HBK
Contributor

BGP configuration for Expressroute

Looking for advice on BGP configuration on Check Point for Azure ExpressRoute. We are using two Check Point devices, and they are working as a cluster.

20 Replies
Chris_Atkinson
Employee

With or without VPN and are there specific elements of the config that you need help with or all of it?

Note the BGP Router-ID needs to be configured with the same value on both cluster members, also Graceful restart is recommended. 

CCSM R77/R80/ELITE
HBK
Contributor

Thank you Chris for your quick response.

I am looking for complete steps, it is without VPN. 

Some of the points I have noted: the RID should be the VIP, and configure the eBGP multi-hop option and define the TTL value...

Chris_Atkinson
Employee

For those reading and able to offer assistance, which side of the connection are the Check Point gateways located: on-prem | cloud | both ?

CCSM R77/R80/ELITE
HBK
Contributor

Hi Chris,

Gateway is located on-prem.

0 Kudos
the_rock
Legend

We have a customer using exactly this setup, and it has been working for 2 years without issues. I can give you some screenshots of how it's configured; I will just need to blur out the sensitive info.

HBK
Contributor

Hi Rock,

Could you please share the screenshots, if possible. Thanks.

0 Kudos
the_rock
Legend

I will see what I can send tomorrow.

0 Kudos
the_rock
Legend

Heya @HBK 

I had a quick look at the customer's config and honestly, as I thought, there are no special instructions we followed; it's literally from the link I gave you, so I am sure screenshots won't help. You just need to make sure that the BGP peer settings match on the other side and then verify what the state is by running the show bgp commands in clish. If you can't get it going, you can run zdebug for the affected peer IP and port 179.

If you need help, let me know, happy to do remote.

Andy

0 Kudos
the_rock
Legend

Btw, to add to my previous response, we never really followed any special steps, simply what's outlined below, and it worked fine.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_Advanced_Routing_AdminGuide/T...

0 Kudos
HBK
Contributor

We will be considering an ER backup link to Azure as well, through BGP. The AS number is the same, but we will have 2 connections to Azure, so how would the configuration look in this scenario?

0 Kudos
HBK
Contributor

@the_rock @Chris_Atkinson 

Dears,

Could you please advise me on the above?

0 Kudos
Blason_R
Leader

Should not be a problem, and it worked well; I have configured at least a couple of scenarios with ExpressRoute and DX connectivity with AWS. Yes, BGP listens on the cluster interface. You need to define a rule that specifically opens port 179, and this needs to be added above the stealth rule. You can define the neighbor IPs in the rule base. And then you will have to add an inbound route-filter, else CP will not accept and install routes.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
HBK
Contributor

Hi Blason,

Thank you very much for your response.

If you don't mind, can I have the relevant screenshots for the same?

Will the second peer's details also be mentioned in the peer group as a secondary IP?

What about the peer IP on the CP side? Since the CPs are clustered, we have to use the VIP as the peer IP, right?

0 Kudos
Blason_R
Leader

Here is the config - this should give you a hint. As I said before, ensure you add a rule above the stealth rule where the source is your peer IP, the destination is your cluster object and the port is TCP/179.

I enabled ECMP here; it may or may not be needed in your scenario.

set bgp ecmp on
set bgp external remote-as 97xxx on
set bgp external remote-as 97xxx import-routemap "ACCEPTAWSDX" preference 10 on
set bgp external remote-as 97xxx peer 172.43.xx.xx on
set bgp external remote-as 97xxx peer 172.43.xx.xx holdtime 15
set bgp external remote-as 97xxx peer 172.43.xx.xx keepalive 5
set bgp external remote-as 65001 on
set bgp external remote-as 65001 peer 192.168.xx.xx on
set bgp external remote-as 65001 peer 192.168.xx.xx allowas-in-count 5
set bgp external remote-as 65001 peer 192.168.xx.xx holdtime 15
set bgp external remote-as 65001 peer 192.168.xx.xx keepalive 5

set route-redistribution to bgp-as 97xxx from static-route 10.30.10.0/28 on
set route-redistribution to bgp-as 97xxx from static-route 172.16.0.0/12 on
set route-redistribution to bgp-as 97xxx from static-route 192.168.0.0/16 on
set route-redistribution to bgp-as 65001 from static-route 10.30.10.0/28 on
set route-redistribution to bgp-as 65001 from static-route 172.16.0.0/12 on
set route-redistribution to bgp-as 65001 from static-route 192.168.0.0/16 on
set routemap ACCEPTAWSDX id 10 on
set routemap ACCEPTAWSDX id 10 allow
set routemap ACCEPTAWSDX id 10 match network 10.100.0.0/16 exact
set routemap ACCEPTAWSDX id 30 on
set routemap ACCEPTAWSDX id 30 allow
set routemap ACCEPTAWSDX id 30 match network 10.120.10.0/24 exact
set routemap ACCEPTAWSDX id 35 on
set routemap ACCEPTAWSDX id 35 allow
set routemap ACCEPTAWSDX id 35 match network 10.120.11.0/24 exact
set routemap ACCEPTAWSDX id 50 on
set routemap ACCEPTAWSDX id 50 restrict
set inbound-route-filter bgp-policy 512 based-on-as as 97xxx on
set inbound-route-filter bgp-policy 512 accept-all-ipv4
set inbound-route-filter bgp-policy 516 based-on-as as 65001 on
set inbound-route-filter bgp-policy 516 accept-all-ipv4


 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
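As an added example (not Blason's code and not a Check Point tool): a small Python audit of a Gaia clish BGP configuration dump that checks the two inbound-side points made in this thread, that every eBGP remote AS is covered by an inbound-route-filter (otherwise the learned routes are not accepted and installed) and that an import route-map ends in an explicit restrict entry, as ACCEPTAWSDX does with id 50. The configuration it runs on is a constructed sample in the style of the config posted above; the AS numbers, route-map name and peer addresses are placeholders.

```python
"""Audit a Gaia clish BGP configuration dump for the inbound-filtering points
raised in the thread: every eBGP remote AS should be covered by an
inbound-route-filter (otherwise Gaia does not accept and install the learned
routes), and an import route-map should end in an explicit 'restrict' entry
so that prefixes nobody whitelisted are dropped rather than installed."""
import re
from collections import defaultdict

# Constructed sample in the style of the config posted above. AS numbers,
# route-map name and peer addresses are placeholders, not a real deployment.
# Remote AS 65001 deliberately lacks both an import route-map and an
# inbound-route-filter so the audit has something to report.
SAMPLE_CONFIG = """\
set bgp external remote-as 65010 on
set bgp external remote-as 65010 import-routemap "ACCEPTAZURE" preference 10 on
set bgp external remote-as 65010 peer 192.0.2.1 on
set bgp external remote-as 65010 peer 192.0.2.1 holdtime 15
set bgp external remote-as 65010 peer 192.0.2.1 keepalive 5
set bgp external remote-as 65001 on
set bgp external remote-as 65001 peer 192.0.2.5 on
set routemap ACCEPTAZURE id 10 on
set routemap ACCEPTAZURE id 10 allow
set routemap ACCEPTAZURE id 10 match network 10.100.0.0/16 exact
set routemap ACCEPTAZURE id 50 on
set routemap ACCEPTAZURE id 50 restrict
set inbound-route-filter bgp-policy 512 based-on-as as 65010 on
set inbound-route-filter bgp-policy 512 accept-all-ipv4
"""

REMOTE_AS = re.compile(r"^set bgp external remote-as (\d+) (.*)$")
PEER_ON = re.compile(r"^peer (\S+) on$")
IMPORT_MAP = re.compile(r'^import-routemap "([^"]+)"')
ROUTEMAP = re.compile(r"^set routemap (\S+) id (\d+) (allow|restrict)$")
INBOUND = re.compile(r"^set inbound-route-filter bgp-policy \d+ based-on-as as (\d+) on$")


def parse_config(text):
    """Collect, per remote AS, its peers, its import route-map and whether an
    inbound-route-filter names it; plus the allow/restrict entries of each route-map."""
    peers = defaultdict(set)
    import_maps = {}
    routemap_entries = defaultdict(dict)
    filtered_as = set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := REMOTE_AS.match(line):
            asn, rest = m.groups()
            peers.setdefault(asn, set())  # register the AS even before a peer line
            if pm := PEER_ON.match(rest):
                peers[asn].add(pm.group(1))
            if im := IMPORT_MAP.match(rest):
                import_maps[asn] = im.group(1)
        elif m := ROUTEMAP.match(line):
            name, entry_id, action = m.groups()
            routemap_entries[name][int(entry_id)] = action
        elif m := INBOUND.match(line):
            filtered_as.add(m.group(1))
    return peers, import_maps, routemap_entries, filtered_as


def audit(text):
    """Return a list of human-readable findings; an empty list means the
    inbound side of every remote AS is filtered the way the thread advises."""
    peers, import_maps, routemap_entries, filtered_as = parse_config(text)
    findings = []
    for asn in sorted(peers):
        if asn not in filtered_as:
            findings.append(f"remote-as {asn}: no inbound-route-filter, learned routes will not be installed")
        name = import_maps.get(asn)
        if name is None:
            findings.append(f"remote-as {asn}: no import route-map, every prefix passing the inbound filter is accepted")
            continue
        entries = routemap_entries.get(name, {})
        # The highest-numbered entry is evaluated last; it should be a restrict.
        if not entries or entries[max(entries)] != "restrict":
            findings.append(f"remote-as {asn}: import route-map {name} has no terminal restrict entry")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the output of `show configuration` from clish (saved to a file) instead of the sample and it reports, per remote AS, what is missing. Only the remote-AS, routemap and inbound-route-filter lines are parsed; anything else in the dump is ignored.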
HBK
Contributor

Hi Blason,

Thank you very much for sharing the configurations.

Currently we are not enabling ECMP, and the second link will only be for redundancy in case of any failure.

As I mentioned in the previous chat, I still have confusion about the RID and which IP we need to define. I saw in many posts that if the CPs are clustered the RID must be the VIP; in my scenario I will have two VIPs. In addition, where do I need to define the backup peer IP details? If you are able to share a screenshot, it would be much appreciated.


In Cisco I know that we can create one loopback and define the update source as the loopback interface; it is a bit easier.


Thanks,

to 


0 Kudos
the_rock
Legend

I also have some examples if needed.

Andy

0 Kudos
HBK
Contributor

@the_rock 

Can I have the same?

BR,

0 Kudos
the_rock
Legend

You can, but it all depends on what part specifically you need: prefix-list, route maps?

0 Kudos
HBK
Contributor

Hi 

As I mentioned in the previous conversation, which IP should be my RID? Can I create a loopback and assign the loopback as the RID?

Since we have two IPs for peering, where do I need to add the secondary IP? Advanced Routing -> BGP -> under the peer group -> add both peer IPs; is that the right way? Screenshot attached.

Thanks.

CP_ER.PNG

0 Kudos
the_rock
Legend

You don't assign a loopback IP to anything here at all. Just follow the section below; it explains it there.

Andy

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_Gaia_Advanced_Routing_AdminGuide/T...

Here is an example from my lab:

[Expert@quantum-firewall:0]# clish
quantum-firewall> show bgp summary

Routing Process BGP
State is on
Local Autonomous System is 65514
Default Weight is 0
IPv4 BGP Route Rank is 170
IPv6 BGP Route Rank is 170
ECMP is off
IGP Synchronization is off
quantum-firewall> show bgp peers

Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.21.1 65515 0 0 Active 0 0 00:00:00
quantum-firewall> show bgp
errors - Show error notifications received from BGP peers
groups - Show summary of all BGP peer groups
memory - Show detailed breakdown of BGP memory usage
paths - Show summary of all AS paths stored by BGP
peer - Show information for a BGP peer
peers - Show all BGP peers
routemap - Show import and export Route Maps per peer group
stats - Show BGP statistics
summary - Show summary of BGP information
quantum-firewall> show bgp stats

Peer: 169.254.21.1
Received Sent
Opens 1 1
Notifications 0 1
Updates 0 0
Keepalives 6471 5673
Route Refresh 0 0

quantum-firewall>


Screenshot_1.png


Screenshot_2.png


0 Kudos
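As an added example, not part of Andy's post and not a Check Point tool: a Python parser for the `show bgp peers` and `show bgp stats` clish output shown above, turning the "verify with show bgp commands" step into a check that can run from a monitoring job. It flags a peer that is in any state other than Established (the lab output above shows Active with zero routes), an Established peer that carries no routes (a typical symptom of a missing inbound route-filter), and a peer that has sent or received NOTIFICATION messages (the lab stats show one sent, i.e. a session torn down). The sample output is constructed in the shape of the lab output; the second peer and its counters are made up, and the handling of the optional R/W flags column is an assumption about the format.

```python
"""Parse the 'show bgp peers' and 'show bgp stats' clish output and flag
sessions that are not actually up: a peer in any state other than
Established, one that is up but carries no routes, or one that has
exchanged NOTIFICATION messages (a session being torn down, for example
after a parameter mismatch with the far side)."""

# Constructed samples in the shape of the lab output above; the second peer
# and all counters are made up for the demonstration.
SAMPLE_PEERS = """\
Flags: R - Peer restarted, W - Waiting for End-Of-RIB from Peer

PeerID AS Routes ActRts State InUpds OutUpds Uptime
169.254.21.1 65515 0 0 Active 0 0 00:00:00
169.254.22.1 65515 12 12 Established 3 1 02:15:40
"""

SAMPLE_STATS = """\
Peer: 169.254.21.1
Received Sent
Opens 1 1
Notifications 0 1
Updates 0 0
Keepalives 6471 5673
Route Refresh 0 0

Peer: 169.254.22.1
Received Sent
Opens 1 1
Notifications 0 0
Updates 3 1
Keepalives 2710 2708
Route Refresh 0 0
"""

PEER_HEADER = "PeerID AS Routes ActRts State InUpds OutUpds Uptime"


def parse_peers(text):
    """Return {peer_ip: {"as", "routes", "active", "state"}} from 'show bgp peers'.
    Rows are split positionally on the header's columns; an R/W flag, if
    present, is assumed to follow the State column and is not needed here."""
    peers = {}
    in_table = False
    for line in text.splitlines():
        if line.strip() == PEER_HEADER:
            in_table = True
            continue
        fields = line.split()
        if not in_table or len(fields) < 5:
            continue
        peers[fields[0]] = {
            "as": int(fields[1]),
            "routes": int(fields[2]),
            "active": int(fields[3]),
            "state": fields[4],
        }
    return peers


def parse_stats(text):
    """Return {peer_ip: {counter_name: (received, sent)}} from 'show bgp stats'."""
    stats = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Peer:"):
            current = line.split(":", 1)[1].strip()
            stats[current] = {}
            continue
        # Counter names may contain a space ("Route Refresh"), so split from the right.
        fields = line.rsplit(None, 2)
        if current is None or len(fields) != 3:
            continue
        if not (fields[1].isdigit() and fields[2].isdigit()):
            continue
        stats[current][fields[0]] = (int(fields[1]), int(fields[2]))
    return stats


def unhealthy_peers(peers_text, stats_text):
    """Return {peer_ip: [reasons]} for every peer that deserves an alert."""
    peers = parse_peers(peers_text)
    stats = parse_stats(stats_text)
    problems = {}
    for ip, info in peers.items():
        reasons = []
        if info["state"] != "Established":
            reasons.append(f"state {info['state']}")
        elif info["routes"] == 0:
            reasons.append("established but no routes received (check inbound filters)")
        rcvd, sent = stats.get(ip, {}).get("Notifications", (0, 0))
        if rcvd or sent:
            reasons.append(f"notifications received={rcvd} sent={sent}")
        if reasons:
            problems[ip] = reasons
    return problems


if __name__ == "__main__":
    for ip, reasons in unhealthy_peers(SAMPLE_PEERS, SAMPLE_STATS).items():
        print(ip, "->", "; ".join(reasons))
```

In practice the two text blocks come from running the clish commands (for example over SSH from a monitoring host) and the returned dictionary feeds whatever alerting is in place; a peer that shows up here is the one to investigate with the peer settings on the far side before reaching for zdebug.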
