BGP Behavior During ClusterXL Failover

When Border Gateway Protocol (BGP) is configured on a Check Point cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., the cluster members establish the BGP session using the Cluster Virtual IP (VIP) addresses on the cluster interfaces. The Active and Standby cluster members learn, import, and synchronize BGP routes.

During a cluster failover, the BGP session drops when the Standby cluster member Security Gateway that is part of a cluster. takes over the Cluster VIP addresses. As described in RFC 4271, this triggers the deletion of all BGP routes learned from a BGP peer, from both the Active and Standby cluster members. The new Active cluster member re-learns the BGP routes after it re-establishes the BGP sessions.

A service interruption occurs because BGP negotiations usually take 10-60 seconds to complete.

Required Configuration

To prevent BGP interruption during a cluster failover, you must enable the Graceful Restart in the BGP configuration on each cluster member and on the BGP peers.

Graceful Restart is a mechanism which keeps deleted BGP routes in the routing table as kernel routes until a timer expires (default is 360 seconds). For more information about Graceful Restart, see:

• Configuring BGP Miscellaneous Settings in Gaia Portal

• Configuring BGP Remote Peers in Gaia Clish

To enable Graceful Restart, enter these Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell). commands on each cluster member:

1. set bgp external remote-as <AS Number> peer <IP Address> graceful-restart on

2. save config

Important: You must create a matching configuration on the BGP peers of the Check Point cluster. Check Point strongly recommends to fully test this configuration to make sure it works properly. The Graceful Restart process is initiated for all BGP peers during a cluster failover and concludes upon receiving an end-of-RIB (Routing Information Base) from each BGP peer. To ensure proper configuration of Graceful Restart, it is essential to enable it for all BGP peers and also confirm that the Graceful Restart Helper is configured on all remote BGP peers. Incomplete configuration, where the Graceful Restart Helper is set up on some but not all BGP peers, will result in the Graceful Restart process not functioning as intended, potentially leading to BGP service outages.

Additional Configuration

You can use Continuous Built-In Test (cBIT) detection with the Graceful Restart. See RFC-5882 > section-3.1.

If you use IP Reachability Detection, then you must enable the BGP control plane detection failure.

For Graceful Restart to work with BFD without an outage, the Graceful Restart Helper must have the "cBit" detection and the cBit value must be set to 0 (depends on the control plane) by the cluster.

Configure the BGP peers to use Bidirectional Forwarding Detection (BFD) with cBIT detection:

The Standby cluster member keeps learned routes in its routing table. This way, there is no traffic interruption when the BGP session is re-established.

To configure the cBIT Detection, enter these Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish commands on each cluster member:

1. set bgp external remote-as <AS Number> peer <IP Address> ip-reachability-detection on

2. set bgp external remote-as <AS Number> peer <IP Address> ip-reachability-detection check-control-plane-failure on

3. save config

Important - You must create a matching configuration on the BGP peers of the Check Point cluster. Check Point strongly recommends to fully test this configuration to make sure it works properly. Some BGP peer routers can support BFD but not include cBIT detection in BGP. Refer to the relevant vendor's documentation.