Configuring Policy Based Routing in Gaia Portal

Important - In a ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

To configure Policy Based Routing (PBR):

  1. Configure Action Tables - to configure static routes to destination networks.

  2. Configure Policy Rules - to configure the priority and the routing action for each set of matching criteria.

  1. From the left navigation tree, click Advanced Routing > Policy Based Routing.

  2. In the Action Tables section, click Add.

  3. Configure the route parameters:

    • Table Name - Name of the Policy Table (From 1 to 64 alphanumeric characters. The first character must be a letter.).

    • Table ID - Assigned by the system.

    • Default Route - Optional. Controls whether to make this the default route.

      Note - If you select this option, the Destination and Subnet mask fields do not show.

    • Destination - Destination IPv4 address

    • Subnet mask - Destination IPv4 subnet mask

    • Next Hop Type -

      • Normal - Accepts and forwards packets

      • Reject - Drops packets and sends an ICMP Unreachable message to the sender

      • Black Hole - Drops packets without a notification to the sender

  4. Configure the next hop gateway (for Next Hop Type "Normal").

    1. Click Add Gateway and select IP Address.

    2. In the Gateway Address field, enter the IPv4 address of the next hop gateway.

    3. In the Priority field, enter the priority of this next hop gateway for this static route in a PBR table.

      Range: 1-8

      Default: 1

    4. In the Monitored IPs section, select IP addresses, whose reachability GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. needs to monitor.

      For more information, see IP Reachability Detection.

    5. The Force Interface Symmetry option controls whether to ignore IP reachability reports from IP addresses with asymmetric traffic. ICMP Echo packets must be sent and received on the same interface to be valid remote monitoring beacon.

      Range: Selected, or Cleared

      Default: Cleared

    6. In the Monitored IP Fail Condition field, select the applicable condition.

      • Fail All

        Fails the next hop gateway when all monitored IP addresses become unreachable.

        Restores the next hop gateway when any of the monitored IP addresses becomes reachable.

      • Fail Any

        Fails the next hop gateway when any of the monitored IP addresses becomes unreachable.

        Restores the next hop gateway when all monitored IP addresses become reachable.

      Range: Fail All, or Fail Any

      Default: Fail Any

    7. Click OK.

    1. Click Add Gateway and select Network Interfaces.

    2. In the Gateway Interface field, select the applicable interface.

    3. In the Priority field, enter the priority of this next hop gateway for this static route in a PBR table.

      Range: 1-8

      Default: 1

    4. Click OK.

    Notes:

    • You can configure several next hop gateways.

    • Multihop ping for PBR uses ICMP Echo Request to monitor reachability of an IP address multiple hops away. Multihop ping for PBR updates the status of an associated PBR nexthop in accordance to the reachability status. The PBR nexthop status becomes "down", if that IP address is unreachable.

  5. Click Save.

  1. From the left navigation tree, click Advanced Routing > Policy Based Routing.

  2. In the Action Tables section, select the table.

  3. Click Delete.

    Note - There is no prompt to confirm.

  1. From the left navigation tree, click Advanced Routing > Policy Based Routing.

  2. In the Policy Rules section, click Add.

  3. In the Priority field, enter the priority of this ruleClosed Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session. in a PBR table.

    Priority controls the order in which the rules are evaluated for a given network packet.

    Evaluation stops at the first matching rule and only the actions for that rule are performed.

    Priority 1 is the highest and is evaluated before priority 2, and so on.

    Priorities 32766 and 32767 are reserved for the main static routing table.

    Rules with priorities greater than 32767 are routed after the main routing table.

    Best Practice - Do not use a number greater than 5000.

    Range: 1-4294967295

    Default: None

  4. In the Action section, select the action to apply to the traffic that matches the specified criteria:

    • Prohibit - Drop the packet and send a Prohibit message to the sender.

    • Unreachable - Drop the packet and send an Unreachable message to the sender.

    • Table - Forward the packet according to the routes in the selected Action Table with Static Route.

  5. In the Match section, configure the applicable criteria.

  6. Click Save.

  1. From the left navigation tree, click Advanced Routing > Policy Based Routing.

  2. In the Policy Rules section, select the rule.

  3. Click Delete.

    Note - There is no prompt to confirm.

  1. From the left navigation tree, click Advanced Routing > Policy Based Routing.

  2. In the Advanced Options section, the PBR Route Lookup option controls whether PBR rules intentionally cause same packets to traverse the Security Gateway more than once.

    Requirements:

    1. At least one Policy Rule must exist.

    2. SecureXLClosed Check Point product on a Security Gateway that accelerates IPv4 and IPv6 traffic that passes through a Security Gateway. must be enabled (this is the default).

  3. Click Apply.