Cisco Web Security Appliance S670 Troubleshooting Guide

How to configure transparent redirection using Policy Based Routing (PBR) on a Check Point firewall?
Document ID: 118248
Contributed by Raam Muthusamy and Siddharth Rajpathak, Cisco TAC Engineers.
Aug 12, 2014
Question:
How do you configure transparent redirection using Policy Based Routing (PBR) on a Check Point firewall, which does not support WCCP?
Environment:
• Cisco Web Security Appliance (WSA)
• Check Point firewall
• WCCP
• PBR (policy based routing)
Symptoms: Transparent redirection needs to be configured on a Check Point firewall, but the firewall doesn't support WCCP configuration.
Note: This Knowledge Base article references software that is not maintained or supported by Cisco. The information is provided as a courtesy for your convenience. For further assistance, please contact the software vendor.
The Check Point firewall does not support WCCP, so we cannot use WCCP on the Check Point to transparently redirect traffic from users to the Cisco Web Security Appliance (WSA). However, we can work around this limitation by forwarding the traffic to the WSA via the "http_mapped" service.
• The client traffic will need to be "sideways routed" into the appliance. This means that the WSA will reside off of a different firewall interface than the one the clients are coming in from, such as in a DMZ environment.
To redirect client traffic, follow the steps below:
1. Create a rule with the "http_mapped" service on the Check Point firewall.