Ivory

BGP routing through R80.10 gateway and packet inspection

We are currently looking to locate a VPN router within a DMZ and to establish a BGP session to an internal router that sits behind a Check Point R80.10 gateway. Other than inspecting the BGP session packets, would the firewall also inspect the packets between the two hosts as shown in the diagram? For example, if host A was attempting to SSH to host B, would the firewall block that connectivity unless a firewall rule was configured to allow it?

2 Replies

Sure, traffic between host A and B would still have to cross the firewall. BGP isn't a tunnel; it's just a distributed route database application, basically.

I think a problem you should keep in mind is that the firewall will need to know what networks exist behind the VPN router, and the topology will need to be updated to reflect this.

In addition, assuming the BGP peers are on different ASes, you'll need to tweak the BGP conf with ebgp multi-hop and possibly next-hop-self. You'll need the multi-hop because eBGP defaults to an IP TTL of 1. With ebgp multihop 2 it becomes 2 and you'll be able to reach the router that is one hop away.
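
To make the two points in this reply concrete, here is a small Python model added to the thread (not code from the poster or from Check Point) of the topology being discussed: a VPN router in the DMZ, the firewall as the single transit hop, and the internal router as the eBGP peer. The addresses, hop names, rulebase tuples and the placement of host A in the DMZ and host B behind the internal router are assumptions.

```python
# Constructed model of the thread's topology: a VPN router in the DMZ peering
# by eBGP with an internal router one hop behind the firewall. Addresses, hop
# names and rule tuples are invented for illustration.
from dataclasses import dataclass

BGP_PORT = 179

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    ttl: int

class Firewall:
    """Transit hop with a default-drop rulebase of (src, dst, proto, dport)."""
    def __init__(self, name, allow):
        self.name, self.allow = name, set(allow)
    def permits(self, p: Packet) -> bool:
        return (p.src, p.dst, p.proto, p.dport) in self.allow

def forward(p: Packet, transit: list) -> str:
    """Carry p across the transit hops to its destination. A hop discards a
    packet arriving with TTL 1 (decrementing would give 0); otherwise it
    decrements and forwards, and a Firewall hop also applies its rulebase."""
    for hop in transit:
        if p.ttl <= 1:
            return f"ttl-expired at {hop.name}"
        p.ttl -= 1
        if isinstance(hop, Firewall) and not hop.permits(p):
            return f"dropped-by-policy at {hop.name}"
    return "delivered"

def bgp_open(src, dst, multihop_ttl=1) -> Packet:
    """eBGP sends with TTL 1 unless ebgp-multihop raises it."""
    return Packet(src, dst, "tcp", BGP_PORT, multihop_ttl)

# Topology: VPN router 10.1.1.1 (DMZ) -> firewall -> internal router 10.2.2.1;
# host A sits in the DMZ, host B behind the internal router (assumed).
VPN_RTR, INT_RTR, HOST_A, HOST_B = "10.1.1.1", "10.2.2.1", "10.1.1.10", "10.2.2.10"
FW = Firewall("fw", allow=[(VPN_RTR, INT_RTR, "tcp", BGP_PORT),
                           (INT_RTR, VPN_RTR, "tcp", BGP_PORT)])
PATH = [FW]   # the firewall is the only transit hop between the two peers

def run_scenarios() -> dict:
    return {
        "bgp, default ttl": forward(bgp_open(VPN_RTR, INT_RTR), PATH),
        "bgp, multihop 2": forward(bgp_open(VPN_RTR, INT_RTR, 2), PATH),
        "ssh A->B, no rule": forward(Packet(HOST_A, HOST_B, "tcp", 22, 64), PATH),
    }
```

The first scenario dies at the firewall because the default eBGP TTL of 1 cannot survive a forwarding hop; the second is delivered once the TTL is raised to 2; the third shows that host-to-host traffic is subject to the same default-drop rulebase as the BGP session itself.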

Ivory

Hi John,

Thanks for your swift reply!

This is what I thought but wanted to make sure before implementing the solution.

I had also read about the impact on the ebgp multi-hop value.

Thanks for confirming.
