Sandgirl
Contributor

BGP advice

Hi guys, 

 

Let me start with saying I have very little experience with Checkpoints - only few weeks, so please bear that in mind 🙂 

 

I'm trying to establish a BGP connectivity between our two Checkpoints in Azure (CloudGuard) and the Azure Route Server (ARS). 

I have two setups: 

One is the Checkpoint Server Manager and ARS. 

The other one is Checkpoint Firewall and ARS. 

 

In the first instance, I can see on the Checkpoint (CLI) that there is two-way communication: SYN, SYN ACK, ACK (but also F, P and R). But the neighbourhood is not established - the peers show on the Checkpoint SM as either 'active' or 'idle'. 

 

With the second setup, I can only see traffic (in the CLI) coming from ARS. The Checkpoint does not respond at all. I have set up the ASN and the peers in the GUI, but there is absolutely no response. Is there any other setting somewhere I need to enable/set up? 


Finally, the above setups are just in my lab. When we deploy the solution, the Checkpoints will be behind Azure Load Balancer. Is this supported? I have read somewhere on here that it might not be? 

 

Any help would be greatly appreciated!

34 Replies
Sandgirl
Contributor

Hi Luke,

 

azcpgw1> show configuration bgp
set bgp external remote-as xxxxx on
set bgp external remote-as xxxxx peer y.y.y.y on
set bgp external remote-as xxxxx peer y.y.y.y multihop on
set bgp external remote-as xxxxx peer y.y.y.y on
set bgp external remote-as xxxxx peer y.y.y.y multihop on

 

When adding BGP peer, make sure that you tick the 'eBGP multihop' in the 'Next Hop Time to Live' (I found this in the documentation on setting up BGP with VPN gateway). 

 

Regards,
Sandgirl

Sandgirl
Contributor

When I did the capture without limiting the port to 179, I got a different capture. 

I've uploaded the second capture. 

Blason_R
Leader

That means you need to open port TCP/179 destined to your firewall. You need to add an explicit rule for it above the stealth rule, if you have one. Since activating BGP does not add any implicit rule, make sure you add the explicit rule as I said above.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
_Val_
Admin

DEFAULT POLICY is the name of the policy package applied on your security gateway. In this specific case, it is the out-of-the-box policy, which means you did not apply any policy to the SG.

The default policy only allows internal communication with the other parts of your security system, and nothing else.

Please make sure you initiated SIC between your gateway and management server, and installed a new policy allowing essential communications and BGP to your gateway. 
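To tell the two symptoms in this thread apart from a capture (a TCP/179 handshake that completes and is then reset, versus SYNs from ARS that the gateway never answers because the policy drops them), here is a small triage script added as an example; it is not code from the thread or from Check Point, and it runs over constructed tcpdump-style lines with assumed addresses (gateway 10.1.1.4, ARS peers 10.1.0.4 and 10.1.0.5).

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not a capture from the thread). Flags: S SYN,
# S. SYN-ACK, . ACK, P. PSH-ACK, R. RST-ACK. Two assumed Azure Route Server
# instances (10.1.0.4, 10.1.0.5) talk to the assumed gateway address 10.1.1.4.
SAMPLE_CAPTURE = """\
10:00:01 IP 10.1.0.4.51002 > 10.1.1.4.179: Flags [S], seq 1
10:00:01 IP 10.1.1.4.179 > 10.1.0.4.51002: Flags [S.], seq 1, ack 2
10:00:01 IP 10.1.0.4.51002 > 10.1.1.4.179: Flags [.], ack 2
10:00:01 IP 10.1.0.4.51002 > 10.1.1.4.179: Flags [P.], seq 2
10:00:02 IP 10.1.1.4.179 > 10.1.0.4.51002: Flags [R.], seq 1
10:00:05 IP 10.1.0.5.52210 > 10.1.1.4.179: Flags [S], seq 1
10:00:06 IP 10.1.0.5.52210 > 10.1.1.4.179: Flags [S], seq 1
10:00:08 IP 10.1.0.5.52210 > 10.1.1.4.179: Flags [S], seq 1
"""

LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

NO_REPLY = "no reply on TCP/179: likely dropped by the policy (add an explicit rule above the stealth rule)"
RESET = "TCP handshake completed but the session was reset: check remote AS, peer address and eBGP multihop"
TCP_UP = "TCP session established: check the BGP state on the gateway"

def parse_capture(text):
    """Yield (src_ip, sport, dst_ip, dport, flags) for every packet that touches port 179."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            if 179 in (int(sport), int(dport)):
                yield src, int(sport), dst, int(dport), flags

def diagnose(text):
    """Group packets per (initiator, listener) pair and return a verdict for each.
    The listener is the side addressed on port 179; the initiator is the other side."""
    flows = defaultdict(lambda: {"in": set(), "out": set()})
    for src, sport, dst, dport, flags in parse_capture(text):
        if dport == 179:
            flows[(src, dst)]["in"].add(flags)    # initiator -> listener
        else:
            flows[(dst, src)]["out"].add(flags)   # listener -> initiator (sport is 179)
    verdicts = {}
    for pair, f in flows.items():
        if not f["out"]:
            verdicts[pair] = NO_REPLY
        elif any("R" in x for x in f["in"] | f["out"]):
            verdicts[pair] = RESET
        else:
            verdicts[pair] = TCP_UP
    return verdicts

if __name__ == "__main__":
    for (peer, gw), verdict in diagnose(SAMPLE_CAPTURE).items():
        print(f"{peer} -> {gw}: {verdict}")
```

A real capture can be fed in by replacing SAMPLE_CAPTURE with the output of a tcpdump run that is not filtered to port 179 only, so that resets and the missing replies are both visible.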

Sandgirl
Contributor

Thanks! That helped a lot! Although I'm still not able to establish a BGP session between the peers 😞 
