How to allow Dynamic Routing protocols traffic (OSPF, BGP, PIM, RIP, IGRP) through Check Point Security Gateway
Solution

This article provides a general action plan for allowing Dynamic Routing protocol traffic to pass through a Check Point Security Gateway.

For more details about Dynamic Routing protocols, refer to the Advanced Routing Administration Guide for your OS and to the relevant RFCs available on the Internet:

OS Guides:
  • SecurePlatform
  • Gaia

After performing the necessary configuration steps in SmartDashboard, install the policy onto the relevant Security Gateways.

List of protocols:

  1. Allowing OSPF
  2. Allowing BGP
  3. Allowing PIM
  4. Allowing RIP (v1, v2)
  5. Allowing IGRP

 

(1) Allowing OSPF


The OSPF rule looks like this. The Destination column contains the OSPF routers themselves (OSPF also sends packets unicast, for example on virtual links and on non-broadcast networks) together with the multicast addresses 224.0.0.5 (All OSPF Routers) and 224.0.0.6 (All Designated Routers). The 'igmp' service is included so that IGMP membership queries and reports for these multicast groups are accepted as well.

  1. Create a Host object that will represent 224.0.0.1 (All Systems on this Subnet, the destination of IGMP membership queries) and call it, for example, 'ALLSYSTEMS.MCAST.NET'.
  2. Create a Host object that will represent 224.0.0.5 (All OSPF Routers) and call it, for example, 'OSPF-ALL.MCAST.NET'.
  3. Create a Host object that will represent 224.0.0.6 (All Designated Routers) and call it, for example, 'OSPF-DSIG.MCAST.NET'.
  4. Add the following rule (a single rule; the Source, Destination and Service cells each list several objects):

Source                     | Destination                        | Service | Action | Install On
---------------------------|------------------------------------|---------|--------|---------------------------
OSPF Routers               | 'ALLSYSTEMS.MCAST.NET' (224.0.0.1) | ospf    | Accept | Relevant Security Gateways
Relevant Security Gateways | 'OSPF-ALL.MCAST.NET' (224.0.0.5)   | igmp    |        |
                           | 'OSPF-DSIG.MCAST.NET' (224.0.0.6)  |         |        |
                           | OSPF Routers                       |         |        |
                           | Relevant Security Gateways         |         |        |

(2) Allowing BGP

BGP runs over TCP port 179. One TCP connection is opened for each BGP peer, and either end of a peering may initiate it, so each peer must be allowed to open a connection to the Security Gateway and the Security Gateway must be allowed to open one to the peer. Group the BGP peers together and allow them as a group with the following rule; BGP Peers and the Security Gateways appear in both the Source and the Destination columns for this reason:

Source                     | Destination                | Service | Action | Install On
---------------------------|----------------------------|---------|--------|---------------------------
BGP Peers                  | BGP Peers                  | bgp     | Accept | Relevant Security Gateways
Relevant Security Gateways | Relevant Security Gateways |         |        |


(3) Allowing PIM


To allow Sparse Mode PIM traffic or Dense Mode PIM traffic:

  1. Create a Host object that will represent 224.0.0.13 (ALL-PIM-ROUTERS, used by PIM v2) and call it, for example, 'PIM.MCAST.NET'.
  2. Create a custom service in SmartDashboard → tab 'Services' → 'Other' → right mouse click → 'New Other...':
    • under 'Name:' type, for example, 'PIM_service'
    • under 'IP Protocol:' type 103 (Note: this is the IP protocol number assigned to PIM)

Then create the following rule at the very top of the rulebase:

Source                     | Destination                  | Service     | Action | Install On
---------------------------|------------------------------|-------------|--------|---------------------------
Relevant Security Gateways | 'PIM.MCAST.NET' (224.0.0.13) | PIM_service | Accept | Relevant Security Gateways
                           |                              | igmp        |        |

Note that the Source column of this rule lists only the Security Gateways. If neighboring PIM routers must send PIM messages to 224.0.0.13 through the Security Gateway, add those routers to the Source column as well; otherwise their PIM traffic falls through to the cleanup rule.


(4) Allowing RIP (v1, v2)


(4-A) RIP version 1

RIPv1 runs over UDP port 520. It sends and receives all messages on this port, and it sends its updates to the broadcast address of the attached network. To enable RIPv1, add one rule per neighbor that allows it to send to UDP port 520 at the broadcast address of the network it shares with the Security Gateway:

Source     | Destination                 | Service | Action | Install On
-----------|-----------------------------|---------|--------|---------------------------
Neighbor_1 | Network_1_Broadcast_Address | rip     | Accept | Relevant Security Gateways
Neighbor_2 | Network_2_Broadcast_Address | rip     | Accept | Relevant Security Gateways
Neighbor_3 | Network_3_Broadcast_Address | rip     | Accept | Relevant Security Gateways


(4-B) RIP version 2

RIPv2 can use either the RIPv1 broadcast transport (in which case the RIPv1 rules above apply) or multicast transport to 224.0.0.9 (RIP2-ROUTERS). To enable RIPv2 in multicast mode, create a Host object that will represent 224.0.0.9 and call it, for example, 'RIP2-ROUTERS.MCAST.NET', then add the following rule:

Source    | Destination                          | Service | Action | Install On
----------|--------------------------------------|---------|--------|---------------------------
Neighbors | 'RIP2-ROUTERS.MCAST.NET' (224.0.0.9) | rip     | Accept | Relevant Security Gateways


(5) Allowing IGRP

IGRP runs directly on top of IP with protocol number 9. Define a group of the neighbor routers that participate in IGRP routing and allow IGRP traffic from them to the relevant Security Gateways:

Source    | Destination                | Service | Action | Install On
----------|----------------------------|---------|--------|---------------------------
Neighbors | Relevant Security Gateways | igrp    | Accept | Relevant Security Gateways
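The five rules above (OSPF, BGP, PIM, RIPv1/RIPv2 and IGRP) can be sanity-checked offline before the policy is installed. The following Python script is an added example, not code from this article or from Check Point: it models the rulebase with Security Gateway first-match semantics (anything unmatched falls to the implicit cleanup drop), maps each service object to the IP protocol number or port it stands for, and evaluates constructed packets, including cases that must be dropped. The addresses, group memberships and rule names are assumptions for a lab topology.

```python
"""Added example (not from the Check Point article): model the article's five
routing rules as a first-match rulebase and evaluate constructed packets.
Topology, addresses and rule names are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers / ports behind the predefined service objects used in
# the article ("ospf", "igmp", "bgp", "rip", "igrp") and the custom PIM_service.
SERVICES = {
    "ospf": (89, None),         # OSPF is IP protocol 89
    "igmp": (2, None),          # IGMP is IP protocol 2
    "bgp": (6, 179),            # TCP port 179
    "rip": (17, 520),           # UDP port 520 (RIPv1 and RIPv2)
    "igrp": (9, None),          # IGRP is IP protocol 9
    "PIM_service": (103, None), # custom 'Other' service, IP protocol 103
}

# Assumed lab topology (hypothetical addresses)
GATEWAYS = {"10.0.0.1", "198.51.100.1"}           # the gateway's own interfaces
OSPF_ROUTERS = {"10.0.0.2", "10.0.0.3"}
BGP_PEERS = {"198.51.100.2"}
RIP_NEIGHBORS = {"10.0.1.2": "10.0.1.255",        # neighbor -> its network's broadcast
                 "10.0.2.2": "10.0.2.255"}
IGRP_NEIGHBORS = {"10.0.3.2"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                  # IP protocol number
    dport: Optional[int] = None # TCP/UDP destination port, if any


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset
    destinations: frozenset
    services: frozenset
    action: str = "accept"

    def matches(self, pkt: Packet) -> bool:
        """Source, destination and at least one service must all match."""
        if pkt.src not in self.sources or pkt.dst not in self.destinations:
            return False
        return any(pkt.proto == proto and (port is None or pkt.dport == port)
                   for proto, port in (SERVICES[s] for s in self.services))


def build_rulebase():
    """The article's rules in the order it prescribes: PIM at the very top."""
    rules = [
        Rule("Allow PIM", frozenset(GATEWAYS), frozenset({"224.0.0.13"}),
             frozenset({"PIM_service", "igmp"})),
        Rule("Allow OSPF", frozenset(OSPF_ROUTERS | GATEWAYS),
             frozenset({"224.0.0.1", "224.0.0.5", "224.0.0.6"} | OSPF_ROUTERS | GATEWAYS),
             frozenset({"ospf", "igmp"})),
        Rule("Allow BGP", frozenset(BGP_PEERS | GATEWAYS),
             frozenset(BGP_PEERS | GATEWAYS), frozenset({"bgp"})),
    ]
    # RIPv1: one row per neighbor, each paired with its own network's broadcast
    for neighbor, bcast in RIP_NEIGHBORS.items():
        rules.append(Rule(f"Allow RIPv1 {neighbor}", frozenset({neighbor}),
                          frozenset({bcast}), frozenset({"rip"})))
    rules.append(Rule("Allow RIPv2", frozenset(RIP_NEIGHBORS),
                      frozenset({"224.0.0.9"}), frozenset({"rip"})))
    rules.append(Rule("Allow IGRP", frozenset(IGRP_NEIGHBORS),
                      frozenset(GATEWAYS), frozenset({"igrp"})))
    return rules


def evaluate(rulebase, pkt: Packet):
    """First matching rule decides; no match hits the implicit cleanup drop."""
    for rule in rulebase:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "cleanup"


# Constructed packets (not captures) covering each protocol plus failure cases
SAMPLE_PACKETS = {
    "ospf_hello":        Packet("10.0.0.2", "224.0.0.5", 89),
    "ospf_to_dr":        Packet("10.0.0.2", "224.0.0.6", 89),
    "ospf_unicast":      Packet("10.0.0.3", "10.0.0.1", 89),     # e.g. virtual link
    "igmp_query":        Packet("10.0.0.1", "224.0.0.1", 2),
    "bgp_open":          Packet("198.51.100.2", "198.51.100.1", 6, 179),
    "bgp_unknown_peer":  Packet("203.0.113.9", "198.51.100.1", 6, 179),
    "pim_from_gw":       Packet("10.0.0.1", "224.0.0.13", 103),
    "pim_from_neighbor": Packet("10.0.0.2", "224.0.0.13", 103),  # not in Source
    "ripv1_bcast":       Packet("10.0.1.2", "10.0.1.255", 17, 520),
    "ripv1_wrong_net":   Packet("10.0.1.2", "10.0.2.255", 17, 520),
    "ripv2_mcast":       Packet("10.0.2.2", "224.0.0.9", 17, 520),
    "igrp":              Packet("10.0.3.2", "10.0.0.1", 9),
    "ssh_to_gateway":    Packet("10.0.0.2", "10.0.0.1", 6, 22),
}


def check_all():
    """Return {packet name: (action, matching rule)} for every sample packet."""
    rulebase = build_rulebase()
    return {name: evaluate(rulebase, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, rule) in check_all().items():
        print(f"{name:18} {action:6} ({rule})")
```

Two of the dropped cases are the ones worth checking on a real policy: a RIPv1 neighbor sending to another network's broadcast address misses its own row, and a PIM Hello from a neighbor router is dropped because the PIM rule, as printed above, lists only the Security Gateways in its Source column.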
Imported from Nokia support database
