By John Ejaife
There may be situations where you elect to run BGP on your
Check Point enterprise edge firewall. This can be configured via Check Point's
WebUI. However, there may come a time when you don't have access to a readily
available browser but still have console or SSH access to the firewall.
This article explains how to implement BGP from the Check Point command
line (using CLISH commands) to peer with an ISP router (a Cisco router, in
this instance).
Our Check Point edge firewall will peer with the router for
ISP1, which will in turn peer with the router for ISP2. The Check Point firewall will
be configured with Autonomous System (AS) 40152. The ISP1 router will be configured
with AS 10007, and the ISP2 router will be configured with AS 20008, as outlined
in the diagram below. It is assumed that all interfaces have been
preconfigured.
The interfaces on each network node are configured as follows:

Check_Point_Edge_Firewall eth0: 80.102.37.49/24
ISP1_Router G0/0: 80.102.37.50/24
ISP1_Router G0/1: 54.3.9.17/29
ISP2_Router G0/0: 54.3.9.18/29
ISP2_Router Lo1: 3.3.3.3/32
The first thing we will want to do on the Check Point
firewall is verify which routes have been learned. We do this by typing the
command `show route`.
As you can see from the command's output below, there is a
static default route sending all traffic to the Check Point's neighbor at
80.102.37.50. We will want to remove this route eventually, but not right
away.
Let's configure BGP on the ISP1 router first.
Next, let's configure BGP on the ISP2 router.
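The router-side configuration the two steps above refer to is not reproduced in the text, so here is an added Cisco IOS example (not the author's own configuration) that matches the addressing and AS numbers given earlier. It assumes the interface addresses are already in place as listed, and that ISP1 advertises its transit link (54.3.9.16/29) while ISP2 originates its Lo1 loopback (3.3.3.3/32), which is what the Check Point firewall is shown learning later in the article. The neighbor descriptions are constructed for readability.

```cisco
! ISP1 router (AS 10007): eBGP to the Check Point edge firewall and to ISP2.
! Interface addresses are assumed to be preconfigured as listed above.
router bgp 10007
 bgp log-neighbor-changes
 ! Peer with the Check Point edge firewall (AS 40152) on G0/0
 neighbor 80.102.37.49 remote-as 40152
 neighbor 80.102.37.49 description Check_Point_Edge_Firewall
 ! Peer with the ISP2 router (AS 20008) on G0/1
 neighbor 54.3.9.18 remote-as 20008
 neighbor 54.3.9.18 description ISP2_Router
 ! Advertise the ISP1-ISP2 transit link so the firewall learns 54.3.9.16/29
 network 54.3.9.16 mask 255.255.255.248
!
! ISP2 router (AS 20008): eBGP to ISP1, originating the Lo1 loopback.
router bgp 20008
 bgp log-neighbor-changes
 neighbor 54.3.9.17 remote-as 10007
 neighbor 54.3.9.17 description ISP1_Router
 ! Originate Lo1 (3.3.3.3/32) so it is reachable end to end
 network 3.3.3.3 mask 255.255.255.255
!
! Verification from exec mode on either router:
!   show ip bgp summary   - neighbor state and prefixes received
!   show ip route bgp     - routes installed from BGP
```

The `network` statements only take effect when the exact prefix is present in the router's routing table, which the connected interfaces satisfy here. `bgp log-neighbor-changes` writes session up/down events to the log, which is the first place to look when a peering unexpectedly drops. No default route is originated toward the firewall in this example, because the article's final routing table shows only the specific prefixes learned from ISP1.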
As you can see from the output above, a BGP neighborship has
formed between the ISP1 router and the ISP2 router.
Now, let's check the routes learned from BGP on the ISP1
router by typing `sh ip route bgp`.
As you can see, the ISP1 router has learned about the
3.3.3.3/32 network from its ISP2 neighbor at 54.3.9.18. Let's see if we can
ping 3.3.3.3.
As you can see, the ISP1 router has learned about the
3.3.3.3/32 network from ISP2 and can ping it as well.
Now, let's configure the Check Point edge firewall. First,
let's remove the static default route. (In a production environment, you would
want to save this step until after you have confirmed that BGP is working.)
Removing the static default route is accomplished with the following command:
`set static-route default nexthop gateway address 80.102.37.50 off`
Let’s perform this on the edge firewall.
Now, let's check the routes on the Check Point firewall
again by typing `show route`.
As you can see, the static default route is now gone. Now,
let's add the following Check Point CLISH commands to configure BGP. The two
`log-*` settings record the peer's session state changes and warnings in the
system log, which makes an unexpected session drop visible when troubleshooting.

```
set as 40152
set bgp external remote-as 10007 on
set bgp external remote-as 10007 description IS
set bgp external remote-as 10007 local-address 80.102.37.49 on
set bgp external remote-as 10007 peer 80.102.37.50 on
set bgp external remote-as 10007 peer 80.102.37.50 log-state-transitions on
set bgp external remote-as 10007 peer 80.102.37.50 log-warnings on
```
Now, let's verify that the BGP neighborship is up by typing
`show bgp peers`, as below:
As you can see, the BGP session is established. Now, let's
verify whether we're seeing the BGP-learned routes by typing `show route`.
It seems as though we're not seeing them here, since the
route table only shows two connected routes. However, if we type `show route
all`, we'll see the additional routes.
As you can see, the routes to 3.3.3.3/32 and 54.3.9.16/29
are there; however, they are hidden. If we try to ping 3.3.3.3, as below, we are
unable to. We'll rectify this shortly.
To unhide the routes from the routing table, we must allow
them to be imported using a route map, with the following commands. Note that
this route map accepts every prefix that AS 10007 advertises from this
neighbor; in production you would normally also match on the prefixes you
expect to receive, so that an unexpected or mistaken advertisement from the
ISP is not installed in the firewall's routing table.

```
set bgp external remote-as 10007 import-routemap "ISP-bgp" preference 1 on
set routemap ISP-bgp id 1 on
set routemap ISP-bgp id 1 allow
set routemap ISP-bgp id 1 match as 10007 on
set routemap ISP-bgp id 1 match neighbor 80.102.37.50 on
```
Let’s add these commands:
Now, let's verify that the BGP-learned routes are no longer
hidden from the routing table by typing `show route`.
Now, let's confirm that we can ping the loopback interface
of the ISP2 router by typing `ping 3.3.3.3` on the Check Point firewall.
As you can see, the 3.3.3.3/32 network is reachable from the
Check Point edge firewall via BGP.
As always, you’ll want to save your configuration with the
`save config` command.
If you need help setting up Check Point firewalls at your
organization, contact sales@spikefishsolutions.com