Configuring Policy Based Routing in Gaia Clish

Important - In a ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

Important - In VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts., to configure Policy Based Routing on a Virtual System or a Virtual Router, first you must change the context to that Virtual Device with the "set virtual-system <VSID>" command.

To configure Policy Based Routing (PBR):

  1. Configure Action Tables - to configure static routes to destination networks.

  2. Configure Policy Rules - to configure the priority and the routing action for each set of matching criteria.

Syntax

set pbr table <Name of Table>

      off

      static-route {default | <Destination IPv4 Address/Mask>}

            nexthop

                  blackhole

                  gateway address <IPv4 Address>

                        monitored-ip <IPv4 Address> {off | on}

                        monitored-ip-option fail-all

                        monitored-ip-option fail-any

                        monitored-ip-option force-if-symmetry {off | on}

                        {off | on}

                        priority <1-8>

                  gateway logical <Name of Interface>

                        {off | on}

                        priority <1-8>

                  reject

            off

            ping {off | on}

Parameters

Parameter

Description

table <Name of Table>

Configures the name of the Policy Based Routing (PBR) Table.

From 1 to 64 alphanumeric characters.

The first character must be a letter.

table <Name of Table> off

Deletes the Policy Based Routing (PBR) table.

static-route {default | <Destination IPv4 Address/Mask>}

Configures a static route for the PBR table.

A PBR Policy Table contains a list of static routes and the next hop(s) for each route.

Multiple tables can be created, where each contains different static routes and next hops.

A PBR policy table can be associated with a PBR ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session., so that network packets, which match the rule are routed per the static routes in the given table.

Note - When overlapping static routes exist (e.g. 192.168.0.0/16 and 192.168.1.0/24) in a PBR table, the most specific static route, which matches the destination is used to route traffic.

  • To make this route the default route, enter:

    ... static-route default

  • To make this a specific route, enter:

    ... static-route <Destination IPv4 Address/Mask>

static-route {...} off

Deletes this Policy Based Routing (PBR) static route from a PBR table.

static-route {...} ping {off | on}

Disables (off) or enables (on) the Ping monitoring of the specified IPv4 static route.

The Ping feature sends ICMP Echo Requests to verify that the next hop for a PBR static route is working.

Only next hop gateways, which are verified as reachable are included in the kernel forwarding table.

When this option is enabled, a route is added to the kernel forwarding table only after at least one next hop gateway is reachable.

For additional information, see IP Reachability Detection.

Range: off, or on

Default: off

nexthop blackhole

Configures the next hop for a static route to be a blackhole route.

A blackhole route drops packets without a notification to the sender.

nexthop reject

Configures the next hop for a static route to be a reject route.

A reject route drops packets and sends an ICMP Unreachable message to the sender.

nexthop gateway address <IPv4 Address>

Configures the IPv4 address of the next hop gateway.

monitored-ip <IPv4 Address> {off | on}

Removes (off) or adds (on) the IPv4 address, whose reachability Gaia needs to monitor.

After the "monitored-ip", you must press the Space key and the Tab key to see the available configured IPv4 addresses.

For more information, see IP Reachability Detection.

monitored-ip-option fail-all

Fails the next hop gateway when all monitored IP addresses become unreachable.

Restores the next hop gateway when any of the monitored IP addresses becomes reachable.

monitored-ip-option fail-any

Fails the next hop gateway when any of the monitored IP addresses becomes unreachable.

Restores the next hop gateway when all monitored IP addresses become reachable.

monitored-ip-option force-if-symmetry {off | on}

Ignores (off) or accepts (on) IP reachability reports from IP addresses with asymmetric traffic.

ICMP Echo packets must be sent and received on the same interface to be valid remote monitoring beacon.

Range: off, or on

Default: off

gateway address <IPv4 Address> {off | on}

Deletes (off) or adds (on) the next hop address from a static route in a Policy Based Routing (PBR) table.

priority <1-8>

Configures the priority of this next hop gateway for this static route in a PBR table.

Range: 1-8

Default: 1

nexthop gateway logical <Name of Interface>

Configures the name of the interface to use as the next hop gateway.

nexthop gateway logical <Name of Interface> {off | on}

Deletes (off) or adds (on) the next hop interface from a static route in a Policy Based Routing (PBR) table.

Note - You can add multiple routes to the same table. To do that, run the set pbr table command with the same table_name.

Example

Create an Action Table named PBRtable1, with a route to the network 192.0.2.0/24 out of the interface Ethernet 0 and a route to the network 192.0.3.0/24 through the next hop gateway with the IP address 192.168.1.1.

set pbr table PBRtable1 static-route 192.0.2.0/24 nexthop gateway logical eth0 on

set pbr table PBRtable1 static-route 192.0.3.0/24 nexthop gateway address 192.168.1.1 on

Syntax

set pbr rule priority <1-4294967295>

      action

            main-table

            prohibit

            table <Name of Table>

            unreachable

      match

            [from {<IPv4 Address/Mask Length> | off}]

            [to {<IPv4 Address/Mask Length> | off}

            [interface {<Name of Interface> | off}

            [port {<1-65535> | off}]

            [protocol {1 | 6 | 17 | tcp | udp | icmp | off}]

      off

Parameters

Parameter

Description

priority <1-4294967295>

Configures the priority of this rule in a PBR table.

Priority controls the order in which the rules are evaluated for a given network packet.

Evaluation stops at the first matching rule and only the actions for that rule are performed.

Priority 1 is the highest and is evaluated before priority 2, and so on.

Priorities 32766 and 32767 are reserved for the main static routing table.

Rules with priorities greater than 32767 are routed after the main routing table.

Best Practice - Do not use a number greater than 5000.

Range: 1-4294967295

Default: None

action {main-table | prohibit | table <Name of Table> | unreachable}

Configures the action to be performed on network traffic, which matches a Policy Based Routing (PBR) rule.

Available actions:

  • main-table - Uses the static and dynamic routes in the main routing table.
  • prohibit - Generates an ICMP response with message "Communication is administratively prohibited".
  • table <Name of Table> - Uses the static routes in the specified PBR table.
  • unreachable - Generates an ICMP response with message "Network is unreachable".

Important:

  • You can configure only one of these actions for a PBR rule.

  • You must configure the match condition for a PBR rule before you configure the action.

match ...

Configures the traffic matching criteria:

  • from {<IPv4 Address/Mask Length> | off}

    Configures the IPv4 address and the subnet mask of the source.

    Value "off" causes the rule to match any IPv4 address.

  • to {<IPv4 Address/Mask Length> | off}

    Configures the IPv4 address and the subnet mask of the destination.

    Value "off" causes the rule to match any IPv4 address.

  • interface {<Name of Interface> | off}

    Configures the name of the incoming interface.

    Value "off" causes the rule to match any interface.

  • port {<1-65535> | off}

    Configures the destination port number.

    You can configure only one port number for a PBR rule.

    Value "off" causes the rule to match any port number.

    For more information, see IANA Service Name and Port Number Registry.

  • protocol {1 | 6 | 17 | tcp | udp | icmp | off}

    Configures the protocol.

    Value "off" causes the rule to match any protocol type.

    To configure a specific protocol other than the above, use Gaia PortalClosed Web interface for the Check Point Gaia operating system..

    For more information, see IANA Protocol Numbers.

off

Delete the Policy Rule.

Example

Create a Policy Rule that forwards all packets with the destination address 192.0.2.1/32 that arrive on the interface Ethernet 2 according to the PBR Table PBRtable1, and assign to it the priority of 100.

set pbr rule priority 100 match to 192.0.2.1/32 interface eth2

set pbr rule priority 100 action table PBRtable1

The PBR Route Lookup option controls whether PBR rules intentionally cause same packets to traverse the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. more than once.

Requirements

  1. At least one Policy Rule must exist.

  2. SecureXLClosed Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. must be enabled (this is the default).

Syntax

set pbrroute sim flag {0 | 1}

Parameters

Parameter

Description

0

Disables the PBR Route Lookup.

1

Enables the PBR Route Lookup.