Configuring BGP between Router and Security Gateway running GAIA

Posted on 2012-11-19 08:19:14
Today we’ll have a look at advanced routing and how we can exchange routing information using the BGP protocol between a Check Point Security Gateway running GAIA and a Cisco router.

It is common practice to use Interior Gateway Protocols (IGPs) like IS-IS or OSPF for carrying your infrastructure addresses and the Border Gateway Protocol (BGP) for carrying Internet prefixes.

I found a very good presentation from Philip Smith who works for Cisco and explains BGP best practices in detail.

We assume that we have the following setup: a router, connected to the Internet on one side and to a Security Gateway on the other. The Security Gateway should tell the router which network it protects using BGP.

Lab Setup for connecting a Check Point Security Gateway to a router using BGP




In this setup we have the following routing information on the Security Gateway:

firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed


S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 178
C 127.0.0.0/8 is directly connected, lo
C 192.168.100.0/24 is directly connected, eth1
C 200.200.200.0/24 is directly connected, Mgmt


And this is the routing table for the router:

router#sho ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.10.10.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0


Note that the router is using a loopback IP address for establishing the BGP session. See the BGP best practices presentation referenced above for a detailed explanation of why this is done.

Now we configure our (Cisco) Router for an internal BGP (iBGP) session.

interface Loopback0
ip address 192.168.200.200 255.255.255.255
!
!
interface GigabitEthernet0/0
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.100.100 255.255.255.0
duplex auto
speed auto
!
router bgp 12345
bgp router-id 192.168.200.200
bgp log-neighbor-changes
neighbor BGP_TEST peer-group
neighbor BGP_TEST remote-as 12345
neighbor BGP_TEST description iBGP Session between Core and Security Gateway
neighbor BGP_TEST update-source Loopback0
neighbor 192.168.100.1 peer-group BGP_TEST
!
address-family ipv4
redistribute connected
redistribute static
neighbor BGP_TEST soft-reconfiguration inbound
neighbor 192.168.100.1 activate
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2

At this point the router tries to establish a BGP session with our Security Gateway and tells it about its own connected and static routes.
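One detail of the router configuration above is easy to miss: because of `update-source Loopback0`, the router sources the session from 192.168.200.200, not from the directly connected 192.168.100.100, so that is the peer address the Security Gateway has to be configured with (and the address that shows up in the routed.log excerpt later in this post). The following added example, which is not part of the original post, parses a constructed copy of the IOS configuration from this lab, resolves peer-group inheritance and reports for each peer the session type, the source address the far end will see, and what the router will redistribute. The function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the lab router's relevant configuration (from this post),
# indented the way IOS prints it so stanza boundaries are visible to the parser.
ROUTER_CONFIG = """\
interface Loopback0
 ip address 192.168.200.200 255.255.255.255
!
interface GigabitEthernet0/1
 ip address 192.168.100.100 255.255.255.0
!
router bgp 12345
 bgp router-id 192.168.200.200
 neighbor BGP_TEST peer-group
 neighbor BGP_TEST remote-as 12345
 neighbor BGP_TEST update-source Loopback0
 neighbor 192.168.100.1 peer-group BGP_TEST
 address-family ipv4
  redistribute connected
  redistribute static
  neighbor BGP_TEST soft-reconfiguration inbound
  neighbor 192.168.100.1 activate
 exit-address-family
!
ip route 0.0.0.0 0.0.0.0 10.10.10.2
"""


@dataclass
class Neighbor:
    name: str
    remote_as: Optional[int] = None
    update_source: Optional[str] = None
    peer_group: Optional[str] = None
    activated: bool = False
    soft_reconfig_inbound: bool = False


def parse_ios_bgp(config: str) -> dict:
    """Extract interface addresses and the 'router bgp' stanza into plain data."""
    interfaces, neighbors, groups, redistribute = {}, {}, set(), []
    local_as = router_id = None
    current_if, in_bgp = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):          # a new top-level stanza starts here
            current_if, in_bgp = None, False
            if m := re.match(r"interface (\S+)$", line):
                current_if = m.group(1)
            elif m := re.match(r"router bgp (\d+)$", line):
                local_as, in_bgp = int(m.group(1)), True
            continue
        if current_if and line.startswith("ip address "):
            interfaces[current_if] = line.split()[2]
        elif in_bgp:
            tok = line.split()
            if tok[0] == "redistribute":
                redistribute.append(tok[1])
            elif tok[:2] == ["bgp", "router-id"]:
                router_id = tok[2]
            elif tok[0] == "neighbor":
                n = neighbors.setdefault(tok[1], Neighbor(tok[1]))
                if tok[2] == "peer-group" and len(tok) == 3:
                    groups.add(n.name)               # declares a peer-group
                elif tok[2] == "peer-group":
                    n.peer_group = tok[3]            # joins a peer-group
                elif tok[2] == "remote-as":
                    n.remote_as = int(tok[3])
                elif tok[2] == "update-source":
                    n.update_source = tok[3]
                elif tok[2] == "activate":
                    n.activated = True
                elif tok[2:4] == ["soft-reconfiguration", "inbound"]:
                    n.soft_reconfig_inbound = True
    return {"local_as": local_as, "router_id": router_id, "interfaces": interfaces,
            "neighbors": neighbors, "groups": groups, "redistribute": redistribute}


def session_report(config: str) -> list:
    """One entry per real peer, with settings inherited from its peer-group."""
    p = parse_ios_bgp(config)
    report = []
    for n in p["neighbors"].values():
        if n.name in p["groups"]:
            continue                                  # templates are not peers
        g = p["neighbors"].get(n.peer_group) if n.peer_group else None
        remote_as = n.remote_as if n.remote_as is not None else (g.remote_as if g else None)
        src_if = n.update_source or (g.update_source if g else None)
        report.append({
            "peer": n.name,
            "remote_as": remote_as,
            "session": "iBGP" if remote_as == p["local_as"] else "eBGP",
            # The address the far end must configure as its peer: the IP of the
            # update-source interface, not the directly connected interface.
            "source_ip": p["interfaces"].get(src_if) if src_if else None,
            "activated": n.activated or bool(g and g.activated),
            "soft_reconfig_inbound": n.soft_reconfig_inbound or bool(g and g.soft_reconfig_inbound),
            "advertises": list(p["redistribute"]),
        })
    return report


if __name__ == "__main__":
    for entry in session_report(ROUTER_CONFIG):
        print(entry)
```

Running it against the lab configuration reports a single iBGP peer, 192.168.100.1, whose session will be sourced from 192.168.200.200 and which will receive the router's connected and static routes.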

But the Security Gateway isn’t answering the BGP requests so let’s move on to the configuration of GAIA.

There are different ways to configure BGP; in this example we use the WebUI.

First login and change the view to Advanced so that you’re able to see all the menu items in the WebUI.

Changing the Check Point GAIA WebUI to Advanced View



Then choose BGP from Advanced Routing menu.

Choose BGP from Advanced Routing Menu on Check Point GAIA WebUI




On the BGP menu, first check the configuration of the router ID. In our example we use the real IP address of the Security Gateway's external interface.

The next part is to change the Local System Identification.

Change_the BGP Local_System_Identification on Check Point GAIA WebUI




As shown in the lab setup overview, our AS is 12345.

Save the change. The configuration page now looks like this.

BGP settings of Check Point GAIA WebUI




Now we will add a peer group which will contain our Cisco router as peer.

Add_a BGP Peer_Group on Check Point GAIA WebUI



Enter the peer AS number. If it is equal to your own AS number, the page will show the peer group type as Internal, otherwise as External.

Add a BGP Peer Group on Check Point GAIA WebUI




Then we enter the IP address of the Security Gateway's external interface again as Local Address.

And last we add the specific peer by clicking on add peer.

AS lock while adding BGP peer in Check Point GAIA WebUI



Add BGP peer in Check Point GAIA WebUI



When you click on Show Advanced Settings you'll see various options including Logging and Trace Options. I recommend turning them all on. The information can be found in /var/log/routed.log and the output looks like this:

[Expert@firewall]# tail -f /var/log/routed.log
Nov 16 15:28:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 48
Nov 16 15:29:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 1
Nov 16 15:30:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 6
Nov 16 15:31:07 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 6
Nov 16 15:40:18 bgp_traffic_timeout: peer 192.168.200.200 (Routing AS 12345) last checked 60 last recv'd 60
Nov 16 15:40:18 bgp_send: sending 19 bytes to 192.168.200.200 (Routing AS 12345)
Nov 16 15:40:18
Nov 16 15:40:18 BGP SEND 192.168.100.1+43878 -> 192.168.200.200+179
Nov 16 15:40:18 BGP SEND message type 4 (KeepAlive) length 19

Advanced Logging and Trace Options in Check Point GAIA WebUI



Overview of Peer Group configuration in Check Point GAIA WebUI



Close all configuration dialogs by clicking Save.


Advanced Routing -> BGP menu on Check Point GAIA WebUI




Now we'll have a look at the routing table of our Cisco router. Will we see the routes from the Security Gateway?

router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.10.10.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0

Nothing has changed here????

Let’s have a look at the Security Gateway:

firewall> show route bgp
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

No learned routes here!

Checking the operating system routing table in expert mode:

[Expert@firewall]# ip route
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.1
200.200.200.0/24 dev Mgmt proto kernel scope link src 200.200.200.200
default via 192.168.100.100 dev eth1 proto cprd

Nothing here, either. Let’s check again in CLISH:

firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 1117
B H 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 127.0.0.0/8 is directly connected, lo
B H 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 192.168.100.0/24 is directly connected, eth1
B H 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 294
C 200.200.200.0/24 is directly connected, Mgmt

Here we see BGP routes learned from the router, but the routes are marked "hidden" (the H flag). This means the routing daemon knows about them, because it received them from the BGP peer, but it is not installing them into the routing table of the Security Gateway.
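The difference between "known to routed" and "actually forwarded" is exactly what you want a check for when a peering looks up but traffic does not flow. The following added example, not part of the original post, parses constructed copies of the CLISH `show route all` output and the kernel `ip route` output shown above and reports, for each BGP-learned prefix, whether it was installed, hidden but covered by a connected or static route, or hidden and not forwarded at all. The regular expression and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed copies of the tables shown above: the CLISH view while the BGP
# routes were still hidden, the same view after the inbound policy was added,
# and the kernel view from 'ip route'.
CLISH_BEFORE = """\
S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 1117
B H 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 127.0.0.0/8 is directly connected, lo
B H 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 294
C 192.168.100.0/24 is directly connected, eth1
B H 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 294
C 200.200.200.0/24 is directly connected, Mgmt
"""

CLISH_AFTER = """\
S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 669
B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 127.0.0.0/8 is directly connected, lo
B 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 192.168.100.0/24 is directly connected, eth1
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 62
C 200.200.200.0/24 is directly connected, Mgmt
"""

KERNEL_BEFORE = """\
192.168.100.0/24 dev eth1 proto kernel scope link src 192.168.100.1
200.200.200.0/24 dev Mgmt proto kernel scope link src 200.200.200.200
default via 192.168.100.100 dev eth1 proto cprd
"""

# Protocol letter, optional H (hidden) flag, prefix, then either a next hop
# and interface or a "directly connected" interface.
ROUTE_RE = re.compile(
    r"^(?P<proto>[A-Z])\s+(?P<hidden>H\s+)?(?P<prefix>\S+)\s+"
    r"(?:via (?P<nexthop>\S+),\s*(?P<iface>\S+),|is directly connected,\s*(?P<ciface>\S+))"
)


@dataclass
class Route:
    proto: str
    prefix: str
    hidden: bool
    nexthop: Optional[str]
    iface: str


def parse_clish(text: str) -> list:
    """Parse 'show route' lines; legend lines and blanks do not match and are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["proto"], m["prefix"], bool(m["hidden"]),
                                m["nexthop"], m["iface"] or m["ciface"]))
    return routes


def kernel_prefixes(text: str) -> set:
    """Destinations the kernel will actually forward to ('default' normalised)."""
    out = set()
    for line in text.splitlines():
        if line.strip():
            dst = line.split()[0]
            out.add("0.0.0.0/0" if dst == "default" else dst)
    return out


def explain_bgp_routes(clish_text: str, kernel_text: str) -> dict:
    """For every BGP-learned prefix, say whether it reached the forwarding table."""
    routes = parse_clish(clish_text)
    kernel = kernel_prefixes(kernel_text)
    others = {r.prefix for r in routes if r.proto != "B"}
    verdict = {}
    for r in routes:
        if r.proto != "B":
            continue
        if not r.hidden:
            verdict[r.prefix] = "installed"
        elif r.prefix in others and r.prefix in kernel:
            verdict[r.prefix] = "hidden; kernel uses the connected/static route instead"
        else:
            verdict[r.prefix] = "hidden; not forwarded at all"
    return verdict


if __name__ == "__main__":
    for prefix, status in explain_bgp_routes(CLISH_BEFORE, KERNEL_BEFORE).items():
        print(f"{prefix:20} {status}")
```

On the "before" table this reports 10.10.10.0/24 and 192.168.200.200/32 as hidden and not forwarded, while 192.168.100.0/24 is hidden but still reachable through the connected route; on the "after" table every BGP prefix is installed.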

To solve the task of distributing routes via BGP, we have to configure some more options in the GAIA WebUI.

Select Route Redistribution from Advanced Routing menu.

Route Redistribution menu from Check Point GAIA WebUI




In our example we want to redistribute the routes from the connected interfaces through BGP, so select Add from Redistribute Interfaces.

Redistribute_Interfaces menu from Check Point GAIA WebUI




Then select the routing process you want to redistribute to.

Redistribute_Interfaces_Choose_Protocol on Check Point GAIA WebUI




Then select which interface(s) you want to redistribute.

Redistribute Interfaces Choose Interface on Check Point GAIA WebUI




Then enter a metric and click Save.

Redistribute All Interfaces on Check Point GAIA WebUI




From this point on you will redistribute your routes over BGP to the Cisco router.

Redistribute All Interfaces Summary on Check Point GAIA WebUI




Let’s check with the router:

router#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 10.10.10.2 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.10.2
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.0/24 is directly connected, GigabitEthernet0/0
L 10.10.10.1/32 is directly connected, GigabitEthernet0/0
192.168.100.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.100.0/24 is directly connected, GigabitEthernet0/1
L 192.168.100.100/32 is directly connected, GigabitEthernet0/1
192.168.200.0/32 is subnetted, 1 subnets
C 192.168.200.200 is directly connected, Loopback0
B 200.200.200.0/24 [200/100] via 192.168.100.1, 00:00:31

At this point we have achieved our goal: routes from the Security Gateway are distributed to the router using BGP (the [200/100] in the router's table is the iBGP administrative distance of 200 and the metric of 100 we entered in the redistribution dialog).

But what to do if we want to import routes from the router into the Security Gateway?

In this case we have to define Inbound Route Filters. Select the appropriate menu from WebUI.

Inbound Route Filter Menu on Check Point GAIA WebUI




Then we need to define a BGP Policy for routes to import. Click on Add BGP Policy.

Inbound Route Filters Add BGP Policy on Check Point GAIA WebUI




Define which routes to accept. In our case we accept all routes from peers in AS 12345.

Inbound Route Filters – Add BGP Policy – Detail on Check Point GAIA WebUI




The summary shows you the new BGP policy, and from that point on your Security Gateway accepts routes sent via BGP from the Cisco router.

The routing tables now look like this:

firewall> show route bgp
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA)
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 58
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 58

firewall> show route all
Codes: C - Connected, S - Static, R - RIP, B - BGP,
O - OSPF IntraArea (IA - InterArea, E - External, N - NSSA),
A - Aggregate, K - Kernel Remnant, H - Hidden, P - Suppressed

S 0.0.0.0/0 via 192.168.100.100, eth1, cost 0, age 669
B 10.10.10.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 127.0.0.0/8 is directly connected, lo
B 192.168.100.0/24 via 192.168.100.100, eth1, cost 0, age 62
C 192.168.100.0/24 is directly connected, eth1
B 192.168.200.200/32 via 192.168.100.100, eth1, cost 0, age 62
C 200.200.200.0/24 is directly connected, Mgmt

The last thing I want to show you is some helpful options and buttons.

Under Advanced Routing -> Routing Options you will find trace options for routing.

Route Options on Check Point GAIA WebUI




I suggest you turn them on and increase the size of the trace files.

Route Options – Trace Options on Check Point GAIA WebUI




Don’t forget to apply the setting with the button on top of this page!

The last thing is how to restart the routing daemon. The button can be found at the bottom of the Route Options page.

Restart Routing Daemon on Check Point GAIA WebUI
