Rick_Ther
Explorer
Dynamic Routing - Real World Experience

Hello all,

I am considering configuring dynamic routing (the main goal is OSPF, potentially BGP for some specific needs) on some of our Checkpoint appliances. In the past we avoided applying any dynamic routing on our Checkpoint firewalls. However, for some needs it would be really beneficial.

The SMS is running in R80.30

The SGWs are running R80.30 (some are still on R77.30, but the question specifically targets R80.30).

  • Can I still sleep well at night doing this? 🙂
  • To everybody who has deployed it in critical networks: what are your real world experiences with this? Is it stable? No drawbacks/strange behaviors when used in ClusterXL deployments? Discovered unexpected limitations etc.?
    I'm really targeting the field experience here.

Please specify if you are talking about OSPF or BGP.

Regards

Accepted Solutions
HeikoAnkenbrand
Champion

Hi @Rick_Ther 

OSPF works fine under R80.30. Gaia supports OSPFv2, which supports IPv4 addressing, and OSPFv3, which supports IPv6 addressing. You can run OSPF over a route-based VPN by enabling OSPF on a virtual tunnel interface (VTI).

CUT>>>
Can I still sleep well at night doing this?
<<<CUT

Answer: YES 😀

Here you can find further information:

Gaia Advanced Routing R80.30 Administration Guide -> OSPF 

➜ CCSM Elite, CCME, CCTE ➜ www.checkpoint.tips

7 Replies
John_Fleming
Advisor

I like to set the OSPF priority to 0 so that the Checkpoint never becomes the DR. Also make sure the router-id is the same on the hosts in the same cluster.

Chris_Atkinson
Employee

Depending on your topology the new clustering and dynamic routing features of R80.40 may be worth considering.

CCSM R77/R80/ELITE
Matthias_Haas
Advisor

We had a couple of issues which I'd like to share with you:

- OSPFv2: Graceful Failover did not work correctly:
The Grace-LSA packet generated by the Firewall does not contain a TLV which includes the IP address of the Interface (as required by RFC 3623), which causes the other Router to shut down the adjacency with the Firewall, which in turn causes a connectivity loss for a couple of seconds.
We got a hotfix but are not sure if this is now part of a Take.

- OSPFv2 with MD5 enabled: looks like the Sequence Number is not synchronized between the Cluster members, which could cause the other routers to detect a "replay attack" after a failover.
We did not raise an SR, so maybe this problem still exists.

In both cases the failover works, but not as smoothly as possible because the adjacencies have to be built up again. Depending on what you expect, these are minor issues.

- OSPFv3: core dump if the same VRIDs are used on multiple interfaces
(but maybe this is rather a misconfiguration)

- OSPFv3: when the OSPF Area is of type stub or totally stub area, the Checkpoint will not accept the default route propagated by a router (we tested this with diverse Cisco IOS versions, FRRouting and Arista vEOS).
It works if you are in a Checkpoint-only environment. Different padding scheme for the Inter-Area-Prefix representing the default route (::/0) in CP Gaia: CP Gaia adds 4 bytes of zeros. All other vendors don't use padding at all for a 0-bit long prefix.
Severe bug, fixed with R80.40
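The ::/0 padding mismatch described in the post above, as an added example that is not from the thread or from Check Point: an encoder and decoder for the OSPFv3 Inter-Area-Prefix LSA body using the RFC 5340 prefix layout (Address Prefix padded to a 32-bit boundary, so a 0-bit prefix occupies 0 bytes). The `extra_pad` option reproduces the 4 extra zero bytes reported for Gaia, and the strict decoder shows the length mismatch that makes two implementations with different padding rules drop each other's default route. Function names are my own.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

# Added example (not from the thread or Check Point). Field layout follows
# RFC 5340 section 4.4.3.4 / appendix A.4.1; function names are my own.

def prefix_field_len(prefix_len: int) -> int:
    """Bytes used by the Address Prefix field: padded to a 32-bit boundary,
    so a 0-bit prefix (::/0) occupies 0 bytes under the RFC rule."""
    return 4 * ((prefix_len + 31) // 32)

def encode_inter_area_prefix(metric: int, net, extra_pad: int = 0) -> bytes:
    """Build an Inter-Area-Prefix LSA body (without the 20-byte LSA header).
    extra_pad=4 reproduces the non-standard 4 zero bytes the thread reports
    Gaia adding after the ::/0 prefix."""
    net = IPv6Network(net)
    body = struct.pack("!I", metric & 0xFFFFFF)       # reserved byte + 24-bit metric
    body += struct.pack("!BBH", net.prefixlen, 0, 0)   # PrefixLength, PrefixOptions, reserved
    body += net.network_address.packed[:prefix_field_len(net.prefixlen)]
    return body + b"\x00" * extra_pad

def decode_inter_area_prefix(body: bytes, strict: bool = True):
    """Return (metric, prefix string, PrefixOptions). In strict mode the
    Address Prefix field must be exactly as long as PrefixLength implies;
    a receiver applying a different padding rule fails right here."""
    if len(body) < 8:
        raise ValueError("truncated Inter-Area-Prefix LSA body")
    metric = struct.unpack("!I", body[:4])[0] & 0xFFFFFF
    plen, popts, _ = struct.unpack("!BBH", body[4:8])
    if plen > 128:
        raise ValueError(f"invalid PrefixLength {plen}")
    need = prefix_field_len(plen)
    field = body[8:]
    if len(field) < need or (strict and len(field) != need):
        raise ValueError(f"prefix field has {len(field)} bytes, /{plen} needs {need}")
    addr = IPv6Address(field[:need].ljust(16, b"\x00"))
    return metric, str(IPv6Network((addr, plen), strict=False)), popts

def interoperable(body: bytes) -> bool:
    """True if the body parses under the RFC padding rule, i.e. a peer that
    follows RFC 5340 strictly would accept this prefix advertisement."""
    try:
        decode_inter_area_prefix(body, strict=True)
        return True
    except ValueError:
        return False
```

Feeding a captured LSA body to `interoperable()` is a quick way to tell whether a default route advertisement is in the RFC form or the padded form before opening a case.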
Rick_Ther
Explorer

@Matthias_Haas, thank you for this input. I was really hoping to get some feedback like this. Not that I wanted to hear it was not working as expected ;-D, but the potential issues for OSPF running on Checkpoint. I'll check if the fix for the first issue you mentioned is included in the current Jumbo HF.

OSPFv3 is not relevant for us right now.

RoyS
Employee

Hi Rick,

The first issue mentioned is not related to CXL.

CXL operation is different from VRRP.

In CXL the OSPF database is synced across the CXL members, so after a failover we continue from the same point as prior to the fail-over, which results in a smooth fail-over.

Graceful restart restarter is not supported or needed on CXL; only Graceful restart helper is supported, to prevent an outage if the peer is in restart mode.

The issue described is in the VRRP Graceful restart restarter.

I am not familiar with the second issue. The MD5 crypto sequence is synced between the CXL members, so you can expect a smooth fail-over.

Thanks

Roy

Rick_Ther
Explorer

@Chris_Atkinson 

I just had a look at the release notes. Looks promising. Not what we are looking for right now (for the cluster, I mean), but I'll definitely keep the new ClusterXL mode and the Geo-Clustering in mind for the future.
