5 Replies Latest reply on Jan 15, 2016 5:14 AM by seebvey

    NGFW Policy Based Routing

    seebvey

      Hi,

      Does anybody know how to configure policy-based routing in NGFW?

      I have two Internet connections from two different providers.

      I want to route HTTP/HTTPS traffic over ISP1 and every other traffic over ISP2.

      Regards,

      Sebastian

        • 1. Re: NGFW Policy Based Routing
          thyvarin

          Hi,

          For this setup, you should use netlink and outbound multi-link elements:

          http://help.stonesoft.com/onlinehelp/StoneGate/SMC/5.10.0/GUID-C40BD481-D419-4AC5-805D-30812930D742.html

          http://help.stonesoft.com/onlinehelp/StoneGate/SMC/5.10.0/GUID-358C0888-C2F5-43CB-B385-6B28F13FA261.html

          To create a setup like you described, first create a netlink for both ISPs, and then create two multi-link elements:

          1. In the first multi-link, add either only the ISP1 netlink, or add both netlinks and define the ISP1 netlink as active and the ISP2 netlink as standby.

          2. In the second multi-link, add either only the ISP2 netlink, or add both netlinks so that the ISP2 netlink is active and the ISP1 netlink is standby.

          Then in the NAT rules create two rules:

          1. Define the first rule to match only HTTP and HTTPS traffic from internal to Internet, and in the NAT cell use dynamic source NAT using the first multi-link element.

          2. Define the second rule to match any traffic from internal to Internet, and select dynamic source NAT using the second multi-link element.

          This way the HTTP and HTTPS traffic will match the first NAT rule and get handled based on the first multi-link element's settings, so the ISP1 link will be used; any other traffic will match the second NAT rule and use the ISP2 netlink based on the second multi-link.

           

          BR,

          Tero
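The first-match NAT rule selection and the active/standby choice inside a multi-link element, as an added model in Python (not product code from the thread or from Stonesoft; netlink names, ports and link states are constructed). It also shows what differs between putting only ISP1 in the first multi-link and adding ISP2 as standby when ISP1 goes down.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WEB_PORTS = {80, 443}  # constructed: ports the first NAT rule matches (HTTP/HTTPS)


@dataclass
class MultiLink:
    """Multi-link element with netlinks in priority order: ["ISP1", "ISP2"]
    means ISP1 active and ISP2 standby, ["ISP1"] means no standby at all."""
    name: str
    netlinks: List[str]


def select_netlink(ml: MultiLink, link_up: Dict[str, bool]) -> Optional[str]:
    """Return the first netlink of the element that is up, or None."""
    for nl in ml.netlinks:
        if link_up.get(nl, False):
            return nl
    return None


def build_rules(web_ml: MultiLink, other_ml: MultiLink):
    """NAT rule table as in the post, evaluated top down with first match
    winning: the narrow HTTP/HTTPS rule must precede the catch-all rule,
    otherwise web traffic would also be handled by the second multi-link."""
    return [
        (lambda dport: dport in WEB_PORTS, web_ml),  # rule 1: HTTP and HTTPS
        (lambda dport: True, other_ml),              # rule 2: everything else
    ]


def route(rules, dport: int, link_up: Dict[str, bool]) -> Tuple[Optional[int], Optional[str]]:
    """Return (matching rule number, netlink used) for a destination port."""
    for number, (matches, ml) in enumerate(rules, start=1):
        if matches(dport):
            return number, select_netlink(ml, link_up)
    return None, None


if __name__ == "__main__":
    # Variant A: first multi-link holds only ISP1. Variant B adds the other
    # netlink as standby in each element, so a failed link does not drop traffic.
    variant_a = build_rules(MultiLink("web", ["ISP1"]), MultiLink("other", ["ISP2"]))
    variant_b = build_rules(MultiLink("web", ["ISP1", "ISP2"]),
                            MultiLink("other", ["ISP2", "ISP1"]))
    isp1_down = {"ISP1": False, "ISP2": True}
    print("A, ISP1 down, HTTPS:", route(variant_a, 443, isp1_down))  # (1, None)
    print("B, ISP1 down, HTTPS:", route(variant_b, 443, isp1_down))  # (1, 'ISP2')
```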

          • 2. Re: NGFW Policy Based Routing
            lnurmi

            Another option is to just create one multi-link and put both netlinks into it, then use QoS classes to define what traffic goes over which netlink primarily. Of course, in this case, if the ISP1 netlink goes down then the HTTP/HTTPS traffic would be put onto the ISP2 netlink. If you don't want that, then Tero's solution should be used.

            BR,

            Lauri

            • 3. Re: NGFW Policy Based Routing
              seebvey

              Thank you both for your answers!

              When I want to use the QoS classes, what QoS policy do I have to configure for the interfaces?

              A full QoS policy?

              • 4. Re: NGFW Policy Based Routing
                lnurmi

                Hi,

                 

                QoS does not need to be enforced on the interfaces, I believe; from the admin guide's multi-link section:

                "(Optional) Select the QoS Classes for traffic handled by this NetLink and click Add. You can use the QoS classes to assign the NetLink with or without activating the actual QoS features. For more information, see Getting Started with QoS (page 820)."

                -Lauri

                • 5. Re: NGFW Policy Based Routing
                  seebvey

                  Ok. Thank you.

                  My policy is working.


                  I will test a little bit more on this, because SMC (during policy check and upload) says my QoS settings will be ignored when there is no QoS Policy on the interface.