This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
dphonovation
Collaborator
‎2022-12-21 09:24 AM

Disable distribution of default route if peer is down

Right now my switches have a static default gateway set statically. Instead I want to redistribute the default route to them from the checkpoint, but only if my WAN Side BGP peer is up (or alternatively, a ping to something like 8.8.8.8).

I'm using BGP not OSPF but this thread still has answers to apply to me:
https://community.checkpoint.com/t5/Security-Gateways/Checkpoint-Advanced-OSPF-Capability/td-p/6467

So i get that I just need to redistribute a static route of 0.0.0.0 from gaia into the switches. There is also a "Ping" checkbox as in the above thread, on my BGP Peer to my ISP (i suppose I can also work with ISP to enable BFD). But how do I disable the redistribution of 0.0.0.0 to my switches after the BGP peer is noticed down?

0 Kudos
6 Replies
the_rock
Legend
Legend
‎2022-12-21 09:27 AM

I could be mistaken when I say this (hopefully someone from CP will correct me), but I had never found out a way to disable any route on CP. Its either on or you have to delete it, thats it.

0 Kudos
dphonovation
Collaborator
‎2023-01-19 03:11 PM
In response to the_rock

I have a slightly different need to disable redistribution in a diff scenario. ie: BGP over a S2S tunnel and I want to stop redistribution if a specific IP is down.

I tried faking it by adding a static route to the host x.x.x.x/32 with a monitor ping option enabled.

I setup 2 monitors, one for a live IP and one for a dead IP internally. If I switched to the dead ip I could see the route being removed from the kernel table.

I then setup BGP to redistribute this static route, but now the ping monitoring no longer worked. The route remained in the table permanently. As if redistributing it "stuck" it in place or made it ignore the ping monitor. To the point that if I did a show ip-reachability it marked the ip I KNOW FOR A FACT IS DEAD/DOES NOT EXIST as available.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-12-22 06:52 AM

In sk34812: ISP Redundancy configuration, this is done by a script for the active cluster node routes. But this is triggered by ISP Redundancy. A croned script should be able to do this - so i would ask TAC!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
vinceneil666
Advisor
‎2022-12-23 12:49 AM

BFD would probably be the best option - and yeah, you could talk with your ISP about this. But do note that you can run BFD as a multihop setup to. So - if you have an available node somewhere on the internet (a router on another site for example) you could use that one to.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-12-23 02:24 AM

Why not ask the ISP to advertise you the default route (default originate) and the rest will take care of itself?

CCSM R77/R80/ELITE
the_rock
Legend
Legend
‎2022-12-23 02:47 AM
In response to Chris_Atkinson

Very good point Chris.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top