This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Scottc98
Advisor
‎2024-02-10 10:24 AM

Block routes from select BGP ASN in path

Wondering if anyone has any BGP route-map examples to block learning any routes that has a select BGP ASN in its path.

I have a cloudguard FW deployed where I am peering with an Azure route server (ARS)  (ASN 65515) and that ARS also is learning routes from an expressroute circuit (ASN 12076).   The ARS has some very limited capabilities and can't put any real filters in place when you redistrobute routes there.    

In this example, I want my cloudguard FW to accept routes that come from the ARS and its direct vnets (65515) but any routes being learned from the expressroute (i.e. has asn 12076 in its aspath), i want to reject.

I have a feeling i can do this with a import route-map configuration on my peer with the ARS using an aspath-regex.

Example:

set routemap ARS-Peer-In id 100 on
set routemap ARS-Peer-In id 100 restrict
set routemap ARS-Peer-In id 100 match aspath-regex "_12076_" origin any
set routemap ARS-Peer-In id 200 on
set routemap ARS-Peer-In id 200 allow
set routemap ARS-Peer-In id 200 match as 65515 on
set routemap ARS-Peer-In id 200 action nexthop ip 10.1.1.1  <= this being the ip of the GW cluster; 10.1.1.2 used on other cluster.
set bgp external remote-as 65515  import-routemap ARS-Peer-In preference 1 on

Is this an ample way to address this?     (## Note:  question relating to ability to block a ASN in a path for check point but accept others; we have confirmed with Microsoft Azure engineering teams that this restriction of ASN 12076 will address our issue)

The other validation I wanted to ask was the use of the routemap IDs and preferences.

  • My understanding is the ID # in the same route-map is the order of processing 
    • Therefore I want my 'restrict' rule above my allow.

In regards to the route map preferences, can you do this same retriction type with various route maps and place in the preference order?

Example:

set routemap ARS-Peer-restrict id 100 on
set routemap ARS-Peer-restrict id 100 restrict
set routemap ARS-Peer-restrict id 100 match aspath-regex "_12076_" origin any
set routemap ARS-Peer-In id 200 on
set routemap ARS-Peer-In id 200 allow
set routemap ARS-Peer-In id 200 match as 65515 on
set routemap ARS-Peer-In id 200 action nexthop ip 10.1.1.1  <= this being the ip of the GW cluster
set bgp external remote-as 65515  import-routemap ARS-Peer-restrict preference 1 on
set bgp external remote-as 65515  import-routemap ARS-Peer-In preference 2 on

 

It feels normal to me for any vendor BGP configuration to have one set of routemaps on a peer and set the order of operations with the route map IDs.     But I wanted to know if i understand the processing here with the multiple map options and preference order if both would indeed be 'inspected' at all times and the preference just is setting the map 'order'.    (a.k.a 'best practice' for routemaps with checkpoint 😉 )

 

Thanks in advance for any assistance 

 

 

 

0 Kudos
9 Replies
the_rock
Legend
Legend
‎2024-02-10 10:52 AM

I hear ya there, BGP with Check Point is WAYYY different than Cisco lol

Anyway, I wish there was way to do routemaps in web UI, hope it becomes available in R82, but for now, here is what I can tell you from my experience. When my colleague and I did this for a customer of ours, restricting via a routemap did not have anything to do with routemap ID. Once I find the fw config, I can send you the example of it, probably tomorrow or Monday.

Best,

Andy

0 Kudos
Scottc98
Advisor
‎2024-02-12 06:50 AM
In response to the_rock

Thanks @the_rock   🙂

0 Kudos
the_rock
Legend
Legend
‎2024-02-12 06:57 AM
In response to Scottc98

Sorry mate, cant find it in client's config, I guess we never ended up doing restrict option, but its essentially how you mentioned in the post itself.

Andy

0 Kudos
Scottc98
Advisor
‎2024-02-13 10:19 AM
In response to the_rock

All good @the_rock  🙂

 

Searching around and may have found some of my own answers.    

  • https://support.checkpoint.com/results/sk/sk100501
    • This is the reference SK on how routemaps work and now bookmarked so i don't have to search for it again 🙂
    • From this SK, it does look like i have both the options to do
      • 1) via one route map and organize via ID # (Putting my blocks lower # than my allows)  or
        • Per SK, "Within a routemap, the same procedure applies when checking individual routemap IDs: the IDs are checked from lowest to highest until a match is found. Therefore, more specific match conditions should have lower IDs or should be present in lower preference routemaps so that they are checked first, instead of being ignored in favor of less specific match conditions."
      • 2) I can do another route map with a different precedence # (placing by block one with a lower preference than my current one used to ensure its matched first)
        • Per SK "When multiple import routemaps or export routemaps are configured for the same protocol, the routemap with the lowest configured preference value is applied first; if no match is found, the next highest preference is checked, etc."
  • For the AS path examples, this SK is now a keeper for me  "https://support.checkpoint.com/results/sk/sk103047"

 

I'll review internally and also with my internal checkpoint team on the best path here to go.   The additional route-map here might be the easiest and cleanest path since my existing ones are using a preference of 8 today (i.e. a lower one is available) and might allow for a nice clean route map name that has some context

(note:   it would be nice to have a 'comment' field to use on routemaps so we can note what each map or ID entry is intended for 😉  )

 

 

0 Kudos
the_rock
Legend
Legend
‎2024-02-13 10:21 AM
In response to Scottc98

I feel like I would know that sk number in my dreams lol. Heard it so many times from TAC people when my colleague and I were helping a customer couple of years back for BGP issue.

Here is section I always found was most relevant as far as route restrict.

Best,

Andy

 

(4-C) Restricting routes while exporting

  1. Create a routemap to export a set of routes that you wish to restrict a subset of (see the"Exporting all routes from one or more protocols" section or "Exporting only selected routes" section above).

  2. Create a separate new routemap, and create one routemap ID belonging to it for each set of match conditions you wish to specify:

    HostName> set routemap ROUTEMAP_NAME id ID_NUMBER on

  3. For each ID, set the ID type to "Restrict" to block the routes matched:

    HostName> set routemap ROUTEMAP_NAME id ID_NUMBER restrict

  4. Set the export routemap on the protocol, to which you wish to export the routes:

    HostName> set PROTOCOL export-routemap ROUTEMAP_NAME preference ROUTEMAP_PREFERENCE_NUMBER on

    Notes:

    • There will be two export routemaps - one routemap to restrict routes, and one routemap to allow them.
    • The restrict routemap should have a lower preference value, so that it takes priority over the allow routemap. Otherwise, the allow routemap may allow routes that you wish to restrict, since it is matched first.

  5. Save Gaia configuration:

    HostName> save config

Example:

Using the following routemaps:

  • routemap 'bgp_export' from the "Exporting only selected routes" section as the "Allow" routemap
  • new routemap as the "Restrict" routemap

Notes:

  • The preference value for the "Allow" routemap is higher than the preference value for the "Restrict" routemap, so the restrict routes are matched first.
  • The command to set the "Allow" routemap for BGP is re-stated here. This restrict routemap will restrict routes from BGP AS 100 that are in the prefix 192.168.0.0/16.

Commands:

HostName> set routemap bgp_restrict id 1 on
HostName> set routemap bgp_restrict id 1 match as 100
HostName> set routemap bgp_restrict id 1 match network 192.168.0.0/16 all
HostName> set routemap bgp_restrict id 1 restrict
HostName> set bgp external remote-as 1 export-routemap bgp_restrict preference 1 on
HostName> set bgp external remote-as 1 export-routemap bgp_export preference 2 on
HostName> save config
0 Kudos
Scottc98
Advisor
‎2024-02-20 05:18 PM
In response to the_rock

Just a quick update:

Was able to deploy this restriction safely last week and it did work as designed.    After review of the existing routemaps, we ended up adjusting with a lower ID within the existing maps verses creating a new one with different preferences.  

There was also a need to tag some 'no-advertise' communities on our exports that worked out as planned.

A couple of notes and lessons learned:

  1.  "show bgp peer <Peer IP> adj-rib-out communities"
    1. Nice command to validate the communities being advertised to a peer (before and after to confirm your change worked)
      1. Was really hoping to see from the Microsoft Route Server side on what communities it was receiving but have yet to find out where that can be done with MS docs and engineering support requests.   That command here on the CP side saved me 😉
    2. " show route inactive bgp aspath"
      1. So.....not really a fan here on the CP that I can still see these routes I am restricting via "show bgp peer <peer ip> received"
      2. And.... "show bgp peer <peer ip> adj-rib-in aspath"  doesn't show the restriction either.
      3. Lack of grep on these 'show' commands can be a pain when dealing with a lot of routes as well 😞
      4. Using this command does allow me to dump the output and check manually if there are any routes I am hiding/inactive outside of the as 12076 I was intending to block. 
        1. Combo with just "show route inactive bgp" shows the code of "H" for hidden on these 

 

Honestly, the lack of grep type of commands where you can look granular would have been a huge help (GAIA OS cli request 😉 ). 

Dumping the outputs to comb through was a bigger drag that it should have but noted for future deployments at this time 🙂

 

Thanks for everyone's help and insights......hope this helps out others with similar deployments 🙂 

 

 

 

 

0 Kudos
the_rock
Legend
Legend
‎2024-02-20 06:24 PM
In response to Scottc98

Thanks for sharring @Scottc98 , appreciated. I get what you mean by grep, I always found that super challenging as well.

Best,

Andy

0 Kudos
DZ_KB
Collaborator
‎2024-02-22 07:00 AM
In response to the_rock

Hi @the_rock ,

Do you think that commands below:

HostName> set routemap bgp_restrict id 1 on
HostName> set routemap bgp_restrict id 1 match as 100
HostName> set routemap bgp_restrict id 1 match network 192.168.0.0/16 all
HostName> set routemap bgp_restrict id 1 restrict
HostName> set bgp external remote-as 1 export-routemap bgp_restrict preference 1 on
HostName> set bgp external remote-as 1 export-routemap bgp_export preference 2 on
HostName> save config


can be written like this:


HostName> set routemap bgp_restrict_and_export id 1 on
HostName> set routemap bgp_restrict_and_export id 1 match as 100
HostName> set routemap bgp_restrict_and_export id 1 match network 192.168.0.0/16 all restrict on
HostName> set routemap bgp_restrict_and_export id 2 on
HostName> set routemap bgp_restrict_and_export id 2 match protocol ospf2
HostName> set routemap bgp_restrict_and_export id 2 match network 10.0.0.0/8 between 24 and 32
HostName> set routemap bgp_restrict_and_export id 2 allow
HostName> set routemap bgp_restrict_and_export id 3 on
HostName> set routemap bgp_restrict_and_export id 3 match as 100 on
HostName> set routemap bgp_restrict_and_export id 3 allow
HostName> set bgp external remote-as 1 export-routemap bgp_restrict_and_export preference 1 on
HostName> save config


or like this:

HostName> set routemap bgp_restrict_and_export id 1 on
HostName> set routemap bgp_restrict_and_export id 1 match as 100
HostName> set routemap bgp_restrict_and_export id 1 match network 192.168.0.0/16 all
HostName> set routemap bgp_restrict_and_export id 1 restrict
HostName> set routemap bgp_restrict_and_export id 2 on
HostName> set routemap bgp_restrict_and_export id 2 match protocol ospf2
HostName> set routemap bgp_restrict_and_export id 2 match network 10.0.0.0/8 between 24 and 32
HostName> set routemap bgp_restrict_and_export id 2 allow
HostName> set routemap bgp_restrict_and_export id 3 on
HostName> set routemap bgp_restrict_and_export id 3 match as 100 on
HostName> set routemap bgp_restrict_and_export id 3 allow
HostName> set bgp external remote-as 1 export-routemap bgp_restrict_and_export preference 1 on
HostName> save config

 

 

 

0 Kudos
the_rock
Legend
Legend
‎2024-02-26 07:40 AM
In response to DZ_KB

Yes, but slightly different...see below.

Andy

 

test-fw> set routemap bgp_restrict_and_export id 2 match network 10.0.0.0/8 between
Configures the Route Map to match routes that are within the given
IPv4 or IPv6 subnet and which have a mask length that is between
the given range of values.

Value: 1 - 32 (IPv4 subnet mask length)
(or)
1 - 128 (IPv6 subnet mask length)

For a given Route Map ID, only one match condition for a given subnet
can exist. E.g., the following command sequence will cause the first
command to be overwritten by the second:

set routemap A id 1 match network 10.1.3.0/24 between 24 and \
27 restrict on
set routemap A id 1 match network 10.1.3.0/24 between 28 and \
32

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events