<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Proper protocol to advertise a netblock to a BGP peer in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/233939#M45302</link>
    <description>&lt;P&gt;NAT pools should also be available via CLISH per:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_Advanced_Routing_AdminGuide/Content/Topics-GARG/NAT-Pools-Configuring-in-Gaia-Clish.htm?Highlight=Nat%20pool" target="_blank" rel="noopener"&gt;https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_Advanced_Routing_AdminGuide/Content/Topics-GARG/NAT-Pools-Configuring-in-Gaia-Clish.htm?Highlight=Nat%20pool&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;This discussion may also be helpful for your future endeavors:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://community.checkpoint.com/t5/Security-Gateways/AS-Path-prepending-to-two-different-peers-in-the-same-AS/td-p/132851" target="_blank"&gt;https://community.checkpoint.com/t5/Security-Gateways/AS-Path-prepending-to-two-different-peers-in-the-same-AS/td-p/132851&lt;/A&gt;&lt;/P&gt;</description>
    <pubDate>Wed, 27 Nov 2024 14:08:55 GMT</pubDate>
    <dc:creator>Chris_Atkinson</dc:creator>
    <dc:date>2024-11-27T14:08:55Z</dc:date>
    <item>
      <title>Proper protocol to advertise a netblock to a BGP peer</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/233935#M45299</link>
      <description>&lt;P&gt;I have a cluster running R81.10 and the latest HFA. It has 2 external interfaces that terminate to two different POPs at the same service provider for some internet redundancy. This service provider has given us a /27 block that we use to NAT various applications. I am currently in the process of configuring BGP so that we can get just default gateways and advertise the /27 for redundancy.&lt;/P&gt;&lt;P&gt;As it sits right now, I have one of the external connections configured with BGP and am currently peering with our service provider. I have an import routemap configured to change the local pref of the default gateway we receive to ensure it's preferred over the other I expect to get once it's set up. I also have an export routemap set up to advertise the /27 to the peer using protocol static. And this is where my issue is.&lt;/P&gt;&lt;P&gt;Most of the examples I have seen advertising a netblock to a peer show using protocol static. But this requires a static route in the routing table for the netblock to be advertised, otherwise it won't work. However, this just doesn't "feel" right. I have looked over the documentation and other examples and it seems like "NAT Pools" is what I need, but I only see a way to use those in the Gaia WebUI. Unfortunately, this doesn't work for me since I need to advertise to two different peers in the same AS, so that means only routemaps work, and I see no way of using "NAT Pools" in routemaps. I have also tested using protocol direct in my routemap, but that doesn't work either.&lt;/P&gt;&lt;P&gt;What am I missing here? Am I doing this right and I'm just forced to keep the /27 in the static routing table for advertisement?&lt;/P&gt;&lt;P&gt;Here is an example of the routemap I am using and how I am applying it to the peer:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;set routemap mymap id 10 on
set routemap mymap id 10 allow
set routemap mymap id 10 match network 1.1.1.1/27 all
set routemap mymap id 10 match protocol static

set bgp external remote-as 1234 peer 2.2.2.2 export-routemap mymap preference 1 on&lt;/LI-CODE&gt;&lt;P&gt;Any help is appreciated. Thank you.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Nov 2024 17:18:41 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/233935#M45299</guid>
      <dc:creator>JoeBandura</dc:creator>
      <dc:date>2024-11-27T17:18:41Z</dc:date>
    </item>
    <item>
      <title>Re: Proper protocol to advertise a netblock to a BGP peer</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/233939#M45302</link>
      <description>&lt;P&gt;NAT pools should also be available via CLISH per:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_Advanced_Routing_AdminGuide/Content/Topics-GARG/NAT-Pools-Configuring-in-Gaia-Clish.htm?Highlight=Nat%20pool" target="_blank" rel="noopener"&gt;https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_Gaia_Advanced_Routing_AdminGuide/Content/Topics-GARG/NAT-Pools-Configuring-in-Gaia-Clish.htm?Highlight=Nat%20pool&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;This discussion may also be helpful for your future endeavors:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://community.checkpoint.com/t5/Security-Gateways/AS-Path-prepending-to-two-different-peers-in-the-same-AS/td-p/132851" target="_blank"&gt;https://community.checkpoint.com/t5/Security-Gateways/AS-Path-prepending-to-two-different-peers-in-the-same-AS/td-p/132851&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 27 Nov 2024 14:08:55 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/233939#M45302</guid>
      <dc:creator>Chris_Atkinson</dc:creator>
      <dc:date>2024-11-27T14:08:55Z</dc:date>
    </item>
    <item>
      <title>Re: Proper protocol to advertise a netblock to a BGP peer</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/233940#M45303</link>
      <description>&lt;P&gt;This documentation shows how to configure NAT Pools via clish, but not how to use them in a routemap. Do you have documentation or an example of that somewhere?&lt;/P&gt;&lt;P&gt;Thank you.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Nov 2024 14:10:12 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/233940#M45303</guid>
      <dc:creator>JoeBandura</dc:creator>
      <dc:date>2024-11-27T14:10:12Z</dc:date>
    </item>
    <item>
      <title>Re: Proper protocol to advertise a netblock to a BGP peer</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/233946#M45307</link>
      <description>&lt;P&gt;The NAT pools documentation otherwise indicates you can also use route redistribution statements as an alternative, which would potentially negate the need for the match protocol portion of your route-map.&lt;/P&gt;
&lt;P&gt;Generally routemaps assigned to a protocol for import or export override corresponding filters and route redistribution rules.&lt;/P&gt;
&lt;P&gt;I'm not currently in a position to test their use simultaneously with respect to this scenario.&lt;/P&gt;</description>
      <pubDate>Thu, 28 Nov 2024 00:56:27 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/233946#M45307</guid>
      <dc:creator>Chris_Atkinson</dc:creator>
      <dc:date>2024-11-28T00:56:27Z</dc:date>
    </item>
    <item>
      <title>Re: Proper protocol to advertise a netblock to a BGP peer</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/234003#M45325</link>
      <description>&lt;P&gt;You should have nat-pools as a protocol match criteria option for use in your route-map e.g.&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nat-pool.jpg" style="width: 999px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/28578i5EFAEA68563E94D7/image-size/large?v=v2&amp;amp;px=999" role="button" title="nat-pool.jpg" alt="nat-pool.jpg" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 28 Nov 2024 00:57:46 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/234003#M45325</guid>
      <dc:creator>Chris_Atkinson</dc:creator>
      <dc:date>2024-11-28T00:57:46Z</dc:date>
    </item>
    <item>
      <title>Re: Proper protocol to advertise a netblock to a BGP peer</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/234007#M45326</link>
      <description>&lt;P&gt;That's it. Exactly what I needed. The documentation doesn't show it, but pressing tab a few times in the clish clearly does.&lt;/P&gt;&lt;P&gt;Configured, tested and working.&lt;/P&gt;&lt;P&gt;Thank you!!!&lt;/P&gt;</description>
      <pubDate>Thu, 28 Nov 2024 02:26:43 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/Proper-protocol-to-advertise-a-netblock-to-a-BGP-peer/m-p/234007#M45326</guid>
      <dc:creator>JoeBandura</dc:creator>
      <dc:date>2024-11-28T02:26:43Z</dc:date>
    </item>
  </channel>
</rss>

