Blason_R
Advertising default gateway through BGP

Hi Team,

I have two firewalls being managed by the same management server. These two firewalls are located in two different office premises; however, I have a fiber running between them. I need to construct Internet redundancy between them for the HO firewall.

I have two ISPs at the DC; hence if the Internet link at HO goes down, the default gateway for HO will be 10.10.20.20, otherwise it will have a static gateway configured.

I am planning to configure eBGP between the HO and DC firewalls; since a static route has an AD of 1, it will be picked up on the HO firewall, while eBGP, with an AD of 20, will be used as a backup.

I have already achieved this on another platform using BGP; however, I am not finding a way to do it on Check Point. Can someone please help?

[Attached image: Indoco-Mgmt.jpg]

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Accepted Solution
Chris_Atkinson
The below assumes the underlying BGP session is set up/established (basic example only).

Network: 0.0.0.0/0
DC (Advertise): Route redistribution from Static to BGP (65001) matching the default route.
HO (Receive): Inbound route filter for BGP allowing routes from AS 65000.

Network: 10.10.30.0/24
HO (Advertise): Route redistribution from Interface/Static to BGP (65000).
DC (Receive): Inbound route filter for BGP allowing routes from AS 65001.

CCSM R77/R80/ELITE
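As an added illustration of the accepted solution above (not part of the original thread and not taken from Check Point documentation), here is the same two-sided setup written as Gaia clish commands. It assumes the DC firewall is local AS 65000 and the HO firewall is local AS 65001 (matching the peer-AS numbers in the answer), that the eBGP session between them is already established, that the DC already has a static default route toward its ISPs, and that eth1 is the HO interface sitting on 10.10.30.0/24. The command forms are the Gaia route-redistribution and inbound-route-filter syntax as I recall it; confirm them against the Gaia Advanced Routing Administration Guide for your release before applying.

```clish
# ---------------- DC firewall (assumed local AS 65000) ----------------
# Advertise ONLY the default route toward the HO peer (AS 65001) by
# redistributing the existing static 0.0.0.0/0 into BGP. No other static
# or connected routes leak out of the DC.
set route-redistribution to bgp-as 65001 from static-route 0.0.0.0/0 on

# Accept ONLY 10.10.30.0/24 from the HO peer. Policy IDs in the
# 512-1024 range are the "based on AS" inbound filters; any prefix not
# listed under the policy is rejected (no implicit accept-all).
set inbound-route-filter bgp-policy 512 based-on-as as 65001 on
set inbound-route-filter bgp-policy 512 accept-route 10.10.30.0/24 exact on

# ---------------- HO firewall (assumed local AS 65001) ----------------
# Advertise the HO LAN toward the DC peer (AS 65000). "eth1" is an assumed
# interface name; substitute the interface that carries 10.10.30.0/24.
set route-redistribution to bgp-as 65000 from interface eth1 on

# Accept ONLY the default route from the DC peer. "exact" limits the match
# to 0.0.0.0/0 itself, so more-specific prefixes announced by the DC (by
# mistake or by a compromised peer) are not installed at HO.
set inbound-route-filter bgp-policy 512 based-on-as as 65000 on
set inbound-route-filter bgp-policy 512 accept-route 0.0.0.0/0 exact on

save config
```

Check each side with `show bgp peers` and `show route bgp`. On HO, `show route` should show the locally configured static default as the active route with the BGP-learned 0.0.0.0/0 present as the less-preferred alternative; if it is not, compare the protocol ranks for static and BGP on that box and adjust them so the static route wins. Then pull the HO Internet link and confirm the BGP default takes over. The single accepted prefix per side plus the `exact` qualifier is the "security flavor" mentioned later in the thread: nothing outside the two listed networks can enter either routing table regardless of what the peer announces.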
Chris_Atkinson
Most likely you will need to configure BGP with route maps (sk94765 / sk100501) to allow the necessary routes in/out.

How does the DC firewall learn its own default route: via BGP or other routing protocol(s)?

CCSM R77/R80/ELITE
Blason_R
The DC does not need to know any routes except 10.10.30.0/24, and all of its configured routes are static, including the default route. Currently the only requirement is that routes should be learned from the HO firewall and not vice versa, except 10.10.30.0/24.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Blason_R
OK, BGP route learning, I really feel, is pretty complicated in Check Point. Honestly, this is much simpler in Cisco or Vyatta, or even in zebra/quagga.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
Chris_Atkinson
Yes, it's different; things are done with a security flavor rather than just "accept all".

One of the main shortcuts Cisco offers is the concept of "default-originate" in the peer config.

CCSM R77/R80/ELITE