BGP advice for Azure ARS

Hello Guys,

Seek assistance in understanding how we can establish routes from our partner firewall to our Checkpoint firewall through an IPsec tunnel.

In our current environment, we have deployed the Checkpoint firewall on an Azure VM, and the subnets of our internal office locations are connected to an ISP SDWAN. The ISP SDWAN router is further connected to Azure Express Route.

We have successfully configured an IPsec tunnel between our Checkpoint firewall and the partner location. When accessing the partner subnets via the IPsec tunnel from our Azure Vnets, everything works flawlessly without any issues.

However, we have encountered a problem when attempting to announce the 3rd party partner subnet in Azure Express Route to the ISP SDWAN router. The routes are not being distributed between the ISP SDWAN and Azure Express Route. Consequently, any user trying to connect to the partner subnet from an office location experiences dropped traffic at the ISP SDWAN router. Even manually announcing the partner route in the ISP SDWAN router does not resolve the issue. Azure ExpressRoute follows a specific route propagation mechanism and only advertises the subnets associated with Azure resources. When using Azure ExpressRoute, the route propagation is typically automatic and based on the route filters and route table associations configured in Azure.

To address these challenges, we kindly request assistance in clarifying the following queries:

1. Is it possible to configure BGP peering and learn subnets in a policy-based VPN?
2. We currently have a policy-based VPN configuration. Is it feasible to convert it to a route-based VPN and establish BGP? If so, would this impact our existing traffic?
3. What are your thoughts on establishing a GRE tunnel between the Checkpoint and the partner in order to establish BGP peering and learn the subnets?

Our goal is to enable our office location subnets to connect with 3rd party partner subnets via the Checkpoint IPsec tunnel, following the path: Office Router -> ISP SDWAN Router -> Azure -> Checkpoint -> 3rd Party Server.

We planned to deploy Azure Route Server (ARS); how effective would that be?

We would greatly appreciate your guidance and expertise in finding a suitable solution for this traffic routing challenge.

Thank you in advance for your support.

3 Replies

Policy-based VPNs must have the encryption domains configured with the relevant subnets that need to be accessed.
To do this based on routing (either static or dynamic), you must use a Route-based VPN.
Converting between the two is possible, of course, but you can also run both domain and route-based VPNs at the same time, subject to some restrictions.
On the Check Point side, you'll need to:

  • Create the VTIs
  • Change the remote encryption domains to "empty"
  • Configure the routing accordingly (either via static/dynamic routes)

I'm fairly certain adding a GRE tunnel won't make this any easier.


Hello PhoneBoy,

Thanks for your response. We planned to configure and advertise the route from Azure Route Server to the ISP SDWAN Router. For that we need to configure eBGP between the CP and Azure. However, the state is still "Active" on the Check Point firewall.

We configured BGP between Azure and the CP and the config seems good. We even allowed the ACL for port 179 for BGP communication, and there is no denied traffic observed in fw zdebug.

Please find the below summary and tcp dump output.

-- eBGP configuration is done based on the sk95967.
-- Configuration wise everything is good.
-- Still BGP on Check Point is stuck in ACTIVE state.
-- Checked tcpdump on port 179, could see SYN, SYN-ACK and ACK completing.
-- Could see Open message from Azure which the proper configuration.
-- After a few seconds, noticed a Notification message from Azure coming to Check Point stating Hold timer expired.
-- Even after restarting the BGP still BGP states are stuck in ACTIVE state.

TCPDUMP OUTPUT: (Snip Attached)

Thank you for your understanding.

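A small decoder for the kind of capture described in this post, added here as an illustration rather than anything from the thread or from Check Point: it parses the BGP OPEN and NOTIFICATION messages seen on TCP/179 and explains what a peer-sent "Hold Timer Expired" right after its OPEN means (per RFC 4271, a speaker in OpenSent sends that NOTIFICATION when nothing comes back from the other side within its hold time). The sample bytes, ASN, hold time and router ID are constructed placeholders, not values from the thread.

```python
import struct

# BGP-4 header and message layouts (RFC 4271)
MARKER = b"\xff" * 16
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
ERROR_CODES = {1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}

def build_open(asn, hold_time, bgp_id):
    """Encode an OPEN with no optional parameters (only used to build the constructed sample)."""
    body = struct.pack("!BHHIB", 4, asn, hold_time, bgp_id, 0)
    return MARKER + struct.pack("!HB", 19 + len(body), 1) + body

def build_notification(code, subcode=0):
    body = struct.pack("!BB", code, subcode)
    return MARKER + struct.pack("!HB", 19 + len(body), 3) + body

def parse_bgp_stream(data, direction):
    """Split one direction of a TCP/179 payload into decoded BGP messages."""
    msgs, off = [], 0
    while off + 19 <= len(data):
        if data[off:off + 16] != MARKER:
            raise ValueError(f"bad BGP marker at offset {off}")
        length, mtype = struct.unpack("!HB", data[off + 16:off + 19])
        body = data[off + 19:off + length]
        msg = {"dir": direction, "type": MSG_TYPES.get(mtype, f"unknown({mtype})")}
        if mtype == 1:  # OPEN: version, my AS, hold time, BGP identifier, opt-param length
            ver, asn, hold, bgp_id, _ = struct.unpack("!BHHIB", body[:10])
            msg.update(version=ver, asn=asn, hold_time=hold,
                       bgp_id=".".join(str(b) for b in struct.pack("!I", bgp_id)))
        elif mtype == 3:  # NOTIFICATION: error code, subcode, optional data
            msg.update(error=ERROR_CODES.get(body[0], f"unknown({body[0]})"), subcode=body[1])
        msgs.append(msg)
        off += length
    return msgs

def diagnose(msgs):
    """Interpret a peer-sent Hold Timer Expired in terms of what the capture actually shows."""
    peer_open = any(m["dir"] == "from_peer" and m["type"] == "OPEN" for m in msgs)
    local_sent = {m["type"] for m in msgs if m["dir"] == "to_peer"}
    expired = any(m["dir"] == "from_peer" and m.get("error") == "Hold Timer Expired" for m in msgs)
    if expired and peer_open and not local_sent & {"OPEN", "KEEPALIVE"}:
        return ("peer sent OPEN then Hold Timer Expired, but no OPEN/KEEPALIVE left the local side: "
                "verify the local peer definition (peer address, local/remote AS, source interface) "
                "and that the local OPEN is not dropped on the path")
    if expired:
        return "peer reported Hold Timer Expired despite local messages: check hold-time negotiation and path drops"
    return "no hold-timer problem seen in this capture"

# Constructed sample matching the symptom above: peer OPEN, then Hold Timer Expired; nothing sent locally.
SAMPLE_FROM_PEER = build_open(65515, 180, 0x0A000104) + build_notification(4)
SAMPLE_TO_PEER = b""
```

In practice you would feed each direction of the TCP/179 payload from the tcpdump capture to parse_bgp_stream and then pass both lists to diagnose.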

You probably need to debug BGP here to see what's going on: 
This might also require TAC assistance: 

