This article provides a general action plan for allowing the Dynamic Protocols traffic to pass through Security Gateway.

For more details about Dynamic Routing protocols, refer to these Advanced Routing Administration Guides and to the relevant documents (RFC) available on the Internet:

After performing the necessary configuration steps in SmartDashboard, install the policy onto the relevant Security Gateways.

List of protocols:

1. Allowing OSPF
2. Allowing BGP
3. Allowing PIM
4. Allowing RIP (v1, v2)
5. Allowing IGRP

(1) Allowing OSPF

Related Solutions:

• sk32614 - Configuring SecurePlatform Pro for OSPF
• sk41311 - How to Configure OSPF on a IP Series Appliance
• sk36969 - How to configure OSPF on Security Gateway & UTM-1 Edge VTI environment
• sk32568 - How to increase OSPF adjacency membership on SecurePlatform Pro
• sk33013 - How to integrate RIM and OSPF on the SecurePlatform Pro VPN-1 Gateway
• sk42974 - How to manually add route on SecurePlatform to override OSPF route
• sk41393 - How to Troubleshoot OSPF Problems
• sk60860 - How to debug OSPF and GateD daemon on SecurePlatform Pro
• sk84520 - How to debug OSPF and RouteD daemon on Gaia
• sk55100 - How to configure and troubleshoot Dynamic Routing on VSX running on SecurePlatform Pro

OSPF rule would look like this - the Destination address will always be the OSPF routers themselves, as well as the multicast addresses of 224.0.0.5 (All OSPF Routers) and 224.0.0.6 (All Designated Routers).

1. Create a Host object that will represent 224.0.0.1 (All OSPF Hosts) and call it, for example 'ALLSYSTEMS.MCAST.NET'.
2. Create a Host object that will represent 224.0.0.5 (All OSPF Routers) and call it, for example 'OSPF-ALL.MCAST.NET'.
3. Create a Host object that will represent 224.0.0.6 (All Designated Routers) and call it, for example 'OSPF-DSIG.MCAST.NET'.

(2) Allowing BGP

Related Solutions:

• sk32615 - Configuring SecurePlatform Pro for BGP
• sk40689 - How to enable TCP MD5 Authentication for BGP Routing
• sk60861 - How to debug BGP and GateD daemon on SecurePlatform Pro
• sk55100 - How to configure and troubleshoot Dynamic Routing on VSX running on SecurePlatform Pro

BGP runs over TCP port 179. One TCP connection is opened for each BGP peer. Each peer must be allowed to send BGP messages over its connection to the Security Gateway. BGP peers should also be grouped together to allow them as a group with the following rule:

(3) Allowing PIM

Related Solutions:

• sk40632 - Multicast Routing Protocol FAQ
• sk32702 - Configuring PIM and IGMP Multicast Protocols
• sk38824 - Staging a very simple IP Multicast (PIM-SSM) lab
• sk62020 - How to configure Protocol Independent Multicast - Sparse-Mode (PIM-SM) on VSX
• sk55100 - How to configure and troubleshoot Dynamic Routing on VSX running on SecurePlatform Pro

To allow Sparse Mode PIM Traffic or Dense Mode PIM Traffic:

1. Create a Host object that will represent 224.0.0.13 (PIM v2) and call it, for example 'PIM.MCAST.NET'.
2. Create a custom service in SmartDashboard → tab 'Services' → '?? Other' → right mouse click → 'New Other...':
   
   • under 'Name:' type, for example 'PIM_service'
   • under 'IP Protocol:' type 103 (Note: this is the number assigned to PIM protocol)

Then create the following rule at the very top of the rulebase:

(4) Allowing RIP (v1, v2)

Related Solutions:

• sk32024 - Configuring SecurePlatform Pro for Routing Information Protocol
• sk55100 - How to configure and troubleshoot Dynamic Routing on VSX running on SecurePlatform Pro

(4-A) RIP version 1

RIPv1 runs over UDP port 520. It sends and receives all messages on this port. All messages are sent to the local broadcast address. To enable RIPv1, add a rule to allow all Security Gateway's neighbors to send messages to UDP port 520 on the local broadcast network.

(4-B) RIP version 2

RIPv2 can use either the RIPv1 broadcast transport mechanism, or a multicast transport - 224.0.0.9 (RIP v2). To enable RIPv2 in multicast mode, create a Host object that will represent 224.0.0.9 and call it, for example 'RIP2-ROUTERS.MCAST.NET'.

(5) Allowing IGRP

IGRP runs on top of IP - IGRP has protocol number 9 assigned to it. Define a group of neighbor routers that participate in IGRP routing, and allow the IGRP traffic on the relevant Security Gateways: