Wednesday, March 13, 2019

Implementing BGP in Check Point R80, from the Command Line



There may be situations where you elect to run BGP on your Check Point enterprise edge firewall. This can be configured via Check Point’s WebUI. However, there may come a time when you don’t have access to a browser but still have console or SSH access to the firewall. This article explains how to implement BGP from the Check Point command line (using CLISH commands) to peer with an ISP router (a Cisco router, in this instance).
Our Check Point edge firewall will peer with the router for ISP1, which will in turn peer with the router for ISP2. The Check Point firewall will be configured with Autonomous System (AS) 40152, the ISP1 router with AS 10007, and the ISP2 router with AS 20008, as outlined in the diagram below. It is assumed that all interfaces have been preconfigured.



The Interfaces on each network node are configured as follows:
Check_Point_Edge_Firewall eth0: 80.102.37.49/24
ISP1_Router G0/0: 80.102.37.50/24
ISP1_Router G0/1: 54.3.9.17/29
ISP2_Router G0/0: 54.3.9.18/29
ISP2_Lo1: 3.3.3.3/32


The first thing we will want to do on the Check Point firewall is verify which routes have been learned. We do this by typing the command `show route`.



As you can see from the command’s output, below, there is a static default route sending all traffic to the Check Point’s neighbor at 80.102.37.50. We will want to remove this route eventually, but not right away.

Let’s configure BGP on the ISP1 Router, first.

Next, let’s configure BGP on the ISP2 Router.

As you can see from the output above, a BGP neighborship has formed between the ISP1 router and the ISP2 router.
Now, let’s check the routes learned from BGP on the ISP1 router by typing `sh ip route bgp`.


As you can see, the ISP1 router has learned about the 3.3.3.3/32 network from its ISP2 neighbor at 54.3.9.18. Let’s see if we can ping 3.3.3.3.


As you can see, the ISP1 router has learned about the 3.3.3.3/32 network from ISP2 and can ping it, as well.

Now, let’s configure the Check Point edge firewall. First, let’s remove the static default route. (In a production environment, you would want to save this step until after you have confirmed that BGP is working.) Removing the static default route is accomplished with the following command: `set static-route default nexthop gateway address 80.102.37.50 off`
Let’s perform this on the edge firewall.


Now, let’s check the routes on the Check Point firewall again by typing `show route`.


As you can see, the static default route is now gone. Now, let’s add the following Check Point CLISH commands to configure BGP:

```
set as 40152
set bgp external remote-as 10007 on
set bgp external remote-as 10007 description IS
set bgp external remote-as 10007 local-address 80.102.37.49 on
set bgp external remote-as 10007 peer 80.102.37.50 on
set bgp external remote-as 10007 peer 80.102.37.50 log-state-transitions on
set bgp external remote-as 10007 peer 80.102.37.50 log-warnings on
```


Now, let’s verify that the BGP neighborship is up by typing `show bgp peers`, as below:


As you can see, the BGP session is established. Now, let’s verify whether we’re seeing the BGP-learned routes by typing `show route`.


It seems we’re not seeing them here, since the route table shows only two connected routes. However, if we type `show route all`, we’ll see the additional routes.


As you can see, the routes to 3.3.3.3/32 and 54.3.9.16/29 are there; however, they are hidden. If we try to ping 3.3.3.3, as below, we are unable to. We’ll rectify this shortly.
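Spotting hidden BGP routes by eye is easy on a firewall with two peers and a handful of prefixes; it is less easy once `show route all` runs to several screens. The following Python script is an added example (not from the article or from Check Point) that parses the text of `show route all` and lists every BGP route carrying the `H` (hidden) flag, which is exactly the symptom seen above before the import route map is applied. The embedded sample output is constructed to approximate Gaia’s layout (a legend block, then one route per line with a protocol code, optional flag letters, the prefix and the next hop); check it against your own firewall’s output before relying on the parser.

```python
import re

# Constructed sample approximating Gaia `show route all` output on the
# edge firewall after the BGP peer is up but before an import route map
# exists. It is NOT captured output from the article's firewall.
SAMPLE_SHOW_ROUTE_ALL = """\
Codes: C - Connected, S - Static, R - RIP, B - BGP (D - Default),
       O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
       A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed,
       U - Unreachable, i - Inactive

C         80.102.37.0/24      is directly connected, eth0
C         127.0.0.0/8         is directly connected, lo
B    H    3.3.3.3/32          via 80.102.37.50, eth0, cost 0, age 120
B    H    54.3.9.16/29        via 80.102.37.50, eth0, cost 0, age 120
"""

PREFIX_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}$")
NEXTHOP_RE = re.compile(r"via (\d{1,3}(?:\.\d{1,3}){3})")


def parse_routes(text):
    """Return one dict per route line: protocol code, flag set, prefix, next hop.

    Legend lines and blank lines are skipped because they carry no
    token shaped like an IPv4 prefix.
    """
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        # A route line starts with a single-letter protocol code (C, S, B, ...).
        if not tokens or len(tokens[0]) != 1 or not tokens[0].isalpha():
            continue
        idx = next((i for i, t in enumerate(tokens) if PREFIX_RE.match(t)), None)
        if idx is None:
            continue
        rest = " ".join(tokens[idx + 1:])
        m = NEXTHOP_RE.search(rest)
        routes.append({
            "proto": tokens[0],
            "flags": set(tokens[1:idx]),   # e.g. {"H"} for a hidden route
            "prefix": tokens[idx],
            "nexthop": m.group(1) if m else None,
        })
    return routes


def hidden_bgp_routes(text):
    """BGP routes present in the RIB but hidden from forwarding.

    On Gaia these are routes the peer sent that no import policy accepted,
    so the fix is an import route map rather than a peering change.
    """
    return [r for r in parse_routes(text) if r["proto"] == "B" and "H" in r["flags"]]


if __name__ == "__main__":
    for r in hidden_bgp_routes(SAMPLE_SHOW_ROUTE_ALL):
        print(f"hidden BGP route {r['prefix']} via {r['nexthop']} (no import route map?)")
```

In practice you would feed the script the saved output of `show route all` (for example via `clish -c "show route all"` from the expert shell, which is an assumption about your access rather than something the article uses) and treat any hidden BGP route as a sign that the peer’s import route map is missing or does not match.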



To unhide the routes in the routing table, we must allow them to be imported using a route map, with the following commands:

```
set bgp external remote-as 10007 import-routemap "ISP-bgp" preference 1 on
set routemap ISP-bgp id 1 on
set routemap ISP-bgp id 1 allow
set routemap ISP-bgp id 1 match as 10007 on
set routemap ISP-bgp id 1 match neighbor 80.102.37.50 on
```

Let’s add these commands:
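The route map above matches on the peer’s AS and address only, so once it is applied every prefix ISP1 announces is accepted into the routing table. The following Python script is an added example (not from the article or from Check Point) that reads a set of CLISH `set bgp` / `set routemap` lines and reports two things a reviewer would want to know: an external peer with no import route map at all (the state that produced the hidden routes earlier), and an import route map whose `match` clauses never constrain the prefix. The command sets embedded in it are constructed from the article’s commands; the prefix-matching form `match network <prefix> exact` in the third set is an assumption about Gaia route-map syntax and should be checked against the Gaia Advanced Routing guide for your release.

```python
import re

# Constructed from the article's commands: the peer with no import policy.
PEER_ONLY = """\
set as 40152
set bgp external remote-as 10007 on
set bgp external remote-as 10007 local-address 80.102.37.49 on
set bgp external remote-as 10007 peer 80.102.37.50 on
"""

# The article's ISP-bgp route map: accepts anything from AS 10007 / the peer.
WITH_ROUTEMAP = PEER_ONLY + """\
set bgp external remote-as 10007 import-routemap "ISP-bgp" preference 1 on
set routemap ISP-bgp id 1 on
set routemap ISP-bgp id 1 allow
set routemap ISP-bgp id 1 match as 10007 on
set routemap ISP-bgp id 1 match neighbor 80.102.37.50 on
"""

# Assumed prefix-constrained variant (match network syntax is an assumption,
# not taken from the article): only the two expected prefixes are imported.
WITH_PREFIX_MATCH = WITH_ROUTEMAP + """\
set routemap ISP-bgp id 1 match network 3.3.3.3/32 exact on
set routemap ISP-bgp id 1 match network 54.3.9.16/29 exact on
"""

PEER_RE = re.compile(r"^set bgp external remote-as (\d+) ")
IMPORT_RE = re.compile(r'^set bgp external remote-as (\d+) import-routemap "?([^"\s]+)"? ')
MATCH_RE = re.compile(r"^set routemap (\S+) id (\d+) match (\S+)\b")


def check_bgp_import(config):
    """Return a list of findings (empty means every external peer has a
    prefix-constrained import route map)."""
    peers, imports, match_kinds = set(), {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = IMPORT_RE.match(line)          # must be tested before PEER_RE
        if m:
            imports[m.group(1)] = m.group(2)
            continue
        m = PEER_RE.match(line)
        if m:
            peers.add(m.group(1))
            continue
        m = MATCH_RE.match(line)
        if m:
            match_kinds.setdefault(m.group(1), set()).add(m.group(3))

    findings = []
    for asn in sorted(peers):
        if asn not in imports:
            findings.append(f"AS {asn}: no import-routemap; learned routes stay hidden")
            continue
        name = imports[asn]
        kinds = match_kinds.get(name, set())
        if "network" not in kinds:
            findings.append(
                f"AS {asn}: route map {name} matches only {sorted(kinds)}; "
                "every prefix the peer sends is accepted"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("peer only", PEER_ONLY),
                       ("with route map", WITH_ROUTEMAP),
                       ("with prefix match", WITH_PREFIX_MATCH)):
        print(label, "->", check_bgp_import(cfg) or ["ok"])
```

The script works on the commands as typed in CLISH, so you can run it against the BGP section of `show configuration` (an assumption about how you export the running config) after making changes, and before you remove the static default route in production.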





Now, let’s verify that the BGP-learned routes are no longer hidden from the routing table by typing `show route`.



Now, let’s confirm that we can ping the loopback interface of the ISP2 router by typing `ping 3.3.3.3` on the Check Point edge firewall.



As you can see, the 3.3.3.3/32 network is reachable from the Check Point edge firewall via BGP.
As always, you’ll want to save your configuration with the `save config` command.


If you need help setting up Check Point firewalls at your organization, contact sales@spikefishsolutions.com