Hi everyone,
I currently have an Azure-deployed Check Point ClusterXL HA environment (Active/Standby) and I’m considering enabling BGP Graceful Restart.
The current topology looks like this:
Two Check Point gateways in a ClusterXL HA setup.
Each gateway establishes a VPN tunnel (VTI) to an Azure Virtual Network Gateway.
Both firewalls are peering via BGP to a private Azure IP (<BGP Peer IP>), which belongs to the Azure Virtual Network Gateway.
The Virtual Network Gateway in turn peers with on-prem Cisco routers through another connection.
Everything is working fine as-is.
My question is:
➡️ If I enable BGP Graceful Restart on member A (which is currently active), is there any risk that this could trigger a failover in the cluster before applying the same setting to member B?
I’m concerned whether this change could:
Reset the BGP session on the active member.
Potentially cause ClusterXL to detect a failover condition (due to lost routes or VTI reachability loss).
Has anyone here performed this adjustment in a similar Azure setup with Cisco routers behind the Virtual Network Gateway?
Would you recommend applying this live, or is it better done during a maintenance window?
Appreciate any advice or shared experience.
Thanks in advance!
I tested this in an Azure lab last year and it was fine; enabling it did not cause any issues, it actually helped. I have a gut feeling that setting is always needed for BGP to fully function without any network outage.
Andy
The test you mention, was it also of a cluster?
According to the following sk https://support.checkpoint.com/results/sk/sk100499
I would just need to check the Graceful Restart box.
Yes and yes 🙂
I have a follow-up question regarding this setting.
Would enabling it only on the Check Point cluster side cause any impact on BGP behavior?
I’m asking because I’m not entirely sure if this option can also be enabled on the Azure VPN Gateway side.
If it cannot be enabled on Azure, would it still be safe to activate it just on the cluster side?
And if it can be enabled on both sides, should it be configured simultaneously to avoid any route synchronization or session issues?
Appreciate any insights you can share on this — I just want to make sure we don’t introduce any BGP instability.
Thanks again!
I don't have an Azure cluster in the lab any more (it was costing too much money to keep it on constantly), but to answer your question, when I did have it, I had a VPN between the on-prem cluster and the Azure one and my colleague and I also built BGP peering and that setting was enabled on both sides, no issues.
Hey Jenn,
Just ended up building an Azure cluster today to test this (was curious if it's the same behavior in R82) and it was fine, no problems.
Be mindful of the drawbacks of GR for BGP:
https://blog.ipspace.net/2024/01/bgp-graceful-restart-harmful/
You could be doing more harm than good unless you have other ways to detect a potential outage such as ip-reachability-detection with either BFD (single-hop or multi-hop) or ICMP echo; both of which Gaia's BGP supports. If you use BFD, be sure you enable the control plane check as well (the C-bit) so that you aren't fate-sharing BFD and BGP blindly.
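The two sides of this thread (GR avoids an outage during a control-plane restart, but without BFD it can keep forwarding into a dead peer) can be made concrete with a small model. The following is an added example written for this thread, not Check Point, Gaia or Azure code: it simulates a BGP Graceful Restart helper per RFC 4724 and the RFC 5882 C-bit rule, with every timer (hold time, restart time, BFD detection interval, re-establish time), the prefix `10.0.0.0/16` and the peer `10.1.0.4` being constructed values rather than Gaia defaults. Whether and how Gaia exposes the C-bit check is left to the SK and the `ip-reachability-detection` documentation; the model only shows why the knob matters.

```python
"""Simplified model of a BGP Graceful Restart helper (RFC 4724) with and
without BFD-based forwarding-plane detection (RFC 5882 C-bit semantics).

Added example for this thread; it is not Check Point/Gaia code, and every
timer and address below is a constructed value, not a Gaia default.
"""
from __future__ import annotations

TICK = 0.1                 # simulation step in seconds
MAX_TICKS = 3000           # 300 s horizon
HOLD_TIME = 90.0           # BGP hold timer: how long a silent peer goes unnoticed
GR_RESTART_TIME = 120.0    # how long a helper keeps a restarting peer's routes
REESTABLISH_TIME = 5.0     # time the restarting peer needs to send End-of-RIB
BFD_DETECT_TIME = 0.9      # e.g. 3 x 300 ms BFD detection interval
PREFIX, PEER = "10.0.0.0/16", "10.1.0.4"   # constructed Azure-side prefix / BGP peer


class GrHelper:
    """Local router keeping routes alive on behalf of a restarting peer."""

    def __init__(self, gr: bool, bfd: bool = False, c_bit: bool = False):
        self.gr, self.bfd, self.c_bit = gr, bfd, c_bit
        self.rib: dict[str, tuple[str, bool]] = {}   # prefix -> (nexthop, stale)
        self.session_up = True
        self.stale_deadline: float | None = None

    def learn(self, prefix: str, nexthop: str) -> None:
        self.rib[prefix] = (nexthop, False)

    def session_lost(self, now: float) -> None:
        """BGP session to the peer went down (hold timer, TCP reset, BFD)."""
        if not self.session_up:
            return
        self.session_up = False
        if not self.gr:
            self.rib.clear()                       # classic: withdraw everything
            return
        self.rib = {p: (nh, True) for p, (nh, _) in self.rib.items()}  # keep as stale
        self.stale_deadline = now + GR_RESTART_TIME

    def flush_stale(self) -> None:
        self.rib = {p: v for p, v in self.rib.items() if not v[1]}
        self.stale_deadline = None

    def bfd_down(self) -> None:
        """BFD declared the peer unreachable."""
        # C-bit set: the peer's BFD runs independently of its control plane,
        # so a BFD failure means the forwarding plane is gone: drop stale now.
        # C-bit clear: BFD may have died only because the peer's control
        # plane restarted, so RFC 5882 says keep the stale routes.
        if self.bfd and self.c_bit:
            self.flush_stale()

    def peer_reestablished(self, routes: dict[str, str]) -> None:
        """Peer is back and has sent its routes plus End-of-RIB."""
        self.session_up = True
        self.rib = {p: (nh, False) for p, nh in routes.items()}
        self.stale_deadline = None

    def tick(self, now: float) -> None:
        if self.stale_deadline is not None and now >= self.stale_deadline:
            self.flush_stale()

    def nexthop(self, prefix: str) -> str | None:
        entry = self.rib.get(prefix)
        return entry[0] if entry else None


def blackhole_window(gr: bool, bfd: bool = False, c_bit: bool = False) -> float:
    """Peer's forwarding plane dies silently at t=0. Returns how many seconds
    the helper keeps sending PREFIX traffic into the dead peer."""
    h = GrHelper(gr, bfd, c_bit)
    h.learn(PREFIX, PEER)
    lost = 0
    for ticks in range(MAX_TICKS):
        now = round(ticks * TICK, 1)
        if bfd and now >= BFD_DETECT_TIME:
            h.session_lost(now)                    # BGP reacts to the BFD failure
            h.bfd_down()
        if now >= HOLD_TIME:
            h.session_lost(now)                    # hold timer finally expires
        h.tick(now)
        if h.nexthop(PREFIX) != PEER:
            break
        lost += 1
    return round(lost * TICK, 1)


def restart_outage(gr: bool, bfd: bool = False, c_bit: bool = False) -> float:
    """Peer's control plane restarts at t=0 but its forwarding plane keeps
    passing traffic. Returns how many seconds the helper has no route."""
    h = GrHelper(gr, bfd, c_bit)
    h.learn(PREFIX, PEER)
    h.session_lost(0.0)                            # TCP session reset by the restart
    no_route = 0
    for ticks in range(MAX_TICKS):
        now = round(ticks * TICK, 1)
        if now >= REESTABLISH_TIME:
            h.peer_reestablished({PREFIX: PEER})
            break
        if bfd and not c_bit and now >= BFD_DETECT_TIME:
            h.bfd_down()                           # control-plane-bound BFD dies too
        h.tick(now)
        if h.nexthop(PREFIX) is None:
            no_route += 1
    return round(no_route * TICK, 1)


if __name__ == "__main__":
    for cfg in [dict(gr=False), dict(gr=True), dict(gr=True, bfd=True),
                dict(gr=True, bfd=True, c_bit=True)]:
        print(f"{cfg}: blackhole {blackhole_window(**cfg)} s, "
              f"planned-restart outage {restart_outage(**cfg)} s")
```

With these constructed timers, GR alone turns a 90 s hold-timer blackhole into a 210 s one, BFD without the C-bit still leaves the stale routes in place for the full restart time, and only BFD with the C-bit set shrinks the window to the BFD detection interval; in the planned-restart case GR is what keeps the outage at zero, which is the benefit the earlier replies describe.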