This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
DanPamgo
Explorer
‎2025-04-10 03:53 AM

Detect upstream failure and flip BGP default route

I have a 81.20 ClusterXL gateway. It has two interfaces to 2 different ISPs. I receive a default 0.0.0.0/0 route from each one, but using local preference - prefer my 1st ISP.

There have been times where the 1st ISP has an upstream failure, but the BGP session remains up. Therefore, internet connectivity drops.

What is the best way for me to detect this failure and flip the default route (by way of local preference I guess) and then if ISP1 comes back - flip it back. Would this require a script of somes sort?

0 Kudos
2 Replies
LazarusG
Advisor
Advisor
‎2025-04-10 04:29 AM

for an indirect failure I guess some sort of probing to an internet address like 8.8.8.8, then link that to some logic such as isp redundancy (sk34812) or set the default route as a static (not learned from bgp) using ping to 8.8.8.8 and have a floating static to the other peer with a higher rank that takes over if ping on the preferred route fails?

0 Kudos
DanPamgo
Explorer
‎2025-04-10 05:02 AM
In response to LazarusG

I'm follownig you. I think that would work for the outgoing default route problem.

My other concern would be that I advertise a BGP block to both ISP#1 and ISP#2. Except that I use ASPREPEND 5 to ISP#2 to make it the "backup". I would want to flip the ASPREPENDs as well so incoming traffic to my BGP block is also flipped.

I see this script: https://support.checkpoint.com/results/sk/sk35780 , but again - I don't need to failover to another gateway (thats configured the exact same way). I would just need to prefer a different default outbound route and knock the ASPREPEND 5 from ISP#2. Then of course, reverse it when ISP#1 is no longer faulting.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events