topic Re: BGP on Maestro - Tips? in Hyperscale Firewall (Maestro)

BGP on Maestro - Tips?

Timothy_Hall — Mon, 08 Aug 2022 15:49:28 GMT

I've set up BGP many times on standard Check Point gateways including clustered ones, but have a client that will be looking to configure it in a Maestro R81.10 environment that is single site with dual orchestrators and non-chassis gateways. Any special tips/limitations to watch out for? So far I have:

BGP confederations are not supported
BGP can't be used with VxLAN interfaces or GRE interfaces
BGP Graceful Restart will need to be enabled (and timers match with the BGP peer) to avoid a flap during a Maestro failover

Any other Maestro-specific tips for BGP? Paging @Kim_Moberg who has posted earlier about using BGP on Maestro.

Has anyone had to manually affine a dedicated core for routed due to it not getting enough CPU slices and causing a flap during security policy installation to the Security Group or other kinds of high CPU load events? Alas MDPS is not supported on Maestro...yet.

Re: BGP on Maestro - Tips?

the_rock — Mon, 08 Aug 2022 19:42:23 GMT

I think @Lari_Luoma can help with it, he is maestro guru.

Re: BGP on Maestro - Tips?

Lari_Luoma — Mon, 08 Aug 2022 20:54:57 GMT

BGP configuration in Maestro does not really differ from a regular gateway (except for the limitations you already found).
In Maestro one SGM is a dedicated DR manager. In the current software versions it's always the SMO. It takes care of peering and adjacencies. When you run "show bgp peers" for example, you should do it on the DR manager. Also routing logs are stored on that blade. Routes are naturally synchronized to all members.

MDPS will be supported in R81.20.