https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-allow-BGP-port-over-VTI/m-p/117281#M16554 <P>That is the VPN equivalent of antispoofing. It generally happens when you are using a route-based VPN, but also have encryption domains set on the tunnel endpoints. Is the peer's encryption domain set to an empty group?</P> Thu, 29 Apr 2021 18:41:30 GMT Bob_Zimmerman 2021-04-29T18:41:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-allow-BGP-port-over-VTI/m-p/117268#M16547 <P>Hi Team,</P><P>&nbsp;</P><P>I have configured VTI tunnels with AWS and tunnels are up however we have setup BGP between peers and in log for port 179 it shows</P><P>According to the policy the packet should not have been decrypted</P><P>So do I need to set separate rule to allow TCP 179? Or is that allowed by default. Due to this my routing is not coming up.</P> Thu, 29 Apr 2021 16:56:02 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-allow-BGP-port-over-VTI/m-p/117268#M16547 Blason_R 2021-04-29T16:56:02Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-allow-BGP-port-over-VTI/m-p/117274#M16549 <P>I am pretty sure you would need to allow it, but one way to know 100% is to run this on cp firewall while testing:</P> <P>&nbsp;</P> <P>fw ctl zdebug + drop | grep 179</P> <P>&nbsp;</P> <P>That would tell you if anything is being dropped on the port on the kernel level.</P> Thu, 29 Apr 2021 17:51:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-allow-BGP-port-over-VTI/m-p/117274#M16549 the_rock 2021-04-29T17:51:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-allow-BGP-port-over-VTI/m-p/117281#M16554 <P>That is the VPN equivalent of antispoofing. It generally happens when you are using a route-based VPN, but also have encryption domains set on the tunnel endpoints. Is the peer's encryption domain set to an empty group?</P> Thu, 29 Apr 2021 18:41:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-allow-BGP-port-over-VTI/m-p/117281#M16554 Bob_Zimmerman 2021-04-29T18:41:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-allow-BGP-port-over-VTI/m-p/117389#M16587 <P>Yes we will have to allow it and I was using wrong peer name than configured in dashboard. Plus what I learned is - this rule should be above stealth rule.</P> Sat, 01 May 2021 05:25:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/How-to-allow-BGP-port-over-VTI/m-p/117389#M16587 Blason_R 2021-05-01T05:25:40Z