
8/5/2014 Configuring BGP between Router and Security Gateway running GAIA

http://blog.lachmann.org/?p=1771 1/16

blog.lachmann.org – My Check Point blog – Notes from a CCSE+

Configuring BGP between Router and Security Gateway running GAIA

Today we’ll have a look at advanced routing and how we can exchange routing information using the BGP protocol between a Check Point Security Gateway running GAIA and a Cisco router.

It is common practice to use Interior Gateway Protocols (IGPs) like IS-IS or OSPF for carrying your infrastructure addresses and the Border Gateway Protocol (BGP) for carrying Internet prefixes.

I found a very good presentation from Philip Smith, who works for Cisco, that explains BGP best practices in detail.

We assume that we have the following setup: a router, connected to the Internet on one side and to a Security Gateway on the other. The Security Gateway should tell the router which network it protects using BGP.


Lab Setup for connecting a Check Point Security Gateway to a router using BGP

In this setup we have the following routing information on the Security Gateway:

firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 178
C 127.0.0.0/8 is directly connected, lo
C 192.168.100.0/24 is directly connected, eth1
C 200.200.200.0/24 is directly connected, Mgmt

And this is the routing table for the router:

router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override


Gateway of last resort is 10.10.10.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0

Note that the router is using a loopback IP address for establishing the BGP sessions. See the BGP best practices presentation referenced above for a detailed explanation of this.

Now we configure our (Cisco) Router for an internal BGP (iBGP) session.

interface Loopback0
 ip address 192.168.200.200 255.255.255.255
!
interface GigabitEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.100.100 255.255.255.0
 duplex auto
 speed auto
!
router bgp 12345
 bgp router-id 192.168.200.200
 bgp log-neighbor-changes
 neighbor BGP_TEST peer-group
 neighbor BGP_TEST remote-as 12345
 neighbor BGP_TEST description iBGP Session between Core and Security Gateway
 neighbor BGP_TEST update-source Loopback0
 neighbor 192.168.100.1 peer-group BGP_TEST
 !
 address-family ipv4
  redistribute connected
  redistribute static
  neighbor BGP_TEST soft-reconfiguration inbound
  neighbor 192.168.100.1 activate
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2

At this point the router tries to establish a BGP session with our Security Gateway and tells it about its own connected and static routes.

But the Security Gateway isn’t answering the BGP requests yet, so let’s move on to the configuration of GAIA.


There are different ways to configure BGP; in this example we use the WebUI. First log in and change the view to Advanced so that you’re able to see all the menu items in the WebUI.

Changing the Check Point GAIA WebUI to Advanced View

Then choose BGP from the Advanced Routing menu.

Choose BGP from Advanced Routing Menu on Check Point GAIA WebUI

On the BGP page, first check the configuration of the router ID. In our example we use the real IP address of the Security Gateway’s external interface.

The next part is to change the Local System Identification.


Change the BGP Local System Identification on Check Point GAIA WebUI

As shown in the lab setup overview, our AS is 12345.

Save the change. The configuration page now looks like this.

BGP settings of Check Point GAIA WebUI

Now we will add a peer group which will contain our Cisco router as peer.

Add a BGP Peer Group on Check Point GAIA WebUI

Enter the peer AS number. If it is equal to your own AS number, the page will show the peer group type as Internal, otherwise as External.


Add a BGP Peer Group on Check Point GAIA WebUI

Then we enter the IP address of the Security Gateway’s external interface again as Local Address.

And last we add the specific peer by clicking on Add Peer.

AS lock while adding BGP peer in Check Point GAIA WebUI

Add BGP peer in Check Point GAIA WebUI

When you click on Show Advanced Settings you’ll see various options, including Logging and Trace Options. I recommend turning them all on. The information can be found in /var/log/routed.log and the output looks like this:


[Expert@firewall]# tail -f /var/log/routed.log
Nov 16 15:28:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 48
Nov 16 15:29:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 1
Nov 16 15:30:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 6
Nov 16 15:31:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 6
Nov 16 15:40:18 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 60
Nov 16 15:40:18 bgp_send: sending 19 bytes to 192.168.200.200 (Routing AS 12345)
Nov 16 15:40:18
Nov 16 15:40:18 BGP SEND 192.168.100.1+43878 -> 192.168.200.200+179
Nov 16 15:40:18 BGP SEND message type 4 (KeepAlive) length 19
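The trace lines above are what an operator ends up watching once the trace options are on. As an added example that is not part of the original post, the following Python script parses those line shapes, keeps per-peer counters, and raises two findings a defender cares about: a peer address in the log that is not on the list of peers you expect (configuration drift), and a peer whose last-received gap reached the hold time. The sample log is constructed from the excerpt above plus a second, made-up peer (198.51.100.9, a documentation address in AS 64512); reading "last recv'd N" as seconds since the last message from that peer, and 180 s as the hold time, are assumptions for this example.

```python
"""Summarise the BGP trace lines GAIA writes to /var/log/routed.log.

Added example, not code from the blog post. Line shapes follow the
routed.log excerpt in the article; the sample below is constructed from it
and adds a second, made-up peer so the drift check has something to report.
Treating 'last recv'd' as seconds since the last message from the peer and
180 s as the hold time are assumptions.
"""
import re
from collections import defaultdict

_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
TIMEOUT = re.compile(_TS + r" bgp_traffic_timeout: peer (?P<peer>\S+) \(Routing AS (?P<asn>\d+)\)"
                     r" last checked (?P<checked>\d+) last recv'd (?P<recvd>\d+)$")
SEND = re.compile(_TS + r" BGP SEND (?P<src>\S+)\+(?P<sport>\d+) -> (?P<dst>\S+)\+(?P<dport>\d+)$")
MSG = re.compile(_TS + r" BGP SEND message type (?P<type>\d+) \((?P<name>\w+)\) length (?P<len>\d+)$")

# Constructed sample: the article's lines plus two lines for an unexpected peer.
SAMPLE_LOG = """\
Nov 16 15:28:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 48
Nov 16 15:29:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 1
Nov 16 15:30:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 6
Nov 16 15:31:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 6
Nov 16 15:40:18 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 60
Nov 16 15:40:18 bgp_send: sending 19 bytes to 192.168.200.200 (Routing AS 12345)
Nov 16 15:40:18
Nov 16 15:40:18 BGP SEND 192.168.100.1+43878 -> 192.168.200.200+179
Nov 16 15:40:18 BGP SEND message type 4 (KeepAlive) length 19
Nov 16 15:41:07 bgp_traffic_timeout: peer 198.51.100.9 (Routing AS 64512) last checked 60 last recv'd 120
Nov 16 15:42:07 bgp_traffic_timeout: peer 198.51.100.9 (Routing AS 64512) last checked 60 last recv'd 200
"""

def parse_routed_log(text: str) -> list:
    """Turn the BGP trace lines into events; other shapes (e.g. 'bgp_send: sending ...') are ignored."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := TIMEOUT.match(line):
            events.append({"kind": "timeout", "ts": m["ts"], "peer": m["peer"],
                           "asn": int(m["asn"]), "last_recvd": int(m["recvd"])})
        elif m := SEND.match(line):
            events.append({"kind": "send", "ts": m["ts"], "local": m["src"], "peer": m["dst"]})
        elif m := MSG.match(line):
            events.append({"kind": "message", "ts": m["ts"], "type": int(m["type"]), "name": m["name"]})
    return events

def summarise(events: list, expected_peers, hold_time: int = 180) -> dict:
    """Per-peer counters plus two findings: peers missing from the expected list,
    and peers whose last-received gap reached the hold time (assumed 180 s)."""
    peers = defaultdict(lambda: {"asn": None, "timeouts": 0, "max_last_recvd": 0})
    keepalives = 0
    for ev in events:
        if ev["kind"] == "timeout":
            p = peers[ev["peer"]]
            p["asn"] = ev["asn"]
            p["timeouts"] += 1
            p["max_last_recvd"] = max(p["max_last_recvd"], ev["last_recvd"])
        elif ev["kind"] == "send":
            peers[ev["peer"]]  # register the peer even if no timeout line was seen for it
        elif ev["kind"] == "message" and ev["name"] == "KeepAlive":
            keepalives += 1
    return {
        "peers": dict(peers),
        "keepalives_sent": keepalives,
        "unexpected_peers": sorted(set(peers) - set(expected_peers)),
        "stale_peers": sorted(ip for ip, p in peers.items() if p["max_last_recvd"] >= hold_time),
    }

if __name__ == "__main__":
    report = summarise(parse_routed_log(SAMPLE_LOG), expected_peers={"192.168.200.200"})
    for ip, p in report["peers"].items():
        print(f"{ip}: AS {p['asn']}, {p['timeouts']} timeout checks, max last recv'd {p['max_last_recvd']}s")
    print("unexpected peers:", report["unexpected_peers"])
    print("stale peers:", report["stale_peers"])
```

Run against the real file with `tail -n 1000 /var/log/routed.log` piped into `parse_routed_log`, with `expected_peers` set to the peers configured in the WebUI; anything in `unexpected_peers` means the running configuration no longer matches what was documented.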

Advanced Logging and Trace Options in Check Point GAIA WebUI

Overview of Peer Group configuration in Check Point GAIA WebUI

Close all configuration dialogs by clicking Save.


Advanced Routing -> BGP menu on Check Point GAIA WebUI

Now we’ll have a look at the routing table of our Cisco router. Will we see the routes from the Security Gateway?

router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.10.10.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0

Nothing has changed here????

Let’s have a look at the Security Gateway:

firewall> show route bgp
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

No learned routes here!

Checking the operating system routing table in expert mode:

[Expert@firewall]# ip route
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.1
200.200.200.0/24 dev Mgmt proto kernel scope link src 200.200.200.200
default via 192.168.100.100 dev eth1 proto cprd

Nothing here, either. Let’s check again in CLISH:

firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 1117
B H 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 127.0.0.0/8 is directly connected, lo
B H 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 192.168.100.0/24 is directly connected, eth1
B H 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 294
C 200.200.200.0/24 is directly connected, Mgmt

Here we see BGP routes learned from the router, but the routes are marked “hidden” (the H flag). This means the routing process knows about them because it got the information from the BGP peer, but it is not passing them along to the routing table of the Security Gateway.

To solve the task of distributing routes via BGP, we have to configure some more options in the GAIA WebUI.

Select Route Redistribution from Advanced Routing menu.

Route Redistribution menu from Check Point GAIA WebUI

In our example we want to redistribute the routes from the connected interfaces through BGP, so select Add from Redistribute Interfaces.


Redistribute Interfaces menu from Check Point GAIA WebUI

Then select the routing process you want to redistribute to.

Redistribute Interfaces – Choose Protocol on Check Point GAIA WebUI

Then select which interface(s) you want to redistribute.

Redistribute Interfaces – Choose Interface on Check Point GAIA WebUI

Then enter a metric and click Save.

Redistribute All Interfaces on Check Point GAIA WebUI

From this point on you will redistribute your routes over BGP to the Cisco router.


Redistribute All Interfaces Summary on Check Point GAIA WebUI

Let’s check with the router:

router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is 10.10.10.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0
B 200.200.200.0/24 [200/100] via 192.168.100.1, 00:00:31

At this point we have achieved our goal: routes from the Security Gateway are distributed to the router using BGP.

But what to do if we want to import routes from the router into the Security Gateway?

In this case we have to define Inbound Route Filters. Select the appropriate menu from the WebUI.

Inbound Route Filter Menu on Check Point GAIA WebUI


Then we need to define a BGP Policy for routes to import. Click on Add BGP Policy.

Inbound Route Filters Add BGP Policy on Check Point GAIA WebUI

Define which routes to accept. In our case we accept all routes from peers in AS 12345.

Inbound Route Filters – Add BGP Policy – Detail on Check Point GAIA WebUI

The summary shows you the new BGP policy, and from that point on your Security Gateway accepts routes sent via BGP from the Cisco router.

The routing tables look like this:

firewall> show route bgp
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 58
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 58

firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 669
B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 127.0.0.0/8 is directly connected, lo
B 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 192.168.100.0/24 is directly connected, eth1
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 62
C 200.200.200.0/24 is directly connected, Mgmt
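The two gateway tables (hidden routes before the inbound filter, installed routes after it) and the router table after redistribution are the evidence this walkthrough reads by eye. As an added example that is not code from the post, here is a small Python parser for that output: it lists the BGP prefixes GAIA holds but has not installed (the H flag, the symptom of a missing inbound policy), the prefixes installed once the AS 12345 policy exists, the link prefix 192.168.100.0/24 that the router announces back to the gateway although the gateway already has it as a connected network, and what the router learned from the gateway with its administrative distance. The samples are copied from the article's output (legends trimmed) and the line shapes the regexes expect are assumptions derived from that output.

```python
"""Check the BGP state of the lab from the routing tables the article prints.

Added example, not code from the blog post. GW_BEFORE_FILTER is the gateway's
'show route all' before the inbound route filter, GW_AFTER_FILTER the same
table once the AS 12345 policy accepts the routes, and ROUTER_AFTER the IOS
table after redistribution; all are copied from the article as constructed
samples. The regex line shapes are an assumption derived from that output.
"""
import re
from dataclasses import dataclass
from typing import Optional

# GAIA learned route:   "B H 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 294"
_GAIA_VIA = re.compile(r"^(?P<flags>[A-Z](?:\s[A-Z])*)\s+(?P<prefix>\S+)\s+via\s+(?P<nh>\S+),"
                       r"\s*(?P<iface>\S+),\s*cost\s+\d+,\s*age\s+\d+$")
# GAIA connected route: "C 192.168.100.0/24 is directly connected, eth1"
_GAIA_CONN = re.compile(r"^(?P<flags>[A-Z](?:\s[A-Z])*)\s+(?P<prefix>\S+)\s+is directly connected,"
                        r"\s*(?P<iface>\S+)$")
# IOS BGP route:        "B 200.200.200.0/24 [200/100] via 192.168.100.1, 00:00:31"
_IOS_BGP = re.compile(r"^B\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<nh>[^,\s]+)")

@dataclass
class Route:
    proto: str              # first flag letter: C, S, B, ...
    hidden: bool            # GAIA 'H' flag: held by the routing daemon but not installed
    prefix: str
    nexthop: Optional[str]  # None for connected routes
    iface: str

def parse_gaia(text: str) -> list:
    """Parse 'show route all' / 'show route bgp' output; legend lines match nothing and are skipped."""
    routes = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _GAIA_VIA.match(line) or _GAIA_CONN.match(line)
        if not m:
            continue
        flags = m["flags"].split()
        routes.append(Route(flags[0], "H" in flags, m["prefix"], m.groupdict().get("nh"), m["iface"]))
    return routes

def hidden_bgp(text: str) -> list:
    """BGP prefixes learned from the peer but not installed: no inbound policy accepts them yet."""
    return [r.prefix for r in parse_gaia(text) if r.proto == "B" and r.hidden]

def installed_bgp(text: str) -> list:
    return [r.prefix for r in parse_gaia(text) if r.proto == "B" and not r.hidden]

def bgp_overlapping_connected(text: str) -> list:
    """BGP prefixes that are also directly connected networks on the gateway,
    i.e. the peer announcing the shared link back to us."""
    routes = parse_gaia(text)
    connected = {r.prefix for r in routes if r.proto == "C"}
    return sorted({r.prefix for r in routes if r.proto == "B" and r.prefix in connected})

def ios_bgp_via(text: str, nexthop: str) -> dict:
    """BGP entries in IOS 'show ip route' whose next hop is `nexthop`: prefix -> (AD, metric)."""
    return {m["prefix"]: (int(m["ad"]), int(m["metric"]))
            for m in (_IOS_BGP.match(line.strip()) for line in text.splitlines())
            if m and m["nh"] == nexthop}

# Constructed samples, copied from the article's output (legend lines trimmed).
GW_BEFORE_FILTER = """\
Codes: C - Connected, S - Static, R - RIP, B - BGP,
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 1117
B H 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 127.0.0.0/8 is directly connected, lo
B H 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 192.168.100.0/24 is directly connected, eth1
B H 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 294
C 200.200.200.0/24 is directly connected, Mgmt
"""
# After the inbound policy the article shows the same routes without the H flag.
GW_AFTER_FILTER = GW_BEFORE_FILTER.replace("B H ", "B ")
ROUTER_AFTER = """\
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is 10.10.10.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.10.2
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
C 192.168.200.200 is directly connected, Loopback0
B 200.200.200.0/24 [200/100] via 192.168.100.1, 00:00:31
"""

if __name__ == "__main__":
    print("hidden before filter:", hidden_bgp(GW_BEFORE_FILTER))
    print("installed after filter:", installed_bgp(GW_AFTER_FILTER))
    print("link prefix announced back by the peer:", bgp_overlapping_connected(GW_AFTER_FILTER))
    print("router learned from gateway:", ios_bgp_via(ROUTER_AFTER, "192.168.100.1"))
```

The administrative distance of 200 in the router's entry is the IOS default for iBGP-learned routes, which is the quick way to confirm the session is internal. The overlap finding is the caveat worth keeping an eye on: the router redistributes its connected 192.168.100.0/24 back to the gateway, so an inbound policy that only accepts the prefixes you actually need is tidier than accepting everything from the AS.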

The last thing I want to show to you are some helpful options or buttons.

Under Advanced Routing -> Routing Options you will find trace options for routing.

Route Options on Check Point GAIA WebUI

I suggest you turn them on and increase the size of the trace files.

Route Options – Trace Options on Check Point GAIA WebUI

Don’t forget to apply the setting with the button on top of this page!

The last thing is the way to restart the routing daemon. The button can be found at the bottom of the Route Options page.

Restart Routing Daemon on Check Point GAIA WebUI


Category: GAIA

November 18, 2012 at 3:32 pm · 8 comments · Tobias Lachmann

I hope you liked this little How-To on BGP.

Tobias Lachmann

November 20, 2012 at 7:40 pm Reply

michael endrizzi says:

holy xmas batman. when do you get time to write this book on bgp routing? excellent.

November 29, 2012 at 8:17 pm Reply

Yuri says:

Good write-up, may I suggest for site readability to put some of the post under a CUT?

January 10, 2013 at 6:00 pm Reply

simon says:

Very good! As usual.

February 24, 2013 at 2:09 pm Reply

David says:

Thank you Tobias, this blog steered my project in the right direction.

1 question if I may: did you have a problem with BGP having to reestablish during a ClusterXL failover?

August 10, 2013 at 10:04 pm Reply

Olivier says:

Hi,

I wonder why someone would want to use iBGP instead of OSPF for BGP redistribution?

What works best with Check Point GAiA, and what needs to be known in a cluster (VRRP or XL) setup?

Thank you, regards,

August 27, 2013 at 8:42 pm Reply

Xaby says:

How can I configure iBGP with a password in R76 GAIA?

October 5, 2013 at 1:05 pm Reply

Nitin says:

Hi,

I have R76 GAiA installed in a VSX cluster. BGP is running but I am not able to see a command “router bgp”; do I need an advanced routing license to enable these commands?

I am able to run BGP via commands like:

set as 65300
set bgp external remote-as 65105 peer x.x.x.x on
set bgp external remote-as 65105 import-routemap test on
set routemap test id 10 on
set routemap test id 10 allow
set routemap test match protocol bgp

This way I am able to get the routes but I am not able to control route restriction between different neighbors within the same AS.

Nitin

October 6, 2013 at 11:31 am Reply

Tobias Lachmann says:

Dear Nitin,

I can’t tell you for sure if a missing license for this feature will disable the CLI commands.

However, you need to deploy a license to use dynamic routing etc.

Please see this link for details.

If you really want to use BGP, I advise you to install R77 or the latest available version at the time.

Check Point has some issues when it comes to dynamic routing but is constantly working on this.

Best regards,

Tobias Lachmann
