Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Blason_R
Leader
Leader

How do I distribute default alternate route in my scenario using BGP on Check Point?

Hi Team,

I have a below scenario FW and FW2 both are in eBGP and are Check Point 6000 series firewalls. while FW1 is having BGP peering with R1, R2, R3

Both FW1 and FW2 are having different Internet pipes. So I would like to achieve for hosts 192.168.47.98 whose default gateway is 192.168.47.96 while default gateway for 192.168.47.99 is 192.168.47.95.

So if internet pipe fails on FW2 it should route through FW1 and vice -versa. I am not sure how to configure the default gateway in BGP as a alternate router while peering with FW1 and with Routers from FW1 is  working fine.

Between FW1 and FW2 eBGP is configured using link10.30.30.20 & 10.30.30.40. Can someone pls help me on BGP?

 

 

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
8 Replies
Blason_R
Leader
Leader

Do I need to configure iBGP between firewalls? Wondering how do I give distribute default-gateway?

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
vinceneil666
Advisor

I am having a bit of a hard time understanding your setup - for me itt looks like the one FW has all the different internet links connected to it ? 

I would think that a mix of local pref and as prepending will get this done - and, depending a bit on what you want - some kind of pbr ...  But please, could you clarify ? 🙂

0 Kudos
Blason_R
Leader
Leader

Hi there,

My bad for creating confusion. Well, I have two separate firewalls managed by same management server and its plain BGP. On one of the firewall there are links connecting R3 and have servers behind there. I have 3 links going to R3 and have eBGP configured between them. FW1 has a ISP Connection and FW2 has as well a separate connection.

What I would like to achieve is if Internet at FW2 goes down I want traffic originated from 192.168.47.x range should take FW2 -> FW1 and then to Internet. Same with FW1.

That is if Internet link at FW1 fails - > Then traffic from 192.168.47.0 should go out from FW1 -> FW2 and then out. 

How do distribute Default gateway between FW1 and FW2 so that link redundancy can be achieve if link failover at either  location happens.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Srdjan_B
Collaborator

How is routing with ISP done now? Are you using BGP or static? In other words, how is default route configured now, is it being received via BGP from ISP or it is configured as a static route?

0 Kudos
vinceneil666
Advisor

I see,

The subnet you have for 192.168.47.0/24 is connected to both firewalls - that will be a bit problematic, so for starters I would clean that up. Now, I dont know the reason for why you have done it like so. But I would consider removing the interface on fw1 (192.168.47.95) to start.

Then, since fw1 and fw2 has eBGP established the traffic between them - all internal traffic should be fine - at least you need to make sure it is fine before you move on.  (traffic flow from 192.168.47 to 172.16.9..etc etc)

Then I would make sure that FW1 redistributes its default route to FW2 (as64512 -> as64514), and for this I would use AS-prepend so that it wont kill of the allready excisting default route in FW2.  (are the two excisting default routes static, or are they bgp routes from isp?)

You will need to create a route map, lets say "rm-default-out" , make sure you do a match on "0.0.0.0/0 exact" Also, in the route map, make sure you set an action doing as-prepend "action aspath-prepend-count 5"  .. I usually use 5, 2 or 3 is fine too.

Attach this route map to your external remote-as , as an export/out-bound.

This should make sure that the default route you send to fw2 has its AS number added inn 5 times in the path - thus making it less valueable than the exsisting one. . in general ..something like this will work.

But yeah, the drawing tells me that the two fw's have a eBGP connection.. and is your excisting def route static or bgp ? 

0 Kudos
Blason_R
Leader
Leader

Yeah - Thats right - Considering there is a L3 switch below firewall at 192.168.47.0/24 network the servers wont be connected directly to firewall. But yes thanks for the heads up about route-map and as-path prepend. I had no clue about sending default route update to other firewall with less value so that other firewall will be used in case of failure.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Srdjan_B
Collaborator

Just keep in mind, BGP route received from another firewall will work only if you are also receiving default route from ISP via BGP. If you have static route to ISP, you would have to use ip-reachability-detection to detect if ISP is available and automatically remove static route when ISP connection is lost. Otherwise, static route to failed ISP will take precedence over route received via BGP. But generally speaking, if you are already running BGP on the GW, it would be best to switch to BGP with ISP and remove static default.

One more thing to check is topology/anti spoofing. If interfaces between firewalls are defined as Internal, they may drop traffic from public IP addresses.

0 Kudos
Blason_R
Leader
Leader

Ah - Thats a nice information and thanks for heads up.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events