Configuring SecurePlatform Pro for BGP
Quantum Security Gateways, ClusterXL
R71, R75, R76, R77, R77.10, R77.20, R77.30
Important: Please ensure that you are familiar with routing protocols before using this quick guide.
The following procedure provides step-by-step guidance on how to configure BGP dynamic routing on SecurePlatform Pro:
Connect to command line on Security Gateway / each cluster member.
Log in to Expert mode.
Enter Router Mode by running the command router or cligated. Note: You can display all the available commands by typing <?> and pressing the "Enter" key.
Enter Privileged Execution mode by running the command enable. If this mode is password protected, you will be prompted for a password.
You can type show run to display the current configuration.
Enter Global Configuration Mode by running the command config terminal or config t.
RIP and OSPF are Internal Gateway Protocols. BGP is an External Gateway Protocol. The entire routing domain is divided into Autonomous Systems (AS). Each AS receives an AS Number (2 bytes). When BGP is configured, you must specify to which AS the router belongs.
Note: You can configure BGP and other routing protocols on the same interface, e.g. BGP and OSPF.
At the config prompt (config)#, enable BGP by running the command router bgp <AS Number>. You are now in Router Configuration mode. You must now configure the BGP protocol.
Note: The prompt changes to (config-[protocol_name])# in Router Configuration mode. When in this mode, the order of the commands run is not important. Changes are only performed on exiting the mode.
To exit the Router Configuration mode and return one mode back, i.e. to the Global Configuration mode, run the exit command. To exit the Router Configuration mode and return to the Main mode, run the end command.
Specify which networks will be advertised to other BGP peers, by using network <ipv4_address> mask <netmask>.
For example: network 172.23.11.0 mask 255.255.255.0
Note: There is an optional parameter, route-map, which may be used for fine tuning and filtering. The syntax is: network <ipv4_address> mask <netmask> route-map <route-map name>.
BGP operates in two modes:
EBGP (External BGP)
IBGP (Internal BGP)
In general, BGP operates in the EBGP mode, connecting routers in different ASs. Sometimes the administrator may define routers, located in the same AS, as neighbors, in order to simplify and unify topology and communication.
Neighbors are defined by running the neighbor command.
The syntax is either neighbor <ipv4_address> remote-as <AS Number> or neighbor <ipv4_address> local-as <AS Number>. Note: The local-as command syntax is valid only for external peers. The following example causes BGP to represent itself to the peer 22.214.171.124 as being in AS 100.
network <ipv4_address> mask <netmask> route-map <route-map name>. (In this syntax, direction is always out.)
Enter <?> to see optional commands (e.g. redistribute). The redistribute command inserts external routes into a current instance of the BGP protocol. You may want to redistribute direct or kernel routes into the BGP advertisements. The command syntax is: redistribute <protocol>
redistribute direct: Redistribute routes defined from sysconfig or SecurePlatform shell.
redistribute kernel: Redistribute routes defined by OS according to interface IPs.
Exit the Router Configuration mode and return one mode back, i.e. to the Global Configuration mode, by running the exit command.
After these values are entered, exit Router Configuration mode and then exit Global Configuration mode.
Once you return to the Privileged Execution mode, if you want these values to be saved through reboot or different gated sessions, you must store all the applied changes. Do so by running the command write memory.
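The whole procedure as one session, as an added example that is not part of the original guide. The AS numbers (65001, 65002), the addresses (documentation ranges) and the prompt strings are constructed for illustration; only the commands themselves come from the steps above. Lines starting with `--` are annotations and are not typed.

```text
-- Constructed session: AS numbers, addresses and prompt strings are illustrative.
-- From Expert mode, enter Router Mode, then Privileged Execution mode.
[Expert@gw]# router
gw>enable
-- Review the current configuration before changing it.
gw#show run
-- Enter Global Configuration mode, then Router Configuration mode for BGP.
gw#config terminal
gw(config)#router bgp 65001
-- Advertise one network, define one external peer, redistribute direct routes.
-- Order does not matter here; changes are applied on leaving this mode.
gw(config-bgp)#network 192.0.2.0 mask 255.255.255.0
gw(config-bgp)#neighbor 198.51.100.2 remote-as 65002
gw(config-bgp)#redistribute direct
-- Back to Global Configuration mode, then to Privileged Execution mode.
gw(config-bgp)#exit
gw(config)#exit
-- Confirm the applied configuration, then persist it across reboots.
gw#show run
gw#write memory
```

Running show run both before and after the change gives a simple record of exactly which networks and neighbors were added, which is worth keeping because every network statement and redistribute line widens what the gateway announces to its peers.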