Ralitsa_M
Explorer

SMB 1900 Appliance Advertise only default route over BGP

We’re trying to make sure that only the default route gets advertised from the 1900 SMB cluster. Right now, we’re using a routemap to export the default route, but it looks like it’s also matching all other static routes on the firewall - which isn’t what we want. This could cause issues in our setup, especially if more specific routes start taking precedence over connected networks in the peering VRF.
We’ll be filtering the accepted routes on the peering switches as a safeguard, but ideally, we want to get the export right from the start and only send the default route.
Is there a way to tweak the routemap so it matches just the default route and nothing else?

Thanks!

Check Point's 1900 Appliance Gaia Embedded R81.10.17 - Build 653

set routemap defaultRoute id 10 on
set routemap defaultRoute id 10 allow
set routemap defaultRoute id 10 match network 0.0.0.0/0 exact
set routemap defaultRoute id 10 match protocol static

0 Kudos
10 Replies
the_rock
MVP Gold

Your routemap specifically says to match exactly 0.0.0.0/0. Can you change it to match only what's required?

Best,
Andy
0 Kudos
Ralitsa_M
Explorer

Hi Andy,

Thanks for getting back to me. I might be misunderstanding your point - my current routemap is already set to match exactly 0.0.0.0/0.

The issue I’m seeing is that even with that configuration, given the example routing table below, the router still advertises 10.0.0.0/8 and 172.16.0.0/12 along with the default route.

I can't share the BGP advertisement output as currently the sessions are not established. 

Here’s an example from the routing table:

> show route
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
NP - NAT Pool, U - Unreachable, i - Inactive

S 0.0.0.0/0     via 192.168.2.1, LANBOND0.$$, cost 0, age 3036778
S 10.0.0.0/8    via 192.168.1.1, LANBOND0.%%, cost 0, age 3036778
S 172.16.0.0/12 via 192.168.1.1, LANBOND0.%%, cost 0, age 3036778

Could you clarify what you mean by “change it to match only what’s required”? Are you suggesting a different match condition or an additional filter in the routemap?

0 Kudos
the_rock
MVP Gold

I could be mistaken, but 3rd line states to match exactly 0.0.0.0/0. Would that not match EVERYTHING?

 

Best,
Andy
0 Kudos
the_rock
MVP Gold

Here is an example we used in SASE.

set inbound-route-filter bgp-policy 1000 based-on-as as 65001 on
set inbound-route-filter bgp-policy 1000 restrict-all-ipv4
set inbound-route-filter bgp-policy 1000 route 10.255.0.0/16 normal on

Best,
Andy
0 Kudos
Chris_Atkinson
MVP Gold CHKP

If you add another portion to the routemap, say id 100 as restrict, do you still see the same behavior? E.g.:

set routemap defaultRoute id 100 on
set routemap defaultRoute id 100 restrict

CCSM R77/R80/ELITE
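
An added illustration, not part of any reply in this thread and not Check Point's implementation: a generic first-match route-map model run over the static routes from the routing table above, comparing an exact match on 0.0.0.0/0 with and without a trailing restrict term. The `or_longer` match type, the connected route, the AND semantics within a term and the `fallthrough` parameter are assumptions of the model; the thread does not state what the appliance does when no term matches.

```python
import ipaddress

# Constructed sample: the three static routes from the routing table above,
# plus one hypothetical connected network.
ROUTES = [("static", "0.0.0.0/0"), ("static", "10.0.0.0/8"),
          ("static", "172.16.0.0/12"), ("connected", "192.168.1.0/24")]

def prefix_matches(route, pattern, matchtype):
    """Compare a route prefix with a pattern prefix under a match type."""
    r = ipaddress.ip_network(route)
    p = ipaddress.ip_network(pattern)
    if matchtype == "exact":       # same address and same mask length only
        return r == p
    if matchtype == "or_longer":   # hypothetical: pattern and all more-specifics
        return r.subnet_of(p)
    raise ValueError(matchtype)

def term_matches(term, proto, prefix):
    """All conditions present in a term must hold (assumed AND semantics)."""
    if "protocol" in term and term["protocol"] != proto:
        return False
    if "network" in term:
        pattern, matchtype = term["network"]
        return prefix_matches(prefix, pattern, matchtype)
    return True  # a term without conditions matches every route

def exported(terms, routes, fallthrough):
    """Lowest-id matching term decides; otherwise the fall-through action."""
    out = []
    for proto, prefix in routes:
        action = fallthrough
        for term in sorted(terms, key=lambda t: t["id"]):
            if term_matches(term, proto, prefix):
                action = term["action"]
                break
        if action == "allow":
            out.append(prefix)
    return out

ID10_EXACT = {"id": 10, "action": "allow", "protocol": "static",
              "network": ("0.0.0.0/0", "exact")}
ID10_OR_LONGER = dict(ID10_EXACT, network=("0.0.0.0/0", "or_longer"))
ID100_RESTRICT = {"id": 100, "action": "restrict"}

if __name__ == "__main__":
    print(exported([ID10_EXACT], ROUTES, "allow"))
    print(exported([ID10_EXACT, ID100_RESTRICT], ROUTES, "allow"))
```

In this model the exact term selects only 0.0.0.0/0; the other prefixes are exported only when the fall-through action is allow, and the unconditional id 100 restrict term removes that dependency.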
the_rock
MVP Gold

Good call, Chris. I believe my colleague had to do the same for a customer for a SASE issue we had.

Best,
Andy
0 Kudos
the_rock
MVP Gold

Hey @Ralitsa_M 

Let us know if what Chris and I gave helps, or if not, how it gets solved.

Best,
Andy
0 Kudos
Ralitsa_M
Explorer

@the_rock @Chris_Atkinson  Thanks both! I'll test this and get back to you.

0 Kudos
the_rock
MVP Gold

Fingers crossed...hope it works!

Best,
Andy
0 Kudos
the_rock
MVP Gold

I checked with one of my colleagues about this; he said TAC gave him an additional command to run, so it might be worth a case.

Best,
Andy
0 Kudos
