This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
aswin
Contributor
‎2023-06-07 12:23 PM

BGP advice for Azure ARS

Hello Guys,

Seek assistance in understanding how we can establish routes from our partner firewall to our Checkpoint firewall through an IPsec tunnel.

In our current environment, we have deployed the Checkpoint firewall on an Azure VM, and the subnets of our internal office locations are connected to an ISP SDWAN. The ISP SDWAN router is further connected to Azure Express Route.

We have successfully configured an IPsec tunnel between our Checkpoint firewall and the partner location. When accessing the partner subnets via the IPsec tunnel from our Azure Vnets, everything works flawlessly without any issues.

However, we have encountered a problem when attempting to announce the 3rd party partner subnet in Azure Express Route to the ISP SDWAN router. The routes are not being distributed between the ISP SDWAN and Azure Express Route. Consequently, any user trying to connect to the partner subnet from office location they experiences dropped traffic at the ISP SDWAN router. Even manually announcing the partner router in the ISP SDWAN router does not resolve the issue. Azure ExpressRoute follows a specific route propagation mechanism and only advertises the subnets associated with Azure resources.When using Azure ExpressRoute, the route propagation is typically automatic and based on the route filters and route table associations configured in Azure.

To address these challenges, we kindly request assistance in clarifying the following queries:

1. Is it possible to configure BGP peering and learn subnets in a policy-based VPN?
2. We currently have a policy-based VPN configuration. Is it feasible to convert it to a route-based VPN and establish BGP? If so, would this impact our existing traffic?
3. What are your thoughts on establishing a GRE tunnel between the Checkpoint and the partner in order to establish BGP peering and learn the subnets?


Our goal is to enable our office location subnets to connect with 3rd party partner subnets via the Checkpoint IPsec tunnel, following the path: Office Router -> ISP SDWAN Router -> Azure -> Checkpoint -> 3rd Party Server.

We planned to deploy Azure Route server (ARS), how effective that ?

We would greatly appreciate your guidance and expertise in finding a suitable solution for this traffic routing challenge.

Thank you in advance for your support.

 

Preview file
217 KB
0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2023-06-12 08:14 AM

Policy-based VPNs must have the encryption domains configured with the relevant subnets that need to be accessed.
To do this based on routing (either static or dynamic), you must use a Route-based VPN.
Converting between the two is possible, of course, but you can also run both domain and route-based VPNs at the same time, subject to some restrictions.
On the Check Point side, you'll need to:

  • Create the VTIs
  • Change the remote encryption domains to "empty" (0.0.0.0/0)
  • Configure the routing accordingly (either via static/dynamic routes)

I'm fairly certain adding a GRE tunnel won't make this any easier.

0 Kudos
aswin
Contributor
‎2023-06-12 11:23 AM
In response to PhoneBoy

Hello PhoneBoy,

Thanks for your response. we planned to configure and advertise the route from Azure Router server to ISP SDWAN Router. For that need to configure the eBGP between CP to Azure. However, the state is still in "Active" on checkpoint firewall.

We configured the BGP between Azure to CP and seems config is good. Even we allowed the ACL for port 179 for BGP communication and there is no deny traffic observed in fw zdebug.

Please find the below summary and tcp dump output.

-- eBGP configuration is done based on the sk95967.
-- Configuration wise everything is good.
-- Still BGP on Check Point is stuck in ACTIVE state.
-- Checked tcpdump on port 179, could see SYN, SYN-ACK and ACK completing.
-- Could see Open message from Azure which the proper configuration.
-- After few seconds have noticed Notification message from Azure coming to Check Point stating Hold timer expired.
-- Even after restarting the BGP still BGP states are stuck in ACTIVE state.

TCPDUMP OUTPUT: (Snip Attached)

Thank you for your understanding.

Aswin.

 

 

Preview file
98 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-12 01:52 PM
In response to aswin

You probably need to debug BGP here to see what's going on: https://support.checkpoint.com/results/sk/sk101399 
This might also require TAC assistance: https://help.checkpoint.com 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events