This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nflnetwork29
Advisor
‎2023-02-07 06:21 AM

Received BGP routes appear as hidden

I've set up most of the BGP in gaia os but im having some trouble getting the routes to appear in my routing table . I do see them under routing monitor but they appear as hidden.

 

[Expert@cp02:0]# clish -c "show route all" | grep 10.207
B          H i  10.207.0.0/24       via 10.101.24.17, eth4.402, cost None, age 58408
B          H i  10.207.0.0/24       via 10.101.24.1, eth4.401, cost None, age 58200
B          H i  10.207.0.0/24       via 10.101.24.33, eth3.403, cost None, age 57769
B          H i  10.207.3.0/24       via 10.101.24.17, eth4.402, cost None, age 58408
B          H i  10.207.3.0/24       via 10.101.24.1, eth4.401, cost None, age 58200
B          H i  10.207.3.0/24       via 10.101.24.33, eth3.403, cost None, age 57769

 

What am i missing?

I've already gone thru the checkpoint BGP guide but im stuck . Can someone please help me to get this going ?

0 Kudos
7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-02-07 06:54 AM

Generally it will be one of the following:

- no route filter or route-map accepting the routes

- the routes are superseeded by static entries

- the as-path of the route has the local-as prepended which triggers loop prevention (unless you make allowances for it or fix it)

- The next-hop of the route is not as expected

CCSM R77/R80/ELITE
0 Kudos
nflnetwork29
Advisor
‎2023-02-07 06:59 AM
In response to Chris_Atkinson

thank you for the reply how would i go about creating this? ( I did not see this on documentation) 

Is it thru CLI only?

- no route filter or route-map accepting the routes

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-02-07 07:39 AM
In response to nflnetwork29

It's available via both Web UI & CLI.

E.g. Web UI: Advanced Routing > Inbound Route Filters.

This is easier than route-maps but not as granular.

If that doesn't resolve the problem outputs such as "show route bgp aspath " will be helpful.

 

 

CCSM R77/R80/ELITE
0 Kudos
nflnetwork29
Advisor
‎2023-02-07 08:40 AM
In response to Chris_Atkinson

HI Chris, 

Here you go 

set inbound-route-filter bgp-policy 512 based-on-as as 64690 on
set inbound-route-filter bgp-policy 512 accept-all-ipv4
set inbound-route-filter bgp-policy 516 based-on-as as 64700 on
set inbound-route-filter bgp-policy 516 accept-all-ipv4

 

aaa-cp02> show route bgp aspath
Prefix               Nexthop              AsPath

10.207.0.0/24        10.101.24.1          (64541),64690,64899,Incomplete.(Id-3)
                     10.101.24.17
10.207.3.0/24        10.101.24.1          (64541),64690,64899,Incomplete.(Id-3)
                     10.101.24.17
aaa-cp02>

 

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2023-02-07 02:18 PM
In response to nflnetwork29

To confirm what local-as is the Check Point configured for is it one of the as listed there?

Refer also:

https://community.checkpoint.com/t5/Security-Gateways/My-BGP-routes-are-showing-as-Hidden-and-Inacti...

CCSM R77/R80/ELITE
0 Kudos
nflnetwork29
Advisor
‎2023-02-07 03:05 PM
In response to Chris_Atkinson

Local AS 64541

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-02-07 02:49 PM
In response to nflnetwork29

My colleague and I worked with a large client and TAC on this for 4 months until we figured it out. I will look at their config tomorrow to see what you might be missing, but I believe what Chris mentioned makes sense.

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events