Configuring Policy Based Routing in Gaia Portal
Important - In a Cluster
To configure Policy Based Routing (PBR):
- Configure Action Tables - to configure static routes to destination networks.
- Configure Policy Rules - to configure the priority and the routing action for each set of matching criteria.

- From the left navigation tree, click Advanced Routing > Policy Based Routing.
- In the Action Tables section, click Add.
- Configure the route parameters:
  - Table Name - Name of the Policy Table (from 1 to 64 alphanumeric characters; the first character must be a letter).
  - Table ID - Assigned by the system.
  - Default Route - Optional. Controls whether to make this the default route.
    Note - If you select this option, the Destination and Subnet mask fields do not show.
  - Destination - Destination IPv4 address
  - Subnet mask - Destination IPv4 subnet mask
  - Next Hop Type -
    - Normal - Accepts and forwards packets
    - Reject - Drops packets and sends an ICMP Unreachable message to the sender
    - Black Hole - Drops packets without a notification to the sender
- Configure the next hop gateway (for Next Hop Type "Normal").
  To configure an IP address as the next hop gateway:
  - Click Add Gateway and select IP Address.
  - In the Gateway Address field, enter the IPv4 address of the next hop gateway.
  - In the Priority field, enter the priority of this next hop gateway for this static route in a PBR table.
    Range: 1-8
    Default: 1
  - In the Monitored IPs section, select the IP addresses whose reachability Gaia needs to monitor.
    For more information, see IP Reachability Detection.
  - The Force Interface Symmetry option controls whether to ignore IP reachability reports from IP addresses with asymmetric traffic. ICMP Echo packets must be sent and received on the same interface to be a valid remote monitoring beacon.
    Range: Selected, or Cleared
    Default: Cleared
  - In the Monitored IP Fail Condition field, select the applicable condition.
    - Fail All
      Fails the next hop gateway when all monitored IP addresses become unreachable.
      Restores the next hop gateway when any of the monitored IP addresses becomes reachable.
    - Fail Any
      Fails the next hop gateway when any of the monitored IP addresses becomes unreachable.
      Restores the next hop gateway when all monitored IP addresses become reachable.
    Range: Fail All, or Fail Any
    Default: Fail Any
  - Click OK.
  To configure an interface as the next hop gateway:
  - Click Add Gateway and select Network Interfaces.
  - In the Gateway Interface field, select the applicable interface.
  - In the Priority field, enter the priority of this next hop gateway for this static route in a PBR table.
    Range: 1-8
    Default: 1
  - Click OK.
  Notes:
  - You can configure several next hop gateways.
  - Multihop ping for PBR uses ICMP Echo Request to monitor reachability of an IP address multiple hops away. Multihop ping for PBR updates the status of an associated PBR nexthop in accordance with the reachability status. The PBR nexthop status becomes "down" if that IP address is unreachable.
- Click Save.

- From the left navigation tree, click Advanced Routing > Policy Based Routing.
- In the Action Tables section, select the table.
- Click Delete.
  Note - There is no prompt to confirm.

- From the left navigation tree, click Advanced Routing > Policy Based Routing.
- In the Policy Rules section, click Add.
- In the Priority field, enter the priority of this rule in a PBR table.
  Description
  Priority controls the order in which the rules are evaluated for a given network packet.
  Evaluation stops at the first matching rule and only the actions for that rule are performed.
  Priority 1 is the highest and is evaluated before priority 2, and so on.
  Priorities 32766 and 32767 are reserved for the main static routing table.
  Rules with priorities greater than 32767 are routed after the main routing table.
  Best Practice - Do not use a number greater than 5000.
  Range: 1-4294967295
  Default: None
- In the Action section, select the action to apply to the traffic that matches the specified criteria:
  - Prohibit - Drop the packet and send a Prohibit message to the sender.
  - Unreachable - Drop the packet and send an Unreachable message to the sender.
  - Table - Forward the packet according to the routes in the selected Action Table with Static Route.
- In the Match section, configure the applicable criteria.
  - Interface - Select the interface on which the traffic arrived at the Security Gateway.
  - Source - Configure the IPv4 address of the source.
  - Subnet mask - Configure the IPv4 subnet mask of the source IPv4 address.
  - Destination - Configure the IPv4 address of the destination.
  - Subnet mask - Configure the IPv4 subnet mask of the destination IPv4 address.
  - Service Port - Configure the service port. You can enter a number between 1 and 65535, or select a predefined port from the drop-down menu. For more information, see IANA Service Name and Port Number Registry.
  - Protocol - Configure the protocol. You can enter a number between 1 and 255, or select a predefined protocol from the drop-down menu. For more information, see IANA Protocol Numbers.
- Click Save.
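
The rule priority and match semantics described above can be checked offline before rules are entered in Gaia Portal. The following Python model is an added example, not Check Point code: it flags priorities that collide with the limits stated above and shows which rule decides a given packet. The `Rule` class, `lint`, `decide`, the `main_has_route` flag, the "unset criterion matches any value" behaviour, and comparing Service Port with the packet's destination port are assumptions of this model; the contents of Action Tables are not modelled.

```python
import ipaddress
from dataclasses import dataclass

MAIN_TABLE = (32766, 32767)  # priorities reserved for the main static routing table
BEST_PRACTICE_MAX = 5000     # the page's best-practice ceiling for rule priorities

@dataclass
class Rule:
    priority: int
    action: str            # "prohibit", "unreachable" or "table:<name>"
    interface: str = ""    # empty / 0 means the criterion is not set (assumption)
    source: str = ""       # address and subnet mask written as CIDR
    destination: str = ""
    port: int = 0          # compared with the destination port (assumption)
    protocol: int = 0

    def matches(self, pkt):
        for net, key in ((self.source, "src"), (self.destination, "dst")):
            if net and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(net):
                return False
        return (self.interface in ("", pkt["interface"])
                and self.port in (0, pkt["port"])
                and self.protocol in (0, pkt["protocol"]))

def lint(rules):
    """Return (priority, finding) pairs for the priority limits stated above."""
    findings = []
    for r in rules:
        if r.priority in MAIN_TABLE:
            findings.append((r.priority, "reserved for main table"))
        elif r.priority > MAIN_TABLE[1]:
            findings.append((r.priority, "evaluated after main table"))
        elif r.priority > BEST_PRACTICE_MAX:
            findings.append((r.priority, "above best-practice limit"))
    return findings

def decide(rules, pkt, main_has_route=True):
    """First matching rule wins; the main table is consulted at 32766/32767."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.priority > MAIN_TABLE[1] and main_has_route:
            return "main"
        if r.priority not in MAIN_TABLE and r.matches(pkt):
            return r.action
    return "main" if main_has_route else "no-route"

# Constructed sample rules; table names, interfaces and addresses are illustrative.
RULES = [Rule(10, "table:isp_b", source="10.1.20.0/24", port=443, protocol=6),
         Rule(6000, "table:backup", interface="eth2", source="10.1.0.0/16"),
         Rule(40000, "prohibit", destination="198.51.100.0/24")]
```

With the sample set, the rule at priority 40000 only ever decides a packet when the main routing table has no route for it, which is why a drop rule placed above 32767 does not act as a filter for normally routed traffic.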

- From the left navigation tree, click Advanced Routing > Policy Based Routing.
- In the Policy Rules section, select the rule.
- Click Delete.
  Note - There is no prompt to confirm.

- From the left navigation tree, click Advanced Routing > Policy Based Routing.
- In the Advanced Options section, the PBR Route Lookup option controls whether PBR rules intentionally cause the same packets to traverse the Security Gateway more than once.
  Requirements:
  - At least one Policy Rule must exist.
  - SecureXL must be enabled (this is the default).
- Click Apply.