This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AaronPW
Contributor
a week ago

CP3600 BGP Configuration and advertised networks.

Hello.  I'm removing a Cisco router from our network and moving the BGP from that to our 3600 cluster on R81.10.

I see how to setup the Router ID and AS number. 

Where do I specify what networks are advertised as I would on a Cisco setup?  I've looked at some documentation but not seeing anything really on this.  And I have never had to setup BGP on a Checkpoint. 

For example, here is my Cisco config and I am basically moving this to my cluster. 

router bgp 63038
no synchronization
bgp log-neighbor-changes
network 10.1.95.0 mask 255.255.255.0
network 10.95.0.0 mask 255.255.0.0
network 10.88.68.0 mask 255.255.254.0
network 192.168.46.8 mask 255.255.255.248
neighbor 192.168.39.154 remote-as 13955
neighbor 192.168.39.154 next-hop-self
no auto-summary

Labels
0 Kudos
13 Replies
Alex-
Advisor
Advisor
a week ago

You create a route-map and some conditions to import and export routes into BGP.

for instance:

 

set routemap bgp_export id 10 on

set routemap bgp_export id 10 match protocol static

set router-id <router-id>

set as <as>

set bgp external remote-as <remote-as> on

set bgp external remote-as peer <peer> on

set bgp external remote-as <remote-as> export-routemap routemap bgp_export preference 10 on

And similar for import routes. You will find the exact syntax in the advanced routing guide for R81.10.

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Gaia_Advanced_Routing_AdminG...

Duane_Toler
Advisor
a week ago

To add to the comment from @Alex-: Be sure BOTH cluster nodes are set for the SAME ASN, SAME router-id, and be sure they both have the same routemap commands applied.  Some vendor HA products want the two nodes to have different Router-IDs, but not ClusterXL.  I had a customer try to do different ASN and different router IDs on the ClusterXL nodes; it was as bad as you can imagine.  Don't do that.

Check your Cisco router BGP capabilities, too.  You may want to enable graceful-restart, route-refresh, and communities.  None of these are default on Gaia.

set bgp communities on
set bgp external remote-as PEER_ASN peer PEER_IP graceful-restart on
set bgp external remote-as PEER_ASN peer PEER_IP route-refresh on

 

AaronPW
Contributor
a week ago
In response to Duane_Toler

Thanks to both of you.  This is a bit different than BGP setup than I'm used to so hopefully I don't run into any issues with this after migrating my end over to the Cluster.  I did read that you need to make sure both members of the cluster are configured identically so thank for the confirmation.  Much appreciated. 

0 Kudos
Duane_Toler
Advisor
a week ago
In response to AaronPW

Keep in mind, as with any dynamic routing protocol, it can only originate an advertisement for routes in the FIB ("the route table"), as well as what was learned from other neighbors (the RIB).  If you need to advertise a route that is not directly-attached, then you need to add the route as a static route, THEN advertise it with "match protocol static" and "match interface FOO" where FOO is the outgoing interface for said route.

Let us know if you need any help.

 

CheckPointerXL
Advisor
a week ago
In response to Duane_Toler

NAT pools is also other most elegant workaround

 

https://support.checkpoint.com/results/sk/sk179549

AaronPW
Contributor
a week ago
In response to Duane_Toler

All the routes are directly attached routes and this will be my introduction to route maps on the Checkpoint platform.  My upgrade got pushed off until Monday so I'm going to look at it more.  

0 Kudos
Alex-
Advisor
Advisor
a week ago
In response to AaronPW

In this case you change the protocol to match "direct" in the export route map and all subnets configured on local interfaces should be redistributed.

 

You can use the following commands to check peering and advertisements

show bgp peer <peer-ip>

show bgp peers #displays all peerings

show bgp peer <peer-ip> received

show bgp peer <peer-ip> advertise

AaronPW
Contributor
a week ago
In response to Alex-

Well I don't want all subnets, just those four.  So I make a match statement in my route map config for those networks correct?

0 Kudos
Alex-
Advisor
Advisor
a week ago
In response to AaronPW

You can add a prefix-list to match your subnets and add the match prefix-list <name> statement in the corresponding route-map entry. 

AaronPW
Contributor
Friday
In response to Alex-

Thanks.  I'm going to try this Monday.  

Thanks for all the tips. I need to find a way to setup a test system for this so I can test configs and not do them cold on a production system.  But I find that outside of Cisco most other vendors don't have as robust a testing environment.

0 Kudos
Alex-
Advisor
Advisor
Friday
In response to AaronPW

It's actually not so complex. Spin up a few VM on your hypervisor of choice and go from there.

All you need is a SMS and two gateways on a virtual network, one in each AS. Load them up with loopback interfaces to simulate local subnets and next-hops for static-routes and play with roadmaps and prefix-lists.

 

When I need to test something, I often use Hyper-V out of the box on a Windows laptop.

Duane_Toler
Advisor
Friday
In response to Alex-

Yep, what @Alex- says is 100% spot-on.  You can also keep testing with Gaia and routing stuff long after the 15-day eval expires, too.  You can't do anything policy-wise and pass traffic across the gateways, but you don't need that to test routing services and advertisements/announcements.

AaronPW
Contributor
Friday
In response to Alex-

I'm working on setting up a test lab. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events