This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AaronPW
Contributor
‎2024-06-19 08:43 AM
Jump to solution

CP3600 BGP Configuration and advertised networks.

Hello.  I'm removing a Cisco router from our network and moving the BGP from that to our 3600 cluster on R81.10.

I see how to setup the Router ID and AS number. 

Where do I specify what networks are advertised as I would on a Cisco setup?  I've looked at some documentation but not seeing anything really on this.  And I have never had to setup BGP on a Checkpoint. 

For example, here is my Cisco config and I am basically moving this to my cluster. 

router bgp 63038
no synchronization
bgp log-neighbor-changes
network 10.1.95.0 mask 255.255.255.0
network 10.95.0.0 mask 255.255.0.0
network 10.88.68.0 mask 255.255.254.0
network 192.168.46.8 mask 255.255.255.248
neighbor 192.168.39.154 remote-as 13955
neighbor 192.168.39.154 next-hop-self
no auto-summary

Labels
0 Kudos
1 Solution

Accepted Solutions
Alex-
Leader Leader
Leader
‎2024-06-19 09:07 AM
Jump to solution

You create a route-map and some conditions to import and export routes into BGP.

for instance:

 

set routemap bgp_export id 10 on

set routemap bgp_export id 10 match protocol static

set router-id <router-id>

set as <as>

set bgp external remote-as <remote-as> on

set bgp external remote-as peer <peer> on

set bgp external remote-as <remote-as> export-routemap routemap bgp_export preference 10 on

And similar for import routes. You will find the exact syntax in the advanced routing guide for R81.10.

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Gaia_Advanced_Routing_AdminG...

View solution in original post

16 Replies
Alex-
Leader Leader
Leader
‎2024-06-19 09:07 AM
Jump to solution

You create a route-map and some conditions to import and export routes into BGP.

for instance:

 

set routemap bgp_export id 10 on

set routemap bgp_export id 10 match protocol static

set router-id <router-id>

set as <as>

set bgp external remote-as <remote-as> on

set bgp external remote-as peer <peer> on

set bgp external remote-as <remote-as> export-routemap routemap bgp_export preference 10 on

And similar for import routes. You will find the exact syntax in the advanced routing guide for R81.10.

https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_Gaia_Advanced_Routing_AdminG...

AaronPW
Contributor
‎2024-06-28 01:11 PM
In response to Alex-
Jump to solution

set routemap bgp_export id 10 match protocol direct

set bgp external remote-as 13979 export-routemap bgp_export preference 10 on 

This should be exporting my directly attached routes to my peers or did I get this wrong?

Then on the peer I need to be doing a

set bgp external remote-as 65000 import-routemap bgp_export preference 10 on

I can see both sides showing peering with the other, but no routes are being shared.  I've done the config on both sides pretty much identically with the different AS numbers. 

EDIT: I didn't realize my two VM were blocking connections to each other. Oops,  now I'm getting routes.  THANKS to all you fine folks for helping me figure this out. 

0 Kudos
Duane_Toler
Advisor
‎2024-06-28 01:31 PM
In response to AaronPW
Jump to solution

No problem.  Be sure, however, you're not re-exporting things like the static default route.  If you're redistributing statics, then specify the interface in the same routemap ID with a second match clause.  Same goes for a directly-connected interface; no need to redistribute the external/Internet-facing interface.

Assuming eth0 is your external-facing interface (likely the interface facing your peer as well):

set routemap bgp_export id 10 match protocol direct
set routemap bgp_export id 10 match interface eth1
set routemap bgp_export id 10 match interface eth2

 

 You can see what's being received, but hidden by the local FIB manager when routes are offered by each routing protocol:

show route bgp all

Routes with code 'i' are inactive, usually because a better route is already installed or otherwise available from another routing source (such as an existing local static route).

 

Otherwise, enjoy! Glad you got it working; nice job!

 

AaronPW
Contributor
‎2024-06-28 02:54 PM
In response to Duane_Toler
Jump to solution

I will make sure to keep that in mind. And I should say, I figured out the basics of setting up BGP on Checkpoint.  and now that i have a Test VM with R81.10, which I'm using in production, and some Cisco VM I can setup and test the config in my lab.   

Once again, thanks for all the help.  

0 Kudos
Duane_Toler
Advisor
‎2024-06-19 01:22 PM
Jump to solution

To add to the comment from @Alex-: Be sure BOTH cluster nodes are set for the SAME ASN, SAME router-id, and be sure they both have the same routemap commands applied.  Some vendor HA products want the two nodes to have different Router-IDs, but not ClusterXL.  I had a customer try to do different ASN and different router IDs on the ClusterXL nodes; it was as bad as you can imagine.  Don't do that.

Check your Cisco router BGP capabilities, too.  You may want to enable graceful-restart, route-refresh, and communities.  None of these are default on Gaia.

set bgp communities on
set bgp external remote-as PEER_ASN peer PEER_IP graceful-restart on
set bgp external remote-as PEER_ASN peer PEER_IP route-refresh on

 

AaronPW
Contributor
‎2024-06-19 01:41 PM
In response to Duane_Toler
Jump to solution

Thanks to both of you.  This is a bit different than BGP setup than I'm used to so hopefully I don't run into any issues with this after migrating my end over to the Cluster.  I did read that you need to make sure both members of the cluster are configured identically so thank for the confirmation.  Much appreciated. 

0 Kudos
Duane_Toler
Advisor
‎2024-06-19 01:50 PM
In response to AaronPW
Jump to solution

Keep in mind, as with any dynamic routing protocol, it can only originate an advertisement for routes in the FIB ("the route table"), as well as what was learned from other neighbors (the RIB).  If you need to advertise a route that is not directly-attached, then you need to add the route as a static route, THEN advertise it with "match protocol static" and "match interface FOO" where FOO is the outgoing interface for said route.

Let us know if you need any help.

 

CheckPointerXL
Advisor
Advisor
‎2024-06-19 01:58 PM
In response to Duane_Toler
Jump to solution

NAT pools is also other most elegant workaround

 

https://support.checkpoint.com/results/sk/sk179549

AaronPW
Contributor
‎2024-06-20 08:16 AM
In response to Duane_Toler
Jump to solution

All the routes are directly attached routes and this will be my introduction to route maps on the Checkpoint platform.  My upgrade got pushed off until Monday so I'm going to look at it more.  

0 Kudos
Alex-
Leader Leader
Leader
‎2024-06-20 08:21 AM
In response to AaronPW
Jump to solution

In this case you change the protocol to match "direct" in the export route map and all subnets configured on local interfaces should be redistributed.

 

You can use the following commands to check peering and advertisements

show bgp peer <peer-ip>

show bgp peers #displays all peerings

show bgp peer <peer-ip> received

show bgp peer <peer-ip> advertise

AaronPW
Contributor
‎2024-06-20 09:05 AM
In response to Alex-
Jump to solution

Well I don't want all subnets, just those four.  So I make a match statement in my route map config for those networks correct?

0 Kudos
Alex-
Leader Leader
Leader
‎2024-06-20 11:13 PM
In response to AaronPW
Jump to solution

You can add a prefix-list to match your subnets and add the match prefix-list <name> statement in the corresponding route-map entry. 

AaronPW
Contributor
‎2024-06-21 07:21 AM
In response to Alex-
Jump to solution

Thanks.  I'm going to try this Monday.  

Thanks for all the tips. I need to find a way to setup a test system for this so I can test configs and not do them cold on a production system.  But I find that outside of Cisco most other vendors don't have as robust a testing environment.

0 Kudos
Alex-
Leader Leader
Leader
‎2024-06-21 12:18 PM
In response to AaronPW
Jump to solution

It's actually not so complex. Spin up a few VM on your hypervisor of choice and go from there.

All you need is a SMS and two gateways on a virtual network, one in each AS. Load them up with loopback interfaces to simulate local subnets and next-hops for static-routes and play with roadmaps and prefix-lists.

 

When I need to test something, I often use Hyper-V out of the box on a Windows laptop.

Duane_Toler
Advisor
‎2024-06-21 12:30 PM
In response to Alex-
Jump to solution

Yep, what @Alex- says is 100% spot-on.  You can also keep testing with Gaia and routing stuff long after the 15-day eval expires, too.  You can't do anything policy-wise and pass traffic across the gateways, but you don't need that to test routing services and advertisements/announcements.

AaronPW
Contributor
‎2024-06-21 12:36 PM
In response to Alex-
Jump to solution

I'm working on setting up a test lab. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events