • static-route {default | <destination_ip/mask>} - Route to:
    • default - Default route (0.0.0.0/0)
    • <destination_ip/mask> - Destination IPv4 address and mask
  • gateway {address <nexthop_ip> | logical <interface_name>} - Type of the next hop:
    • address <nexthop_ip> - IPv4 address of the next hop gateway
    • logical <interface_name> - Egress interface that leads to the next hop gateway
  • monitored-ip <monitored_ip> {on | off} - Remote IPv4 address to monitor for this next hop gateway. The monitored addresses are probed by IP reachability detection, and the next hop is marked usable or unusable according to the reachability reported for them.
  • monitored-ip-option {fail-all | fail-any | force-if-symmetry {on | off}} - Failure condition for the monitored IP addresses of this next hop:
    • fail-all - The next hop fails when all monitored IP addresses are unreachable, and is restored as soon as one of them becomes reachable again. Default: off
    • fail-any - The next hop fails as soon as one monitored IP address is unreachable, and is restored only when all of them are reachable again. Default: on
    • force-if-symmetry {on | off} - Ignore reachability reports for monitored IP addresses whose traffic is asymmetric. Default: off
  • priority <route_priority_value> - Priority of this next hop, a value from 1 to 8
  • reject - Drop packets and send Unreachable messages to the sender
  • blackhole - Drop packets and send no notification to the sender
  • {on | off} - Turn the setting on or off

Note - You can add multiple routes to the same table. To do that, run the set pbr table command again with the same <table_name>.

Example:

Create an Action Table named PBRtable1, with a route to the network 192.0.2.0/24 out of the interface Ethernet 0 and a route to the network 192.0.3.0/24 through the next-hop gateway with the IP address 192.168.1.1.

set pbr table PBRtable1 static-route 192.0.2.0/24 nexthop gateway logical eth0 on

set pbr table PBRtable1 static-route 192.0.3.0/24 nexthop gateway address 192.168.1.1 on
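The fail-all and fail-any flavours of monitored-ip-option are easiest to compare in code. The following Python model is an added example, not Check Point code: it derives the status of each next hop of one route from the set of monitored IP addresses currently reported reachable, applies the flavour as described above, and picks the usable next hop with the best priority. The next hops, priorities and monitored addresses are constructed; force-if-symmetry is not modelled; and treating the lowest priority value as the most preferred next hop is this model's assumption, since the page only gives the range 1-8.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence

@dataclass(frozen=True)
class NextHop:
    gateway: str                 # "address 192.168.1.1" or "logical eth0"
    priority: int                # 1-8; this model treats 1 as the most preferred
    monitored: tuple = ()        # monitored IPv4 addresses; empty = always usable
    option: str = "fail-any"     # "fail-any" (the page's default) or "fail-all"

def nexthop_is_up(hop: NextHop, reachable: Iterable[str]) -> bool:
    """Status of one next hop derived from the current reachability reports."""
    if not hop.monitored:
        return True
    reachable = set(reachable)
    reports = [ip in reachable for ip in hop.monitored]
    if hop.option == "fail-all":
        # down only when every monitored address is unreachable;
        # back up as soon as one of them is reachable again
        return any(reports)
    if hop.option == "fail-any":
        # down as soon as one monitored address is unreachable;
        # back up only when all of them are reachable again
        return all(reports)
    raise ValueError(f"unknown monitored-ip-option: {hop.option!r}")

def select_nexthop(hops: Sequence[NextHop], reachable: Iterable[str]) -> Optional[str]:
    """Gateway of the usable next hop with the lowest priority value; None if all are down."""
    live = [h for h in hops if nexthop_is_up(h, reachable)]
    return min(live, key=lambda h: h.priority).gateway if live else None

# Constructed sample: a primary next hop that monitors two addresses beyond it and a
# backup that monitors one. Documentation address ranges only; no real targets.
PRIMARY = NextHop("address 192.168.1.1", priority=1,
                  monitored=("198.51.100.1", "198.51.100.2"))
BACKUP = NextHop("address 192.168.2.1", priority=2, monitored=("198.51.100.3",))

def failover_trace(primary_option: str = "fail-any") -> list:
    """Next hop chosen as monitored addresses drop out, for the given primary flavour."""
    primary = NextHop(PRIMARY.gateway, PRIMARY.priority, PRIMARY.monitored, primary_option)
    hops = (primary, BACKUP)
    stages = [
        ("all reachable", {"198.51.100.1", "198.51.100.2", "198.51.100.3"}),
        ("one primary target lost", {"198.51.100.1", "198.51.100.3"}),
        ("both primary targets lost", {"198.51.100.3"}),
        ("everything lost", set()),
    ]
    return [(label, select_nexthop(hops, up)) for label, up in stages]

if __name__ == "__main__":
    for option in ("fail-any", "fail-all"):
        print(option)
        for label, choice in failover_trace(option):
            print(f"  {label:28} -> {choice}")
```

With fail-any (the default) the primary next hop is abandoned as soon as a single monitored address stops answering, which is the conservative choice when the monitored addresses are all behind the same link; fail-all keeps the primary in service until every monitored address is gone, which suits independent targets where one of them going quiet says little about the path. In both flavours the trace ends with no usable next hop once the backup's own target is lost.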

To configure a Policy Rule:

Run this command:

set pbr rule priority <priority_value>
    action {prohibit | table <PBR_Table> | unreachable}
    match
        from <source_IP/mask>
        interface <interface_name>
        port {<port_number> | off}
        protocol {<protocol_number> | tcp | udp | icmp | off}
        to <destination_IP/mask>
    off

Parameters:

  • priority <priority_value> - Unique integer between 1 and 5000. The gateway checks the Policy Rules one at a time, in order of priority; 1 is the highest priority.
  • action {prohibit | table <PBR_Table> | unreachable} - Routing action for packets that match the rule:
    • prohibit - Drop the packet and send a Prohibit message to the sender
    • table <PBR_Table> - Forward the packet according to the specified Action Table
    • unreachable - Drop the packet and send an Unreachable message to the sender
  • match {from <source_IP/mask> | interface <interface_name> | port {<port_number> | off} | protocol {<protocol_number> | tcp | udp | icmp | off} | to <destination_IP/mask>} - Traffic matching criteria:
    • from <source_IP/mask> - Source IPv4 address and subnet mask
    • interface <interface_name> - Incoming interface
    • port {<port_number> | off} - Service port number, an integer between 1 and 65535
    • protocol {<protocol_number> | tcp | udp | icmp | off} - Protocol, an integer between 1 and 255, or one of the predefined protocols tcp, udp and icmp
    • to <destination_IP/mask> - Destination IPv4 address and subnet mask
  • off - Delete the Policy Rule

Example:

Create a Policy Rule that forwards all packets with the destination address 192.0.2.1/32 that arrive on the interface Ethernet 2 according to the PBR Table PBRtable1, and assign to it the priority of 100.

set pbr rule priority 100 match to 192.0.2.1/32 interface eth2

set pbr rule priority 100 action table PBRtable1
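Hand-typed Clish lines are easy to get subtly wrong: a mask in the wrong form, a port outside its range, or a monitored IP attached to a logical-interface next hop, which the syntax above does not provide for. The following Python helper is an added example, not a Check Point tool: it builds the set pbr table and set pbr rule lines documented in this section from validated arguments, one line per setting, and reproduces the two worked examples above. The function and argument names are this example's own; the rule-priority bound it enforces (1 to 5000) is the one given for the Clish command on this page.

```python
import ipaddress
from typing import List, Optional, Sequence

PREDEFINED_PROTOCOLS = ("tcp", "udp", "icmp")
MONITORED_IP_OPTIONS = ("fail-all", "fail-any", "force-if-symmetry on", "force-if-symmetry off")

def _prefix(value: str) -> str:
    """Validate an IPv4 <ip/mask> argument; PBR routes and matches are IPv4 only."""
    net = ipaddress.ip_network(value, strict=False)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{value}: IPv4 prefix required")
    return str(net)

def pbr_route_commands(table: str, dest: str, *, address: Optional[str] = None,
                       logical: Optional[str] = None, priority: Optional[int] = None,
                       monitored_ips: Sequence[str] = (),
                       monitored_ip_option: Optional[str] = None,
                       nexthop_type: str = "normal") -> List[str]:
    """'set pbr table' lines for one static route; dest is 'default' or <ip/mask>."""
    target = "default" if dest == "default" else _prefix(dest)
    base = f"set pbr table {table} static-route {target} nexthop"
    if nexthop_type in ("reject", "blackhole"):
        return [f"{base} {nexthop_type}"]
    if nexthop_type != "normal":
        raise ValueError(f"unknown next hop type {nexthop_type!r}")
    if (address is None) == (logical is None):
        raise ValueError("a normal next hop needs exactly one of address= or logical=")
    if address is not None:
        ipaddress.IPv4Address(address)          # raises on a malformed gateway address
        gw = f"{base} gateway address {address}"
    else:
        if monitored_ips or monitored_ip_option:
            raise ValueError("monitored IPs apply only to 'gateway address' next hops")
        gw = f"{base} gateway logical {logical}"
    lines = [f"{gw} on"]
    if priority is not None:
        if not 1 <= priority <= 8:
            raise ValueError("next hop priority must be 1-8")
        lines.append(f"{gw} priority {priority}")
    for ip in monitored_ips:
        ipaddress.IPv4Address(ip)
        lines.append(f"{gw} monitored-ip {ip} on")
    if monitored_ip_option is not None:
        if monitored_ip_option not in MONITORED_IP_OPTIONS:
            raise ValueError(f"unknown monitored-ip-option {monitored_ip_option!r}")
        lines.append(f"{gw} monitored-ip-option {monitored_ip_option}")
    return lines

def pbr_rule_commands(priority: int, action: str, *, table: Optional[str] = None,
                      src: Optional[str] = None, dst: Optional[str] = None,
                      interface: Optional[str] = None, port: Optional[int] = None,
                      protocol=None) -> List[str]:
    """'set pbr rule' lines: one 'match' line with all criteria, then the 'action' line."""
    if not 1 <= priority <= 5000:      # range given for the Clish command on this page
        raise ValueError("rule priority must be 1-5000")
    base = f"set pbr rule priority {priority}"
    criteria = []
    if src is not None:
        criteria.append(f"from {_prefix(src)}")
    if dst is not None:
        criteria.append(f"to {_prefix(dst)}")
    if interface is not None:
        criteria.append(f"interface {interface}")
    if port is not None:
        if not 1 <= port <= 65535:
            raise ValueError("port must be 1-65535")
        criteria.append(f"port {port}")
    if protocol is not None:
        valid = (1 <= protocol <= 255) if isinstance(protocol, int) else protocol in PREDEFINED_PROTOCOLS
        if not valid:
            raise ValueError(f"protocol must be 1-255 or one of {PREDEFINED_PROTOCOLS}")
        criteria.append(f"protocol {protocol}")
    if not criteria:
        raise ValueError("a Policy Rule needs at least one match criterion")
    if action == "table":
        if not table:
            raise ValueError("action 'table' needs the Action Table name")
        action_arg = f"table {table}"
    elif action in ("prohibit", "unreachable"):
        action_arg = action
    else:
        raise ValueError(f"unknown action {action!r}")
    return [f"{base} match {' '.join(criteria)}", f"{base} action {action_arg}"]

def page_examples() -> List[str]:
    """The Action Table and the Policy Rule from the two examples in this section."""
    return (pbr_route_commands("PBRtable1", "192.0.2.0/24", logical="eth0")
            + pbr_route_commands("PBRtable1", "192.0.3.0/24", address="192.168.1.1")
            + pbr_rule_commands(100, "table", table="PBRtable1",
                                dst="192.0.2.1/32", interface="eth2"))
```

From the Gaia expert shell the returned lines can be run one at a time with clish -c, or pasted into a Clish session, followed by save config so the configuration persists. Validating before sending matters because a rule that is rejected halfway through leaves a priority with a match and no action, or vice versa.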

Monitoring Policy Based Routing

To monitor Policy Based Routing - Gaia Portal

  1. Go to Advanced Routing > Policy Based Routing.
  2. Click the Monitoring tab.

To monitor Policy Based Routing - Gaia Clish

Run these commands:

show pbr tables

show pbr rules

show pbr summary