topic Re: BGP help in Firewall and Security Management

BGP help

Shawn_Fletcher — Sat, 04 Jul 2020 01:01:17 GMT

Hi there

First time BGP setup with checkpoint (r80.40)

I've got a new environment and trying to setup a Cisco VSS with multiple VRFs that terminate to 16000 checkpoint. So multiple internal BGP peers with same AS #, i have received the routes fine from each peer, but i want to share routes from Peer 1 with Peer 2 for my test setup before i reattempt in production. I was able to share the checkpoint connected networks, as well as static routes fine with combination of route redistribution / route map, but not the BGP routes from

Route redistribution allows to pick same FROM/TO AS# and add a filter, thought that might work but no luck.

How is the way to do this? I'm also stuggling on route distribution with WebUI vs route-map on CLI... when is the right scenario to use each?

Re: BGP help

firewall1-gx — Sat, 04 Jul 2020 02:40:05 GMT

Hi Shawn,

For your enviroment, since all peers are sharing the same AS, I believe you need to enable "as override" and "allowas-in" in your BGP configuration.

Please look the GAIA Advanced Routing to get the commands or to do through WEBUI.

https://dl3.checkpoint.com/paid/69/69d1c6899e768ea0687857ec55d723d9/CP_R80.40_Gaia_Advanced_Routing_AdminGuide.pdf?HashKey=1593837250_40fc31270106fe7984c3eddd3c5c934b&xtn=.pdf

Regards,

Re: BGP help

Shawn_Fletcher — Sat, 04 Jul 2020 03:48:39 GMT

Thanks for the suggestion - it looks like to do this i have to change to an "External" group type, instead of Internal. Will see if i can get that working.

Re: BGP help

Boris_Karnaukh — Tue, 08 Dec 2020 09:32:12 GMT

Hi Shawn,

If you wish to keep this purely iBGP setup, you may consider setting up a route refelector. "GAIA Advanced routing" briefly covers this subject.

Re: BGP help

John_Fleming — Tue, 08 Dec 2020 12:42:07 GMT

Keeping all things BGP this would be the correct BGP term. iBGP assumes all peers to be fully meshed.

Assume we have iBGP talkers A, B and C.

B will not tell A about C routes learned from C.

B will not tell C about A routes learned from A.

The reason for this is since iBGP is assumed to be full mesh then B assumes C and A have BGP sessions with each other. Route reflector is the correct term to overcome this.

Sounds pretty good right? BTW I have no idea how to configure that in Gaia so.. uh.. maybe what firewall1-gx said is how to do that? 😄

Re: BGP help

Shawn_Fletcher — Tue, 08 Dec 2020 16:22:17 GMT

thanks for the suggestions - I did try route reflector but had no luck with that but in fairness we didn't open a case with TAC for assistance as we got a lot of feedback that OSPF was the more common option and moved on to that.

Re: BGP help

John_Fleming — Tue, 08 Dec 2020 16:24:09 GMT

Make sure cluster members have the same router-id. Seems like a common configuration issue. Once its set you can only change it by removing the ospf config.

Re: BGP help

Maarten_Sjouw — Wed, 09 Dec 2020 00:04:08 GMT

That is one of the reasons to use cloning groups when using dynamic routing, so you don't configure things double and with mistakes.

Re: BGP help

Boris_Karnaukh — Wed, 09 Dec 2020 09:42:22 GMT

In GAIA it should be rather simple — if you want to make your CheckPoint a reflector:

set bgp internal peer ##.##.##.# peer-type reflector-client