topic Re: BGP routing through R80.10 gateway and packet inspection in Firewall and Security Management

BGP routing through R80.10 gateway and packet inspection

athomson — Wed, 26 Feb 2020 16:13:51 GMT

We are currently looking to locate a VPN router within a DMZ and to establish a BGP session to an internal router that sits behind a Checkpoint R80.10 gateway. Other than inspecting the BGP session packets would the firewall also inspect the packets between the two hosts as shown in the diagram? For example, if host A was attempting to SSH to host B would the firewall block that connectivity unless a firewall rule was configured to allow it?

Re: BGP routing through R80.10 gateway and packet inspection

John_Fleming — Wed, 26 Feb 2020 19:23:21 GMT

Sure, traffic between host A and B would still have to cross the firewall. BGP isn't a tunnel its just a distributed route database application basically.

I think a problem you should keep in mind is the firewall will need to know what networks exist behind the VPN router and topology will need to be updated to reflect this.

In addition assuming the BGP peers on on different ASes you'll need to tweak the BGP conf with ebgp multi-hop and possibly next hop self. You'll need the multi hop because ebgp defaults to a IP TTL of 1. With ebgp multihop 2 it becomes 2 and you'll be able to reach the router that is one hop away.

Re: BGP routing through R80.10 gateway and packet inspection

athomson — Thu, 27 Feb 2020 15:39:14 GMT

Hi John,

thanks for your swift reply!

This is what I thought but wanted to make sure before implementing the solution.

I had also read about the impact on the ebgp multi-hop value.

Thanks for confirming.