Need to announce the x.x.x.x/x network from the firewall to the different AS.
Do I need to have x.x.x.x/x in the firewall's routing table?
Hi,
You will, as @PhoneBoy says, have the route as either a static or from another routing proto like OSPF.
If you want to test something, let's say before things come online or even for some production environments, you can add a Null0 route, also known as a blackhole route.
You just add the route as usual, choosing blackhole as gateway; then it will be available for redist in BGP.
So if you want to redist to another AS, depending on your design of course, you could do a blackhole static to (example) 192.168.22.0/24, and then that can be redistributed even if the link providing that interface is down, or some other routing protocol brings it down. Note that looking at metrics and priorities etc. etc. Best to have a wider blackhole route than using the exact same as the one you want to get over; a blackhole pretty much just drops the traffic.
If you have eBGP to your ISP and you have gotten a /20 prefix with public IP addresses to use, you would put up a blackhole route on your end for that /20 prefix and use it for redist; then the more specific routes in your IGP would take precedence over the wide blackhole, thus dropping all traffic that is not explicitly routed in your network to blackhole. So if you get an interface or a static route with /24 within the same prefix it will take precedence and route it correctly, but the redistributed prefix is still the /20.
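The behaviour described in the reply above, as an added example that is not part of the original thread and is not Gaia configuration: a small longest-prefix-match model showing that the wide blackhole stays in the table for redistribution while more specific routes win for forwarding. The 198.18.0.0/20 prefix, next hops and function names are constructed for illustration.

```python
import ipaddress

# Constructed routing table (prefixes and next hops are sample values).
ROUTES = [
    ("198.18.0.0/20", "blackhole"),  # wide static, present so BGP can advertise it
    ("198.18.1.0/24", "eth1"),       # connected network inside the /20
    ("198.18.4.0/24", "10.0.0.2"),   # more specific route learned from the IGP
    ("0.0.0.0/0", "192.0.2.1"),      # default route towards the ISP
]

def build_table(routes):
    return [(ipaddress.ip_network(prefix), nexthop) for prefix, nexthop in routes]

def lookup(table, dst):
    """Return the next hop chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, nh) for net, nh in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def withdraw(table, prefix):
    """Model a link or IGP failure by removing one exact prefix."""
    gone = ipaddress.ip_network(prefix)
    return [(net, nh) for net, nh in table if net != gone]

def can_redistribute(table, prefix):
    """A prefix is a redistribution candidate only if it is in the table."""
    wanted = ipaddress.ip_network(prefix)
    return any(net == wanted for net, _ in table)

TABLE = build_table(ROUTES)
DEGRADED = withdraw(TABLE, "198.18.1.0/24")  # the connected /24 goes down

if __name__ == "__main__":
    for name, table in (("normal", TABLE), ("link down", DEGRADED)):
        print(name, "advertise /20:", can_redistribute(table, "198.18.0.0/20"))
        for dst in ("198.18.1.10", "198.18.4.7", "198.18.9.9", "203.0.113.5"):
            print(f"  {dst:<14} -> {lookup(table, dst)}")
```

With the /24 withdrawn, the /20 is still a redistribution candidate and traffic for the missing /24 lands on the blackhole instead of following the default route.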
Up through R80.40, adding a blackhole route for the prefix you want to advertise was the preferred way to make it exist in the routing table. Can look a bit confusing to someone else but it got the job done. Starting in R81 Check Point has introduced the concept of "NAT Pools" which is a much more elegant way to accomplish this; here is an excerpt from my Gaia 3.10 Immersion class mentioning this new feature:
Hello Timothy,
Any impact on the network added to NAT Pools?
Let's say I wanna redistribute 10.0.0.0/10 to a BGP peer but I have a lot of smaller networks with different next-hops. Can I safely add 10.0.0.0/10 to NAT Pools to include them all and redistribute it, or is it better to work with route aggregation?
thank you
thanks
Hello Timothy,
I tried NAT pools and I confirm that it works, I can redistribute to BGP peers. (I tried with a host inside a network.)
But something ugly happens in routing tables:
Let's say I wanna enlarge a /32 to a /25 network, is it safe?
Why are you using a NAT Pool that overlaps with an existing route in this way, what is the use case?
If you already have a route for the /24 why would you need a NAT pool the same mask length...
Hello Chris,
The use case is to redistribute a network not in the routing table.
This happens to me with a lot of customers: usually they wanna redistribute one larger network which includes a lot of smaller nets with different next hops.
Please take a look at my example below about the 10.0.0.0/10 network.
In other use cases I need every time to add a static route to make it eligible for redistribution.