topic Questions about redistribute routes to remote AS with BGP in Cloud Firewall

Questions about redistribute routes to remote AS with BGP

israelsc — Tue, 17 Dec 2024 01:19:20 GMT

Hello everyone,
I created this post to ask for your help with some doubts I have for BGP and how to redistribute routes to a remote AS.

I have a scenario on GNS3 server:

Check Point Firewall R81.20 JHF 89 (represented as “Cloud” node)
-eth0 192.168.5.130
-eth1 10.1.0.130
-eth2 192.168.70.130
[Autonomous System 1]

Router 1 (c3600):
-fa0/0 192.168.5.131
-fa0/1 10.50.50.1
-loopback 1.1.1.1.1
[Autonomous system 10]

Router 2 (c3600):
-fa0/0 10.50.50.2
-loopback 2.2.2.2.2
[Autonomous system 20]

R1 and R2 advertise and redistribute their directly connected networks (10.50.50.0/24 and their loopback).
This is what Check Point receives through BGP.

This is the R1 routing table:

This is the R2 routing table:

This is the FW routing table:

However, the question is:
*How do I advertise and redistribute the networks that Check Point knows throught static routes or the networks that Check Point has directly connected to router 1 and router 2?
*Is it a routemap that is needed?

We have been reviewing the documentation but it does not explain in a clear way, how to make Check Point advertise and redistribute networks to the BGP remote AS:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_Advanced_Routing_AdminGuide/Topics-GARG/BGP-Redistributing-Routes.htm

https://support.checkpoint.com/results/sk/sk100501

This is the BGP configuration we currently have for check point:
> set as 1
> set bgp external remote-as 10 on
> set bgp external remote-as 10 peer 192.168.5.131 on
> set bgp external remote-as 10 peer 192.168.5.131 accept-routes all

We want to know how to do this before the next step: replicate the lab configuration in the customer environment.

In the customer environment
They have an azure HA cluster on the same version R81.20 JHF 89, and have BGP peer with some Cisco Routers on Azure.

For this environment we have another question:
*How do we advertise and redistribute the office mode VPN c2s network on the Check Point HA cluster in Azure for the BGP?

I hope I have explained myself with these details and if not, I will be glad to complement the information.

Greetings to all!

Re: Questions about redistribute routes to remote AS with BGP

Chris_Atkinson — Tue, 17 Dec 2024 03:13:46 GMT

Route-maps with the appropriate match protocol statement and other relevant criteria will be needed.

Configure NAT pools to address the office mode bit which can also be used in the route-map matching logic e.g.

Re: Questions about redistribute routes to remote AS with BGP

JozkoMrkvicka — Tue, 17 Dec 2024 06:15:14 GMT

Yes, routemaps are best to use in this case.

set nat-pool <office mode VPN c2s network/netmask> on

set routemap DirectStaticNATPool id 100 on

set routemap DirectStaticNATPool id 100 allow

set routemap DirectStaticNATPool id 100 match protocol direct

set routemap DirectStaticNATPool id 200 on

set routemap DirectStaticNATPool id 200 allow

set routemap DirectStaticNATPool id 200 match protocol static

set routemap DirectStaticNATPool id 300 on

set routemap DirectStaticNATPool id 300 allow

set routemap DirectStaticNATPool id 300 match protocol nat-pool

set bgp external remote-as 10 export-routemap DirectStaticNATPool preference 1 on

Re: Questions about redistribute routes to remote AS with BGP

israelsc — Tue, 17 Dec 2024 16:22:16 GMT

Excellent, this worked for us!
thanks for your help

We configure the network 10.0.0.0.0/20 as the office mode network for the nat-pool, create the routemap to export static, direct and nat-pool routes and use the routemap to export those routes to the BGP:

set nat-pool 10.0.0.0/20 on

set routemap RM_exp_rts id 100 on
set routemap RM_exp_rts id 100 allow
set routemap RM_exp_rts id 100 match protocol direct

set routemap RM_exp_rts id 200 on
set routemap RM_exp_rts id 200 allow
set routemap RM_exp_rts id 200 match protocol static

set routemap RM_exp_rts id 300 on
set routemap RM_exp_rts id 300 allow
set routemap RM_exp_rts id 300 match protocol nat-pool

set bgp external remote-as 10 export-routemap RM_exp_rts preference 1 on

With this configuration in the firewall, we see that these routes are already being advertised and injected to the Route Table of R1 and R2:

This is fine, it is what we expect.

However, we see that the firewall advertises all its static routes, including the firewall default route:

How do we prevent this firewall default route from being advertised to the BGP?
Is it possible to make an exclusion for this static route?

Greetings!

Re: Questions about redistribute routes to remote AS with BGP

JozkoMrkvicka — Wed, 18 Dec 2024 13:04:39 GMT

set routemap RM_exp_rts id 200 match nexthop <IP_of_nexthop> on

This will cause only static routes pointing to <IP_of_nexthop> will be advertised.

It is not ideal solution since once new route with different nexthop is added, you need to add new routemap statement.

Better way is to restrict specific routes from propagation (0.0.0.0/0). You will need to create routemap with ID lower than 200 with action restrict:

set routemap RM_exp_rts id 199 on

set routemap RM_exp_rts id 199 restrict

set routemap RM_exp_rts id 199 match network 0.0.0.0/0 exact all

set routemap RM_exp_rts id 199 match protocol static

Re: Questions about redistribute routes to remote AS with BGP

israelsc — Wed, 18 Dec 2024 15:31:55 GMT

Hello @JozkoMrkvicka
Great! it helped me to restrict 0.0.0.0.0
Just a correction in the command:

-instead:
set routemap RM_exp_rts id 199 match network 0.0.0.0.0/0 exact all

-place:
set routemap RM_exp_rts id 199 match network 0.0.0.0.0/0 exact

After this, notice immediately on R1 and R2, that the default route 0.0.0.0.0 is no longer propagated to BGP on the other routers.

Thank you for your help!