Configuring BGP Between Router and Security Gateway Running GAIA

8/5/2014 Configuring BGP between Router and Security Gateway running GAIA
http://blog.lachmann.org/?p=1771 1/16
blog.lachmann.org
My Check Point blog Notes from a CCSE+
Configuring BGP between Router and Security Gateway running GAIA
Today well have a look at advanced routing and how we can exchange routing
information using the BGP protocol between a Check Point Security Gateway running
GAIA and a Cisco router.
It is common practice to use Internal Routing Protocols (IGPs) like ISIS or OSPF for
carrying your infrastructure addresses and Border Gateway Protocol (BGP) for
carrying Internet prefixes.
I found a very good presentation from Philip Smith who works for Cisco and explains
BGP best practices in detail.
We assume that we have the following setup: a router, connected to the Internet on
one hand and to a Security Gateway on the other hand. The Security Gateway should
tell the router which network it protects using BGP.
Cluster Control Protocol (CCP) over
Cisco Overlay Transport Virtualization
(OTV) or Brocade VCS fabric
technology.
Hardware of new Smart-1 appliances
Appliance hardware Updated 30th
June 2014
Check Point on IPv6
Endpoint Security number of licensed
clients does not match the number of
active clients
Ali Eskiocak on Ask your question
Ali Eskiocak on Ask your question
Toutouyoutou on Determine appliance
hardware from command line
next page on Check Point Performance
Evaluation Utility released
Johnathan on Dont filter (all) ICMP
you may need it!
July 2014
June 2014
April 2014
March 2014
February 2014
January 2014
November 2013
October 2013
About me Ask your question
Search
Recent Posts
Recent Comments
Archives
Lab Setup for connecting a Check Point Security Gateway to a router
using BGP
In this setup we have the following routing information on the Security Gateway:
firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed
S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 178
C 127.0.0.0/8 is directly connected, lo
C 192.168.100.0/24 is directly connected, eth1
C 200.200.200.0/24 is directly connected, Mgmt
And this is the routing table for the router:
router#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
August 2012
July 2012
June 2012
May 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
January 2010
December 2009
November 2009
Gateway of last resort is 10.10.10.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0
Note that the router is using a loopback IP address for establishing the BGP sessions.
See the BGP best practices presentation referenced above for detailed explanation
about this.
Now we configure our (Cisco) Router for an internal BGP (iBGP) session.
interface Loopback0
ip address 192.168.200.200 255.255.255.255
!
!
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.100.100 255.255.255.0
duplex auto
speed auto
!
router bgp 12345
bgp router-id 192.168.200.200
bgp log-neighbor-changes
neighbor BGP_TEST peer-group
neighbor BGP_TEST remote-as 12345
neighbor BGP_TEST description iBGP Session between Core and Security Gateway
neighbor BGP_TEST update-source Loopback0
neighbor 192.168.100.1 peer-group BGP_TEST
!
address-family ipv4
redistribute connected
redistribute static
neighbor BGP_TEST soft-reconfiguration inbound
neighbor 192.168.100.1 activate
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
At this point the router tries to establish a BGP session with our Security Gateway and
tells it about his own connected and static routes.
But the Security Gateway isnt answering the BGP requests so lets move on to the
configuration of GAIA.
October 2009
annoying
Apple
Appliance
Certification
Community
Content Inspection
Data Loss Prevention
Early Availability
Endpoint Security
Fun
GAIA
General
IPv6
OpenServer
Remote Access
Secure Platform
Security Management
Software Blades
Troubleshooting
Uncategorized
Virtual System
VMware
Log in
Entries RSS
Comments RSS
WordPress.org
Categories
Meta
There are different ways to configure BGP, in this example we use the WebUI for it.
First login and change the view to Advanced so that youre able to see all the menu
items in the WebUI.
Changing the Check Point GAIA WebUI to
Advanced View
Then choose BGP from Advanced Routing menu.
Choose BGP from Advanced Routing
Menu on Check Point GAIA WebUI
On the BGP menu, first check the configuration of the router ID. In our example we use
the real IP address of the Security Gateways external interface.
The next part is to change the Local System Identification.
Change_the BGP Local_System_Identification on Check Point
GAIA WebUI
As shown in the lab setup overview, our AS is 12345.
Save the change. Configuration page looks now like this.
BGP settings of Check Point GAIA WebUI
Now we will add a peer group which will contain our Cisco router as peer.
Add_a BGP Peer_Group on Check Point GAIA WebUI
Enter the peer AS numer. If it is equal to your own AS number, the page will show the
peer group type as Internal, otherwise as External.
Add a BGP Peer Group on Check Point GAIA WebUI
Then we enter the IP address of the Security Gateways external interface again as
Local Address.
And last we add the specific peer by clicking on add peer.
AS lock while adding BGP peer in Check Point GAIA
WebUI
Add BGP peer in Check Point GAIA WebUI
When you click on Show Advanced Settings youll see various options including
Logging and Trace Options. I recommend to turn them all on. The information can be
found in /var/log/routed.log and the output looks like this:
[Expert@firewall]# tail -f /var/log/routed.log
Nov 16 15:28:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345)
last checked 60 last recv'd 48
Nov 16 15:40:18 bgp_send: sending 19 bytes to 192.168.200.200 (Routing AS 12345)
Nov 16 15:40:18
Nov 16 15:40:18 BGP SEND 192.168.100.1+43878 -> 192.168.200.200+179
Nov 16 15:40:18 BGP SEND message type 4 (KeepAlive) length 19
Advanced Logging and Trace Options in Check Point GAIA WebUI
Overview of Peer Group configuration in Check Point GAIA WebUI
Close all configuration dialogs by clicking Save.
Advanced Routing -> BGP menu on Check Point GAIA WebUI
Now well have a look at the routing table of our Cisco router. Will we see the routes
from the Security Gateway?
router#show ip route
S* 0.0.0.0/0 [1/0] via 10.10.10.2
Nothing has changed here????
Lets have a look at the Security Gateway:
firewall> show route bgp
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
No learned routes here!
Checking the operating system routing table in expert mode:
[Expert@firewall]# ip route
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.1
200.200.200.0/24 dev Mgmt proto kernel scope link src 200.200.200.200
default via 192.168.100.100 dev eth1 proto cprd
Nothing here, either. Lets check again in CLISH:
S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 1117
B H 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 294
Here we see BGP routes learned from the router, but the routes are marked hidden.
Which means the routing process knows about them because he got the information
from the BGP peer, but is not passing this information along to the routing table of the
Security Gateway.
To solve the task of distributing routes via BGP, we have to configure some more
option in GAIA WebUI.
Select Route Redistribution from Advanced Routing menu.
Route Redistribution menu from
Check Point GAIA WebUI
In our example we want to redistribute the routes from the connected interfaces
through BGP, so select Add from Redistibute Interfaces.
Redistribute_Interfaces menu from Check PoinT GAIA WebUI
Then select to which routing process you want to distribute to.
Redistribute_Interfaces_Choose_Protocol on Check
Point GAIA WebUI
Then select which interface(s) you want to redistribute.
Redistribute Interfaces Choose Interface on Check
Point GAIA WebUI
Then enter a metric and click Save.
Redistribute All Interfaces on Check Point GAIA WebUI
From this point on you will redistribute your routes over BGP to the Cisco router.
Redistribute All Interfaces Summary on Check Point GAIA WebUI
Lets check with the router:
router#show ip route
S* 0.0.0.0/0 [1/0] via 10.10.10.2
B 200.200.200.0/24 [200/100] via 192.168.100.1, 00:00:31
At this point we achieved our goals, routes from the Security Gateway are distributed to
the router using BGP.
But what to do if we want to import routes from the router into the Security Gateway?
In this case we have to define Inbound Route Filters. Select the appropriate menu from
WebUI.
Inbound Route Filter Menu on
Then we need to define a BGP Policy for routes to import. Click on Add BGP Policy.
Inbound Route Filters Add BGP Policy on Check Point GAIA WebUI
Define which routes to accept. In our case we accept all routes from peers in AS
12345.
Inbound Route Filters Add BGP Policy Detail on Check Point GAIA WebUI
The summary show you the new BGP policy and from that point on your Security
Gateway accepts routes send by BGP from the Cisco router.
The routing tables looks like this:
firewall> show route bgp
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 58
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 58
S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 669
B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 62
B 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 62
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 62
The last thing I want to show to you are some helpful options or buttons.
Under Advanced Routing -> Routing Options you will find trace options for routing.
Route Options on Check Point
GAIA WebUI
I suggest you turn them on increase the size for the trace files.
Route Options Trace Options on Check Point GAIA WebUI
Dont forget to apply the setting with the button on top of this page!
Last thing is the way to restart the routing daemon. The button can be found on the
bottom of the Route Options page.
Restart Routing Daemon on
Category: GAIA
November 18, 2012 at 3:32 pm 8 comments TobiasLachmann
I hope you liked this little How-To on BGP.
Tobias Lachmann
November 20, 2012 at 7:40 pm Reply
michael endrizzi says:
holy xmas batman. when do you get time to write this book on bgp routing? excellent.
November 29, 2012 at 8:17 pm Reply
Yuri says:
Good write up, may i suggest for site readability to put some of part under CUT ?
January 10, 2013 at 6:00 pm Reply
simon says:
trs bien ! as usual
February 24, 2013 at 2:09 pm Reply
David says:
Thank you Tobias this blog steered my project in the right direction
1 question if I may, did you have a problem with BGP having to reestablish during a
clusterXL failover?
August 10, 2013 at 10:04 pm Reply
Olivier says:
Hi,
I wonder why someone wants to use iBGP insted of OSPF for BGP redistribution?
What works best with CheckPoint GAiA and what needs to be known in a cluster (vrrp
or XL) setup?
Thank you, regards,
Xaby says:
How I can configure a iBGP with password in R76 GAIA ?
8 Responses
August 27, 2013 at 8:42 pm Reply
October 5, 2013 at 1:05 pm Reply
Nitin says:
Hi,
I have a R76 GAiA installed in a VSX cluster. BGP is running but I am not able to see a
command router bgp, do I need advanced routing license to enable these commands.
I am able to run BGP via commands like:
set as 65300
set bgp external remote-as 65105 peer x.x.x.x on
set bgp external remote as 65105 import-routemap test on
set routemap test id 10 on
set routemap test id 10 allow
set routemap test match protocol bgp.
This way I an able to get the routes but I am not able to control route restriction
between different neighbors within same as.
Nitin
October 6, 2013 at 11:31 am Reply
Tobias Lachmann says:
Dear Nittin,
I cant tell you for sure if a missing license for this feature will disable the CLI
commands.
However, you need to deploy a license to use dynamic routing etc.
Please see this link for details.
If you really want to use BGP, I advise you to install R77 or the latest available version
at the time.
Check Point has some issues when it comes to dynamic routing but is constantly
working on this.
Best regards,
Tobias Lachmann
Your email address will not be published. Required fields are marked *
Name *
Email *
Website
Leave a Comment
Comment
Send Comment
Proudly powered by WordPress. Design by WPlook

Configuring BGP Between Router and Security Gateway Running GAIA

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Configuring BGP Between Router and Security Gateway Running GAIA

Hochgeladen von

Copyright:

Verfügbare Formate

8/5/2014 Configuring BGP between Router and Security Gateway running GAIA

Das könnte Ihnen auch gefallen