https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155153#M26441 <P>DC does not need to know any routes except 10.10.30.0/24 and its all static routes configured which is default route. Currently the only requirement is routes should be learned from HO firewall and not vice-versa except 10.10.30.0/24.</P> Wed, 17 Aug 2022 16:08:20 GMT Blason_R 2022-08-17T16:08:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155100#M26439 <P>Hi Team,</P><P>&nbsp;</P><P>I have two firewalls being managed by same management server. These two firewalls are separated in two different office premises however I have a fiber running between those. I need to construct Internet redundancy between those for HO Firewall</P><P>I have two ISPs at DC hence if Internet link at HO goes down the default gateway for HO will be 10.10.20.20; else will have a static gateway configured.</P><P>I am planning to configure eBGP between HO and DC firewall; since static route has a AD distance 1 it will be picked up on HO firewall while eBGP AD is 20 it will be used as a backup.</P><P>I already achieved on other platform using BGP however I am not finding a way on Check Point. Can someone please help?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Indoco-Mgmt.jpg" style="width: 400px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/17441i586349FA83BC8C52/image-size/medium?v=v2&amp;px=400" role="button" title="Indoco-Mgmt.jpg" alt="Indoco-Mgmt.jpg" /></span></P><P> </P> Wed, 17 Aug 2022 02:24:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155100#M26439 Blason_R 2022-08-17T02:24:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155102#M26440 <P>Most likely you will need to configure BGP with route-maps ( sk94765 / sk100501 ) to allow the necessary routes in/out.</P> <P>How does the DC firewall learn about it's own default route, via BGP or other routing protocol(s)?</P> <P>&nbsp;</P> Wed, 17 Aug 2022 04:44:39 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155102#M26440 Chris_Atkinson 2022-08-17T04:44:39Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155153#M26441 <P>DC does not need to know any routes except 10.10.30.0/24 and its all static routes configured which is default route. Currently the only requirement is routes should be learned from HO firewall and not vice-versa except 10.10.30.0/24.</P> Wed, 17 Aug 2022 16:08:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155153#M26441 Blason_R 2022-08-17T16:08:20Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155191#M26442 <P>The below assumes the underlying BGP session is setup/established (basic example only).</P> <P>&nbsp;</P> <P>Network: 0.0.0.0/0</P> <P>DC (Advertise)</P> <P>Route Redistribution from Static to BGP(65001) matching default route.</P> <P>HO (Receive)</P> <P>Inbound route filter for BGP allowing routes from AS65000</P> <P><BR />Network: 10.10.30.0/24</P> <P>HO (Advertise)</P> <P>Route Redistribution from Interface/Static to BGP(65000)</P> <P>DC (Receive)</P> <P>Inbound route filter for BGP allowing routes from AS65001</P> Thu, 18 Aug 2022 07:02:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155191#M26442 Chris_Atkinson 2022-08-18T07:02:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155192#M26443 <P>OK - BGP Route learning; I really feel is pretty complicated in Check Point. Honestly this is much simpler in Cisco or Vyatta or even in zebra/quagga</P> Thu, 18 Aug 2022 06:44:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155192#M26443 Blason_R 2022-08-18T06:44:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155193#M26444 <P>Yes it's different, things are done with a security flavor rather than just accept all.</P> <P>One of the main shortcuts Cisco offers is the concept of "default-originate" in the peer config.</P> Thu, 18 Aug 2022 07:07:20 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Advertising-default-gateway-through-BGP/m-p/155193#M26444 Chris_Atkinson 2022-08-18T07:07:20Z