How to allow Dynamic Routing protocols traffic (OSPF, BGP, PIM, RIP, IGRP) through Check Point Security Gateway

Support Center > Search Results > SecureKnowledge Details

Solution ID	sk39960
Product	Security Gateway, Cluster - 3rd party, ClusterXL, VSX
Version	All
OS	SecurePlatform, SecurePlatform 2.6, Gaia, IPSO 6.2
Platform / Model	All
Date Created	14-Apr-2009
Last Modified	05-Sep-2019

Solution

This article provides a general action plan for allowing the Dynamic Protocols traffic to pass through Security Gateway.

For more details about Dynamic Routing protocols, refer to these Advanced Routing Administration Guides and to the relevant documents (RFC) available on the Internet:

OS	Guides
SecurePlatform	R70 SecurePlatform / SecurePlatform Pro Administration Guide R70 SecurePlatform Pro & Advanced Routing Command Line Interface Administration Guide R71 Advanced Routing Suite CLI Reference Guide R75 Advanced Routing Suite CLI Reference Guide R75.20 Advanced Routing Suite CLI Reference Guide R75.40 Advanced Routing Suite CLI Reference Guide R75.40VS SecurePlatform Advanced Routing Suite CLI Reference Guide R76 SecurePlatform Advanced Routing Suite CLI Reference Guide R77 SecurePlatform Advanced Routing Suite CLI Reference Guide
Gaia	R75.40 Gaia Advanced Routing Administration Guide R75.40VS Gaia Advanced Routing Administration Guide R76 Gaia Advanced Routing Administration Guide R77 Gaia Advanced Routing Administration Guide R80.10 Gaia Advanced Routing Administration Guide R80.20 Gaia Advanced Routing Administration Guide R80.30 Gaia Advanced Routing Administration Guide

After performing the necessary configuration steps in SmartDashboard, install the policy onto the relevant Security Gateways.

List of protocols:

Allowing OSPF
Allowing BGP
Allowing PIM
Allowing RIP (v1, v2)
Allowing IGRP

(1) Allowing OSPF

Related Solutions:

OSPF rule would look like this - the Destination address will always be the OSPF routers themselves, as well as the multicast addresses of 224.0.0.5 (All OSPF Routers) and 224.0.0.6 (All Designated Routers).

Create a Host object that will represent 224.0.0.1 (All OSPF Hosts) and call it, for example 'ALLSYSTEMS.MCAST.NET'.
Create a Host object that will represent 224.0.0.5 (All OSPF Routers) and call it, for example 'OSPF-ALL.MCAST.NET'.
Create a Host object that will represent 224.0.0.6 (All Designated Routers) and call it, for example 'OSPF-DSIG.MCAST.NET'.

Source	Destination	Service	Action	Install On
OSPF Routers Relevant Security Gateways	'`ALLSYSTEMS.MCAST.NET`' (224.0.0.1) '`OSPF-ALL.MCAST.NET`' (224.0.0.5) '`OSPF-DSIG.MCAST.NET`' (224.0.0.6) OSPF Routers Relevant Security Gateways	`ospf` `igmp`	`Accept`	Relevant Security Gateways

(2) Allowing BGP

Related Solutions:

BGP runs over TCP port 179. One TCP connection is opened for each BGP peer. Each peer must be allowed to send BGP messages over its connection to the Security Gateway. BGP peers should also be grouped together to allow them as a group with the following rule:

Source	Destination	Service	Action	Install On
BGP Peers Relevant Security Gateways	BGP Peers Relevant Security Gateways	`bgp`	`Accept`	Relevant Security Gateways

(3) Allowing PIM

Related Solutions:

To allow Sparse Mode PIM Traffic or Dense Mode PIM Traffic:

Create a Host object that will represent 224.0.0.13 (PIM v2) and call it, for example 'PIM.MCAST.NET'.
Create a custom service in SmartDashboard → tab 'Services' → '?? Other' → right mouse click → 'New Other...':
- under 'Name:' type, for example 'PIM_service'
- under 'IP Protocol:' type 103 (Note: this is the number assigned to PIM protocol)

Then create the following rule at the very top of the rulebase:

Source	Destination	Service	Action	Install On
Relevant Security Gateways	'`PIM.MCAST.NET`' (224.0.0.13)	`PIM_service` `igmp`	`Accept`	Relevant Security Gateways

(4) Allowing RIP (v1, v2)

Related Solutions:

(4-A) RIP version 1

RIPv1 runs over UDP port 520. It sends and receives all messages on this port. All messages are sent to the local broadcast address. To enable RIPv1, add a rule to allow all Security Gateway's neighbors to send messages to UDP port 520 on the local broadcast network.

Source	Destination	Service	Action	Install On
Neighbor_1	Network_1_Broadcast_Address	`rip`	`Accept`	Relevant Security Gateways
Neighbor_2	Network_2_Broadcast_Address	`rip`	`Accept`	Relevant Security Gateways
Neighbor_3	Network_3_Broadcast_Address	`rip`	`Accept`	Relevant Security Gateways

(4-B) RIP version 2

RIPv2 can use either the RIPv1 broadcast transport mechanism, or a multicast transport - 224.0.0.9 (RIP v2). To enable RIPv2 in multicast mode, create a Host object that will represent 224.0.0.9 and call it, for example 'RIP2-ROUTERS.MCAST.NET'.

Source	Destination	Service	Action	Install On
Neighbors	'`RIP2-ROUTERS.MCAST.NET`' (224.0.0.9)	`rip`	`Accept`	Relevant Security Gateways

(5) Allowing IGRP

IGRP runs on top of IP - IGRP has protocol number 9 assigned to it. Define a group of neighbor routers that participate in IGRP routing, and allow the IGRP traffic on the relevant Security Gateways:

Source	Destination	Service	Action	Install On
Neighbors	Relevant Security Gateways	`igrp`	`Accept`	Relevant Security Gateways

Imported from Nokia support database

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating