Thank you so much Andy!

So I run the 
fw ctl zdebug drop 

and I'm getting the following message: 

fw_log_drop_ex: Packet proto =6 x.x.x.x:y -> z.z.z.z:179 dropped by fw_send_log_drop Reason: Rulebase drop - DEFAULT POLICY

Where would I find this policy so I can override it?

Sorry for the late reply, not sure how I missed the email notification, apologies. So to verify right policy, can you run fw stat command on the CP fw? If default policy or default filter is on, that would block everything.

Thank you so much everyone! 

After a lot of looking around, I have managed to unblock TCP 179 (as well as SSH and ICMP) after implementing the required rules and also turning off address  spoofing. 

I can now see the traffic being accepted by the firewall, and I can see SYN, ACK, Push, Finish and Reset. Tcpdump capture shows a flow - but only in one direction, from the ARS to the checkpoint, again I can see SYN, ACK, BGP Open... but then, I can see BGP Notification (which looks like the timeout waiting for the response) and FIN retransmission of FIN and Reset. 

So the traffic seems to be getting there, but Checkpoint is still not willing to establish the BGP connection. 

As mentioned before, I am trying to set it up with ARS, which only asks for IP and ASN. 

Am I missing some setting on the Checkpoint that I need to enable to get it to work? 

K, so something is not matching with the other side for sure. What do they see on Cisco side?

Can you send us output of below commands from clish? Please blur out any sensitive info.

Andy

From expert mode, just type clich and then run following commands (one by one)

show bgp errors

show bgp groups

show bgp memory

show bgp paths

show bgp peer

show bgp peers

show bgp routemap

show bgp stats

show bgp summary

Unfortunately I'm not using Cisco at the other end, it's ARS - Azure Route Server, which provides very little troubleshooting options. 
I can see the BGP traffic from ARS arriving at Checkpoint, but I cannot see Checkpoint trying to communicate with ARS. So that's why I'm thinking I missed something out on Checkpoint. 

Sorry @Sandgirl , I guess I cant spell properly...lol. I read ASR, so I assumed it was Cisco ASR, my bad, apologies. Ok, so if thats the case, yea, I know, Azure in general does not sadly provide many troubleshooting options at all. Can you actually run fw monitor -F flag I gave in my first response? Also, run ip r g command and then simply put IP address you are trying to reach, so we can confirm the routing part (example ip r g 8.8.8.8)

Andy

The fw -F command didn't return anything. 

ip r g command helped - the traffic is going via the other interface, so once I change the settings on both ends, I can now see the traffic going both ways... although it's still failing... the connection is timing out on Checkpoint end it seems, the ARS sends a message that its Hold time has expired... Or am I reading this wrong? 

If you check my very first response on your post, I gave an example of fw monitor -F command.

idea is this:

fw monitor -F "srcip,srcport,dstip,dstport,protocol" -F "srcip,srcport,dstip,dstport,protocol"

(just an example -> fw monitor -F "1.1.1.1,0,2.2.2.2,179,0" -F "2.2.2.2,0,1.1.1.1,179,0"

I really think that capture would help us here.

Andy 

Hi Andy, 

I run the fw monitor command for few minutes and this is what it returned:

[vs_0][ppak_0] eth1:i[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27946
TCP: 64818 -> 179 ..R.A. seq=a532c7d3 ack=2ef94736
[vs_0][fw_0] eth1:i[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27946
TCP: 64818 -> 179 ..R.A. seq=a532c7d3 ack=2ef94736
[vs_0][fw_0] eth1:I[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27946
TCP: 64818 -> 179 ..R.A. seq=a532c7d3 ack=2ef94736
[vs_0][ppak_0] eth1:i[44]: 10.0.4.4 -> 10.6.1.4 (TCP) len=61 id=27947
TCP: 64938 -> 179 ...PA. seq=cce9b89b ack=80f42139
[vs_0][fw_1] eth1:i[44]: 10.0.4.4 -> 10.6.1.4 (TCP) len=61 id=27947
TCP: 64938 -> 179 ...PA. seq=cce9b89b ack=80f42139
[vs_0][fw_1] eth1:I[44]: 10.0.4.4 -> 10.6.1.4 (TCP) len=61 id=27947
TCP: 64938 -> 179 ...PA. seq=cce9b89b ack=80f42139
[vs_0][ppak_0] eth1:i[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27948
TCP: 64938 -> 179 F...A. seq=cce9b8b0 ack=80f42139
[vs_0][fw_1] eth1:i[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27948
TCP: 64938 -> 179 F...A. seq=cce9b8b0 ack=80f42139
[vs_0][fw_1] eth1:I[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27948
TCP: 64938 -> 179 F...A. seq=cce9b8b0 ack=80f42139
[vs_0][ppak_0] eth1:i[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27949
TCP: 64938 -> 179 F...A. seq=cce9b8b0 ack=80f42139
[vs_0][fw_1] eth1:i[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27949
TCP: 64938 -> 179 F...A. seq=cce9b8b0 ack=80f42139
[vs_0][fw_1] eth1:I[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27949
TCP: 64938 -> 179 F...A. seq=cce9b8b0 ack=80f42139
[vs_0][ppak_0] eth1:i[44]: 10.0.4.4 -> 10.6.1.4 (TCP) len=52 id=27950
TCP: 65059 -> 179 .S.... seq=f24889d5 ack=00000000
[vs_0][fw_0] eth1:i[44]: 10.0.4.4 -> 10.6.1.4 (TCP) len=52 id=27950
TCP: 65059 -> 179 .S.... seq=f24889d5 ack=00000000
[vs_0][fw_0] eth1:I[44]: 10.0.4.4 -> 10.6.1.4 (TCP) len=52 id=27950
TCP: 65059 -> 179 .S.... seq=f24889d5 ack=00000000
[vs_0][ppak_0] eth1:i[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27951
TCP: 65059 -> 179 ....A. seq=f24889d6 ack=6ecba4fd
[vs_0][fw_0] eth1:i[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27951
TCP: 65059 -> 179 ....A. seq=f24889d6 ack=6ecba4fd
[vs_0][fw_0] eth1:I[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27951
TCP: 65059 -> 179 ....A. seq=f24889d6 ack=6ecba4fd
[vs_0][ppak_0] eth1:i[44]: 10.0.4.4 -> 10.6.1.4 (TCP) len=91 id=27952
TCP: 65059 -> 179 ...PA. seq=f24889d6 ack=6ecba4fd
[vs_0][fw_0] eth1:i[44]: 10.0.4.4 -> 10.6.1.4 (TCP) len=91 id=27952
TCP: 65059 -> 179 ...PA. seq=f24889d6 ack=6ecba4fd
[vs_0][fw_0] eth1:I[44]: 10.0.4.4 -> 10.6.1.4 (TCP) len=91 id=27952
TCP: 65059 -> 179 ...PA. seq=f24889d6 ack=6ecba4fd
[vs_0][ppak_0] eth1:i[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27953
TCP: 64938 -> 179 ..R.A. seq=cce9b8b1 ack=80f42139
[vs_0][fw_1] eth1:i[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27953
TCP: 64938 -> 179 ..R.A. seq=cce9b8b1 ack=80f42139
[vs_0][fw_1] eth1:I[40]: 10.0.4.4 -> 10.6.1.4 (TCP) len=40 id=27953
TCP: 64938 -> 179 ..R.A. seq=cce9b8b1 ack=80f42139

For some reason I cannot reply to this comment with the output from the fw monitor... 

Hi Andy, 

I've attached the output from fwmonitor as the text file - hopefully it will update this time. 

Small favor @Sandgirl ...I need to know your local CP ip address, as well as remote side. Also, can you send the actual pcap file, rather than txt, as I would like to examine it in wireshark. Please send me offline message or blur out any sensitive info.

Cheers.

I've attached the capture. It's my lab environment. 

Thanks! Can you also please tell us the IP addresses involved (CP and other side)?

Cheers,

Andy

Checkpoint's IPs are: 10.6.0.4 and 10.6.1.4 (the 1.4 is the one in the capture). The other end has two IPs: 10.0.4.4 and 10.0.4.5 (but the capture is just for 10.0.4.4).

Excellent, let me review in a bit. So just to clarify, at this point, you see traffic from CP to the other side, but nothing coming back, right?

Andy

Hi, 

No, 

I can see that ARS is trying to set up BGP with CP, and CP seems to be responding, at least up to a point. 

I cannot see CP trying to set up BGP with ARS. 

I had a quick look at the file you sent and I see lots of FIN-ACKs, as well as retransmissions when I do below filters in wireshark:

tcp.port==179 and ip.addr=10.0.4.4

Here is good command to see what could be happening on CP side and if we see any drops at this point. Please run the tests again and leave this command running on CP firewall (expert mode)

fw ctl zdebug + drop | grep "10.0.4.4" | grep "179"

This will check for any drops for that IP, as well as BGP port (179)

Cheers,

Andy

Ah, yea, those settings are sometimes easy to overlook. Good job! Glad its fixed 💪

Hi Andy, 

Another question. 
So I am now able to set up BGP peering between single Checkpoint and ARS (and Cisco router). 

However when I try to set up a peering between a Cluster and ARS (or Cisco), I'm not able to. 

Is there any additional setting that needs to be enabled somewhere on the Cluster to get it to work? 

No worries, we can start another thread if needed or message me offline, we can do remote session. I know making this work with Cisco is bit tricky, my colleague and I spent 3-4 months until we finally got it working (dont let that discourage you, its probably because took forever to get everyone involved on the same page lol)

Check below settings, make sure they match.

Andy

Hi, 

In the routed_messages and routed.log I keep getting this error: bgp_set_nexthop_address(9933) x.x.x.x [eBGP AS YYYYY] no IPv4 address found to connect. 

in routed.log I also get this message: bgp_use_protopeer x.x.x.x [eBGP AS YYYYY] Unable to find interfaces to reach this peer

When I googled one of these messages, it mentioned a VIP, but I already had VIP set up. 

Finally, I only built a Cisco device to help me troubleshoot the connection - I really want to set it up with Azure Route server. 

I know that with Fortinet and Cisco (not sure if its same with PAN) when you have a cluster, there is no VIP, so every change you made on whichever member is active, it replicates on standby, so logically, in this case, you would most likely enter the IP address of active member. On CP side, its VIP, as per documentation.

Can you verify thats what you actually have set up?

Andy

Hi Andy, 

With some help from the 3rd party I managed to figure it out. Turns out, that I need to set up the BGP peering to the VIP of the 'outside' interface (eth0) not the 'inside' (eth1). Which means I also need  to set up the router ID as the VIP. Once this has been set up, and  the corresponding routing added (route  to the ARS pointing to the default gateway of the 'outside' interface), it all started to work. 

Following from that, I struggled with the failover - the BGP peering and the connectivity only worked when I was using the primary Checkpoint, This is due to Azure's setup. When deploying Checkpoint from the Azure template, the Checkpoint is made a Contributor of the Resource Group it's build. By default this Resource Group also includes a Vnet in which Checkpoint is placed in, but in my setup it wasn't. So, Checkpoints didn't have permissions to move the VIP from primary Checkpoint to Secondary (I found it by running the $FWR/scripts/azure_ha_test.py script). Once I've granted Checkpoint cluster members appropriate permissions, it's all working. 

Phew! That was a difficult one. I feel like I've learnt a lot about Checkpoints in the process! 
Thank you again for all your help! 🙂 

Excellent work @Sandgirl 💪👍👌

Hi

I am also implementing ExpressRoute between my Azure cloud to my on-prim datacenter. Checkpoint firewall's are working as  cluster. Could you please provide me the complete configuration steps to achieve this. Thanks 

Hi, I have same issue but in a cloudguard cluster XL; do you mind pasting the cli bgp config that you used?

(show configuration bgp)

Thank you