Configuring BGP Remote Peers in Gaia Clish

Gaia supports IPv4 and IPv6 addresses for BGP peers.

Use these commands to configure BGP peers.

Syntax

set bgp external remote-as <Number of Autonomous System> peer <IP Address>

      {off | on}

      accept-med {off | on}

      accept-routes {all | none}

      allowas-in-count {<0-10> | default}

      as-override {off | on}

      authtype {none | md5 secret <Secret>}

      capability {default | ipv4-unicast | ipv6-unicast} {off | on}

      graceful-restart-helper {off | on}

      graceful-restart-helper-stalepath-time <Number of Seconds>

      holdtime {<6-65535> | default}

      ignore-first-ashop {off | on}

      ip-reachability-detection

            check-control-plane-failure {off | on}

            multihop {off | on}

            {off | on}

      keepalive {<2-21845> | default}

      log-state-transitions {off | on}

      log-warnings {off | on}

      med-out {<0-4294967294> | default}

      multihop {off | on}

      no-aggregator-id {off | on}

      outgoing-interface <Name of Interface> {off | on}

      passive-tcp {off | on}

      peer-local-as

            dual peering {off | on}

            inbound-peer-local {off | on}

            outbound-local {off | on}

      peer-local-as as {{<1-4294967295> | <0.1-65535.65535>} on | off}

      removeprivateas {off | on}

      route-refresh {off | on}

      send-keepalives {off | on}

      send-route-refresh {request | route-update} {ipv4 | ipv6 | all} [unicast]

      suppress-default-originate {off | on}

      throttle-count {<0-65535> | off}

      trace bgp_traceoption {off | on}

      ttl {<1-255> | default}

Parameters


peer <IP Address> {off | on}

The IP address of the specified peer in this group. "on" enables the peer, "off" disables it.

med-out {<0-4294967294> | default}

The Multi-Exit Discriminator (MED) metric used as the primary metric on all routes sent to the specified peer address.

This metric overrides the default metric or a metric specified by the redistribute policy.

External peers use MED values to know which of the available entry points into an autonomous system is preferred.

A lower MED value is preferred over a higher MED value.

Range: 0-4294967294

Default: 4294967294

outgoing-interface <Name of Interface> {off | on}

Applies only to an IPv6 peer whose local address starts with FE80:.

All peer interfaces have a link-local address and a global address.

All the peer interfaces can have the same link-local address, which starts with FE80:.

To use the link-local address as the peer address, you must enter the outgoing interface through which that address is reached.

accept-med {off | on}

Accept MED from the specified peer address.

If you do not set this option, the MED is stripped from the advertisement before the update is added to the routing table.

Default: off

multihop {off | on}

Enable multihop connections with external BGP (eBGP) peers that are not directly connected.

By default, external BGP peers are expected to be directly connected.

For a multihop session, you configure the number of hops to the eBGP peer with the Time to Live (TTL) parameter.

This option can also be used to set up peers for eBGP load balancing.

Default: off

peer-local-as as {{<1-4294967295> | <0.1-65535.65535>} on | off}

Configures the connection to a remote peer with a Peer Local ASN, on a per-peer basis.

The Peer Local ASN replaces the Local ASN in the BGP session.

Range: 1 - 4294967295, or 0.1 - 65535.65535

Default: none

peer-local-as {inbound-peer-local | outbound-local | dual peering} {off | on}

Configures a peer-specific Local AS number different to the system-wide Local AS number.

  • "inbound-peer-local" - Prepend Peer Local AS on inbound updates from peer. Default: on.

  • "outbound-local" - Prepend Local AS on outbound updates to peer. Default: on.

  • "dual-peering" - Allow peering from Local AS and Peer Local AS. Default: off.

as-override {off | on}

As a rule, to prevent loops in BGP, routers examine the AS number in the AS Path.

If a router sees its own AS number in the AS Path of the BGP packet, it drops the packet.

This feature lets the router at the sending end override the peer's AS number with the router's AS number in the outbound AS path.

This helps multiple sites in the same AS accept the routes.

If the Peer Local AS feature is enabled, the router uses the configured Peer Local AS to override the remote peer's AS number.

Default: off

allowas-in-count {<0-10> | default}

This feature lets the router at the receiving end override the peer's AS number with the router's AS number in the inbound AS path.

This is an inbound property whereas as-override is an outbound property.

Range: 0-10

Default: 0

ttl {<1-255> | default}

Use the TTL (Time to Live) parameter to limit the number of hops over which the External BGP (eBGP) multihop session is created.

You can configure the TTL only if eBGP multihop is enabled.

When multihop is disabled the default TTL is 1.

Range: 1-255

Default: 64

no-aggregator-id {off | on}

Sets the router's aggregator attribute to zero (rather than to the router ID value).

This option prevents the creation of aggregate routes with different AS paths by different routers in an AS.

Default: off

holdtime {<6-65535> | default}

The BGP holdtime interval, in seconds, during the negotiation of a connection with the specified peer.

If the BGP speaker does not receive a keepalive update or notification message from its peer within the period specified in the holdtime field of the BGP open message, the BGP connection is closed.

Range: 6-65535

Default: 180

keepalive {<2-21845> | default}

The keepalive option is an alternative way to enter a holdtime value in seconds during the negotiation of a connection with the specified peer.

You can use the keepalive interval instead of the holdtime interval.

You can also use both intervals, but the holdtime value must be 3 times the keepalive interval value.

Range: 2-21845

Default: 60
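The following Gaia Clish session is an added example and is not part of the Check Point documentation. It configures one eBGP peer two hops away using the multihop, ttl, keepalive and holdtime parameters described above, with the timers chosen so that holdtime is exactly 3 times keepalive. The AS numbers (64496 local, 64500 remote, both from the documentation range), the peer address 192.0.2.1 and the hop count are constructed values; replace them with your own. The lines beginning with "#" are explanatory and are not typed into Clish.

```clish
# Added example; AS 64500 and 192.0.2.1 are constructed documentation values
set bgp external remote-as 64500 peer 192.0.2.1 on
# multihop must be on before a ttl other than 1 is meaningful; ttl is the hop count to the peer
set bgp external remote-as 64500 peer 192.0.2.1 multihop on
set bgp external remote-as 64500 peer 192.0.2.1 ttl 2
# keepalive 30 s and holdtime 90 s: holdtime is 3 x keepalive, as the page requires when both are set
set bgp external remote-as 64500 peer 192.0.2.1 keepalive 30
set bgp external remote-as 64500 peer 192.0.2.1 holdtime 90
# confirm the session reaches the Established state; use log-state-transitions to record flaps
set bgp external remote-as 64500 peer 192.0.2.1 log-state-transitions on
```

Setting ttl to the exact hop count rather than a large value limits how far away a host can be and still open the TCP session, which is the same reasoning behind the default of 1 when multihop is off.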

ignore-first-ashop {off | on}

Ignore the first AS number in the AS path for routes learned from the corresponding peer.

Set this option only if you peer with a route server in transparent mode.

In transparent mode, the route server redistributes routes from multiple other autonomous systems and does not prepend its own ASN.

Default: off

send-keepalives {off | on}

The router always sends keepalive messages even when an update message is sufficient.

This option lets the router interoperate with other routers that do not strictly follow protocol specifications regarding updates.

Default: none

send-route-refresh {request | route-update} {ipv4 | ipv6 | all} [unicast]

The router dynamically requests BGP route updates from peers or responds to requests for BGP route updates.

This setting is not supported for iBGP.

Default: none

route-refresh {off | on}

Re-learns routes previously sent by the BGP peer or refreshes the routing table of the peer.

The peer responds to the message with the current routing table.

Similarly, if a peer sends a route refresh request the current routing table is re-sent.

A user can also trigger a route update and not wait for a route refresh request from the peer.

Default: off

accept-routes {all | none}

Sets the inbound BGP route policy for this peer if one is not already configured.

  • "all" - Accepts routes and installs them with an invalid preference.

    Depending on the local inbound route policy, these routes are then made active or inactive.

  • "none" - Deletes routes learned from a peer.

    This option saves memory overhead when many routes are rejected because there is no inbound policy.

Default: all

passive-tcp {off | on}

The router waits for the specified peer to issue an open message.

The router does not initiate TCP connections.

Default: off

removeprivateas {off | on}

Remove private AS numbers from BGP update messages to external peers.

Default: off

authtype {none | md5 secret <Secret>}

Configure authentication policy for this peer.

  • "none" - Does not use an authentication scheme between peers.

    If you use an authentication scheme, routing information is accepted only from trusted peers.

  • "md5" - Uses MD5 authentication between peers.

    In general, peers must agree on the authentication configuration to and from peer adjacencies.

    If you use an authentication scheme, routing information is accepted only from trusted peers.

Default: none
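The following Gaia Clish session is an added example, not text from the Check Point documentation. It combines the authtype, accept-routes, removeprivateas and logging parameters described above into a peer definition that accepts routing information only from an MD5-authenticated peer and drops all learned routes until an inbound policy exists. AS 64500, the address 192.0.2.1 and the secret placeholder are constructed values; choose a strong secret of your own and never reuse it across peers. Lines beginning with "#" are explanatory and are not Clish input.

```clish
# Added example; AS 64500 and 192.0.2.1 are constructed documentation values
set bgp external remote-as 64500 peer 192.0.2.1 on
# MD5 authentication: the same secret must be configured on the peer, otherwise the session never opens
set bgp external remote-as 64500 peer 192.0.2.1 authtype md5 secret REPLACE-WITH-YOUR-SECRET
# "none" deletes every route learned from this peer until an inbound route policy is configured
set bgp external remote-as 64500 peer 192.0.2.1 accept-routes none
# do not leak private AS numbers to the external peer
set bgp external remote-as 64500 peer 192.0.2.1 removeprivateas on
# ignore any MED the peer sends (off is the default; stated explicitly for clarity)
set bgp external remote-as 64500 peer 192.0.2.1 accept-med off
# log state changes and warnings so session resets and malformed updates are visible in /var/log/routed.log.*
set bgp external remote-as 64500 peer 192.0.2.1 log-state-transitions on
set bgp external remote-as 64500 peer 192.0.2.1 log-warnings on
```

Leaving accept-routes at "none" until the inbound policy is in place means a misconfigured or hijacked peer cannot populate the routing table during the window between session establishment and policy deployment.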

throttle-count {<0-65535> | off}

The number of BGP updates to send at one time.

This option limits the number of BGP updates when there are many BGP peers.

Value "off" disables the throttle count option.

Range: 0-65535

Default: none

suppress-default-originate {off | on}

Do NOT generate a default route when the peer receives a valid update from its peer.

Default: none

log-state-transitions {off | on}

The router generates a log message when a peer enters or leaves the established state.

Default: off

log-warnings {off | on}

The router generates a log message when there is a warning scenario in the codepath.

Default: off

trace bgp_traceoption {off | on}

Tracing options for the BGP implementation.

Log messages are saved in the /var/log/routed.log.* files.

See Trace Options.

Default: off

capability {default | ipv4-unicast | ipv6-unicast} {off | on}

On each peer, configure the type of routes (Multiprotocol capability) to interchange between peers.

Select one of these:

  • IPv4 Unicast Only. Default: on.

  • IPv6 Unicast Only. Default: off.

  • Both IPv4 and IPv6. Default: off.

To create peering, the routers must share a capability.

graceful-restart-helper {off | on}

Sets the Check Point system to maintain the forwarding state advertised by peer routers even when they restart.

This minimizes the negative effects caused by the restart of peer routers.

Default: off

graceful-restart-helper-stalepath-time <Number of Seconds>

The maximum number of seconds that routes previously received from a restarting router are kept so that they can be validated again.

The timer starts after the peer sends an indication that it recovered.

Range: 60-65535

Default: 360

ip-reachability-detection {off | on | multihop | check-control-plane-failure}

Configure Bidirectional Forwarding Detection (BFD) on each Security Gateway and cluster member that sends or receives BFD packets.

  • "off" - Stale routes are purged when the peer goes down. This is the default state.

  • "on" - Sets the peer to singlehop BFD. Singlehop BFD is for a peer that is one hop away.

    The peer must be on a directly connected network.

    Make sure the Firewall policy allows UDP port 3784 in both directions.

  • "multihop" - For a peer that is one or more hops away.

    Make sure the Firewall policy allows UDP port 4784 in both directions.

    The configuration on both BFD peers must be the same (both configured as multihop or both as singlehop).

  • "check-control-plane-failure" - Interprets the control plane independent flag (the C bit) received from the remote BFD peer.

    When these two conditions are met at the same time, the gateway keeps stale routes and does not purge them, for graceful restart purposes:

    1. The C-bit received from the peer is zero.

    2. BGP graceful restart is enabled.

Default: off

Make sure the SmartConsole topology is correct (issues with incorrect Firewall topology can cause Anti-Spoofing to interfere with BFD traffic).
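The following Gaia Clish session is an added example and is not part of the Check Point documentation. It configures a directly connected IPv6 peer reached by its link-local address, which requires the outgoing-interface parameter, enables IPv6 unicast capability, singlehop BFD and the graceful-restart helper described above. AS 64500, the link-local address fe80::1 and the interface name eth1 are constructed values; the UDP port 3784 that the Firewall policy must allow is the one the page states for singlehop BFD. Lines beginning with "#" are explanatory and are not Clish input.

```clish
# Added example; AS 64500, fe80::1 and eth1 are constructed values
set bgp external remote-as 64500 peer fe80::1 on
# a link-local peer address is only reachable through a named interface
set bgp external remote-as 64500 peer fe80::1 outgoing-interface eth1 on
# both sides must share a capability; exchange IPv6 unicast routes with this peer
set bgp external remote-as 64500 peer fe80::1 capability ipv6-unicast on
# singlehop BFD for a directly connected peer; the Firewall policy must allow UDP 3784 both ways
set bgp external remote-as 64500 peer fe80::1 ip-reachability-detection on
# keep the peer's forwarding state across its restart, for at most 360 s after it signals recovery
set bgp external remote-as 64500 peer fe80::1 graceful-restart-helper on
set bgp external remote-as 64500 peer fe80::1 graceful-restart-helper-stalepath-time 360
```

If BFD packets are dropped, check the SmartConsole topology and Anti-Spoofing settings on eth1 before suspecting the peer: with ip-reachability-detection on, a blocked UDP 3784 flow will tear down a BGP session that would otherwise have stayed up.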