Configuring BGP Remote Peers in Gaia Portal

  1. From the left navigation tree, click Advanced Routing > BGP.

  2. In the Peer Groups section, configure the applicable settings.

  3. Click Add.

  4. Configure the applicable settings for this Peer Group.

  5. In the Peers section, click Add Peer and select either Add IPv4 Peer or Add IPv6 Peer.

  6. Configure the applicable settings for this Peer and click Save.

  7. Click Save.

Table: BGP Peer parameters in Gaia Portal

Parameter

Description

Peer

IP address of the BGP remote peer.

Comment

Optional: A free-text description of the remote peer.

Ping

Enable or disable ping for this peer.

IP Reachability Detection

Configure Bidirectional Forwarding Detection (BFD) on each Security Gateway and cluster member that sends or receives BFD packets. Select one of these options:

  • Singlehop BFD - For a peer that is one hop away.

    The peer must be on a directly connected network.

    Make sure the Firewall policy allows UDP port 3784 in both directions.

  • Multihop BFD - For a peer that is one or more hops away.

    Make sure the Firewall policy allows UDP port 4784 in both directions.

  • Off

Make sure that the BFD configuration is the same on both BFD peers (both configured as multihop or singlehop).

Make sure the SmartConsole topology is correct (issues with incorrect Firewall topology can cause anti-spoofing to interfere with BFD traffic).
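An added example (not Check Point code) that turns the BFD rules above into a pre-deployment check: it derives the UDP port the Firewall policy must allow for the chosen mode, rejects Singlehop BFD for a peer that is not on a directly connected network, and confirms both sides use the same mode. The interface list format ("address/prefix") and the returned rule dictionary are assumptions of this example.

```python
import ipaddress

# UDP ports from the table above: singlehop BFD (RFC 5881) and multihop BFD (RFC 5883).
BFD_UDP_PORT = {"singlehop": 3784, "multihop": 4784}


def plan_bfd(mode, local_interfaces, peer_ip):
    """Return the Firewall rule (dict) needed for this BFD mode, None for Off.

    mode: "singlehop", "multihop" or "off" (case-insensitive)
    local_interfaces: iterable of "address/prefix" strings on this gateway (assumed format)
    peer_ip: address of the BGP remote peer
    Raises ValueError when the mode does not fit the topology.
    """
    mode = mode.lower()
    if mode == "off":
        return None
    if mode not in BFD_UDP_PORT:
        raise ValueError("BFD mode must be singlehop, multihop or off")

    peer = ipaddress.ip_address(peer_ip)
    # Singlehop BFD requires the peer to be on a directly connected network:
    # the peer address must fall inside one of the local interface subnets.
    directly_connected = any(
        peer in ipaddress.ip_interface(iface).network for iface in local_interfaces
    )
    if mode == "singlehop" and not directly_connected:
        raise ValueError(
            f"Singlehop BFD needs {peer} on a directly connected network; use Multihop BFD"
        )
    # The rule must allow the port in both directions, as the table states.
    return {"proto": "udp", "port": BFD_UDP_PORT[mode], "bidirectional": True}


def bfd_modes_match(local_mode, peer_mode):
    """Both BFD peers must be configured identically (both singlehop or both multihop)."""
    return local_mode.lower() == peer_mode.lower()
```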

Check Control Plane Failure

Interprets the control plane independent flag (the C bit) received from the remote BFD peer.

When these two conditions are met at the same time, the gateway keeps stale routes and does not purge them, for graceful restart purposes:

  1. The C bit received from the peer is zero.

  2. BGP graceful restart is enabled.

When the option is cleared, stale routes are purged when the peer goes down.

Default: Cleared

Multiprotocol Capabilities

  • IPv4 Unicast Only - Specifies if IPv4 unicast routes can be sent to and received from this peer. Default: Selected.

  • IPv6 Unicast Only - Specifies if IPv6 unicast routes can be sent to and received from this peer. Default: Cleared.

  • Both IPv4 and IPv6 - Specifies if both IPv4 and IPv6 unicast routes can be sent to and received from this peer. Default: Cleared.

Local Address

The IP address used on the local end of the TCP connection with the peer.

For external peers that do not have multihop enabled, the local address must be on an interface that is shared with the peer or with the peer's gateway when the gateway parameter is used.

A session with an external peer is opened only when an interface with a local address through which the peer or gateway address is directly reachable is operating.

For other types of peers, a peer session is maintained when any interface with the specified local address is operating.

In either case, incoming connections are recognized as matching a configured peer only if they are addressed to the configured local address.

Default: None

Important:

Peer Local AS

Lets you configure the connection to a remote peer with a Peer Local ASN, on a per-peer basis.

The Peer Local ASN replaces the Local ASN in the BGP session.

Only eBGP peers are supported.

It is not necessary to configure the Peer Local ASN locally.

  • Enable Peer Local AS

    Enables this feature.

  • Prepend Peer Local AS on inbound updates from peer

    The router adds the configured peer local ASN to the AS path of the routes received from the peer.

    Routes installed from that peer will contain the peer local ASN as the first entry in the AS Path.

    Default: Selected

  • Prepend systemwide Local AS on outbound updates to peer

    The router adds the local ASN to the AS Path of the routes advertised to an eBGP peer.

    When enabled, the local ASN is the second ASN in the AS Path of updates sent to eBGP peers. The peer local ASN is always the first ASN in the AS Path, whether or not this sub-feature is enabled.

    Default: Selected

  • Allow peering with the Local AS

    Enables the connection to the local ASN or the peer local ASN. There can be only one active connection. If you do not enable this option, it is only possible to connect to the Peer Local ASN.

    The router first tries to connect to the local ASN. If the connection is created with the local ASN, the BGP runs as if the peer local ASN feature is not configured. If the connection with the local ASN fails, the router tries to connect with the peer local ASN.

    Important - Do not use this feature with an AS that already has peer local AS with Dual-Peering enabled.

    Default: Cleared

MED

  • Accept MED from External Peer

    MED should be accepted from this external neighbor.

    MEDs are always accepted from routing-type and confederation neighbors.

    If this parameter is not used with an external neighbor, the MED is stripped before the update is added to the routing table.

    If this parameter is added or deleted and other routing settings are reconfigured, the affected peering sessions are automatically restarted.

    Default: Cleared

  • MED Sent Out

    The primary metric used on all routes sent to the specified peer.

    This metric overrides the default metric on any route specified by the redistribute policy.

    Range: 0-4294967294

    Default: 4294967294

Next Hop and Time to Live

  • EGP Multihop

    Multihop is used to set up eBGP peering connections with peers that are not directly connected.

    You can also use this option, which relies on an IGP to find the route to the peer, to set up peers to perform eBGP load balancing.

    You can refine the multihop session by configuring the TTL, that is, the number of hops to the eBGP peer.

    The TTL has a default value of 64.

    Default: Cleared

  • Time to Live

    You can use the TTL (time to live parameter) to limit the number of hops over which the eBGP multihop session is established.

    You can configure the TTL only if multihop is enabled.

    Range: 1-255

    Default: 64

Aggregator

Select No Aggregator ID to force this router to specify the router ID in the aggregator attribute as zero, rather than the actual router ID.

This option prevents different routers in an AS from creating aggregate routes with different AS paths.

Default: Cleared

ASPATH

  • ASPATH prepend count

    The number of times this router adds to the AS path on eBGP external or CBGP confederation sessions.

    Use this setting to bias the degree of preference some downstream routers have for the routes originated by this router.

    Some implementations prefer to select routes with shorter AS paths.

    This parameter has no effect when used with iBGP peers.

    Range: 1-25

    Default: 1

  • AllowAS In Count

    This feature lets the router at the receiving end override the peer's AS number with the router's AS number in the inbound AS path.

    This is an inbound property whereas as-override is an outbound property.

    Range: 0-10

    Default: 0

  • AS Override

    Overrides the peer's AS number with the router's AS number in the outbound AS path.

    Default: Cleared

Private AS

Remove Private AS removes private AS numbers from the outgoing updates to this peer.

These conditions apply when this feature is enabled:

  • If the AS path includes both public and private AS numbers, private AS numbers will not be removed.

  • If the AS path contains the AS number of the destination peer, private AS numbers will not be removed.

  • If the AS path contains only confederations and private AS numbers, private AS numbers will be removed.

Default: Cleared
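An added example (not Check Point code) that applies the three Remove Private AS conditions listed above to an outbound AS path. It assumes the RFC 6996 private ranges (64512-65534 and 4200000000-4294967294) and treats a confederation member ASN as neither public nor private, which is this example's reading of the third condition.

```python
# RFC 6996 private AS ranges (16-bit and 32-bit).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def is_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def remove_private_as(as_path, peer_asn, confed_asns=frozenset()):
    """Return the AS path as advertised to peer_asn with Remove Private AS enabled.

    as_path:     list of ASNs, first entry nearest this router
    peer_asn:    AS number of the destination peer
    confed_asns: member ASNs of the local confederation (assumption: these are
                 not counted as public when evaluating the third condition)
    """
    path = list(as_path)
    # Condition 2: the path already contains the destination peer's AS number.
    if peer_asn in path:
        return path
    # Condition 1: a mix of public and private AS numbers is left untouched.
    has_public = any(not is_private_asn(a) and a not in confed_asns for a in path)
    if has_public:
        return path
    # Condition 3: only confederation and private AS numbers -> strip the private ones.
    return [a for a in path if not is_private_asn(a)]
```

The empty list returned for an all-private path is what remains before the router prepends its own local ASN on the outbound update.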

Timers

  • Keep Alive Timer

    An alternative way to specify a Hold Time value, in seconds, to use when negotiating the connection with this peer.

    The keepalive interval equals one-third the value of the holdtime.

    The keepalive interval is often used instead of the holdtime value, but you can specify both values, provided the value for the holdtime is three times the keepalive interval.

    The value must be 0, that is, no keepalives are sent, or at least 2.

    Range: 0, 2-21845

    Default: 60

  • Hold Time

    The BGP holdtime value, in seconds, to use when negotiating a connection with this peer.

    According to the specification, if the BGP speaker does not receive a keepalive update or notification message from its peer within the period specified by the holdtime value in the BGP Open message, the BGP connection is closed.

    The value must be either 0, that is, no keepalives are sent, or at least 6.

    Range: 0, 6-65535

    Default: 180
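An added example (not Check Point code) that checks a Hold Time / Keep Alive Timer pair against the ranges and the one-third rule stated above, derives the keepalive from the holdtime when only one value is given, and shows the RFC 4271 negotiation step: the session uses the smaller of the two Hold Time values offered in the OPEN messages. The function names are this example's own.

```python
def validate_timers(hold_time, keepalive=None):
    """Return the (hold_time, keepalive) pair this peer would run with, or raise.

    Rules from the table: hold time is 0 or 6-65535; keepalive is 0 or 2-21845;
    if both are given, hold time must be exactly three times the keepalive.
    """
    if not (hold_time == 0 or 6 <= hold_time <= 65535):
        raise ValueError("Hold Time must be 0 or in 6-65535")
    if keepalive is None:
        # Keepalive interval equals one-third of the holdtime.
        keepalive = hold_time // 3
    if not (keepalive == 0 or 2 <= keepalive <= 21845):
        raise ValueError("Keep Alive Timer must be 0 or in 2-21845")
    # 0 disables keepalives on both values together, never on just one.
    if (hold_time == 0) != (keepalive == 0):
        raise ValueError("Hold Time and Keep Alive Timer must both be 0 or both be non-zero")
    if hold_time and hold_time != 3 * keepalive:
        raise ValueError("Hold Time must be three times the Keep Alive Timer")
    return hold_time, keepalive


def negotiated_timers(local_hold_time, peer_hold_time):
    """RFC 4271 section 4.2: each speaker uses the smaller of its configured Hold
    Time and the Hold Time received in the peer's OPEN; 0 disables the timers.
    Returns (hold_time, keepalive) actually in effect on the session."""
    hold = min(local_hold_time, peer_hold_time)
    return hold, hold // 3
```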

Needed when Peering with Route Server

Select Ignore First AS Hop to force this router to ignore the first AS number in the AS_PATH for routes learned from the corresponding peer.

Important - Select this option only if you are peering with a route server in so-called transparent mode, that is, when the route server is configured to redistribute routes from multiple ASs without prepending its own AS number.

Default: Cleared

Keep Alive

Select Keep Alive Always to force this router always to send keepalives even when an update can substitute.

This setting allows interoperability with routers that do not completely adhere to the protocol specifications on this point.

Default: Cleared

Routes

Accept Routes Received From the Peer controls whether routes received from the peer are accepted when there is an inbound BGP route policy.

If an inbound policy to accept the route does not exist, you can select All or None:

  • All - Specifies to accept and install routes with an invalid preference. Depending on the local BGP inbound policy the routes could become active or inactive.

  • None - Specifies to delete routes learned from a peer when no explicit local BGP inbound policy exists. This option is used to save memory overhead when many routes are rejected because there is no local policy. These routes can be relearned only by restarting the BGP session.

Default: All

Allows Accept TCP Sessions from Your Peer

Select Passive to force this router to wait for the peer to issue an open.

By default all explicitly configured peers are active and periodically send open messages until the peer responds.

Modifying this option resets the peer connection.

Default: Cleared

Authentication

The type of authentication scheme to use between given peers.

In general peers must agree on the authentication configuration to form peer adjacencies.

This feature guarantees that routing information is accepted only from trusted peers.

If you selected MD5, the Password field appears. When you enter a password, MD5 authentication is used with the given peer.

Options: None, or MD5

Default: None

Limit BGP Updates Sent to a Peer

Controls the network traffic when there are many BGP peers.

Throttle Count determines the number of BGP updates sent at a time.

Range: 0-65535

Default: No default

Default Originate

Select Suppress Default Originate to NOT generate a default route when the peer receives a valid update from its peer.

Default: Cleared

Route Refresh

Route refresh is used to either re-learn routes from the BGP peer or to refresh the routing table of the peer without tearing down the BGP session.

Both peers must support the BGP route refresh capability and should have advertised this at the time peering was established.

Re-learning of routes previously sent by the peer is accomplished by sending a BGP route refresh message.

The peer responds to the message with the current routing table.

Similarly, if a peer sends a route refresh request the current routing table is re-sent.

You can also trigger a route update without having to wait for a route refresh request from the peer.

Both peers must support the same address and subsequent address families.

For example a request for IPv6 unicast routes from a peer that did not advertise the capability during session establishment will be ignored.

Note - Clicking a refresh button sends a trigger to the routing daemon. It does not change the configuration of the router.

Graceful Restart

  • Helper

    Routes received from the peer are preserved if the peer goes down, until either the session is re-established (an Open message is received from the peer after it comes back up) or the graceful restart timer expires.

    Default: Cleared

  • Stalepath Time

    Maximum time for which routes previously received from a restarting router are kept unless they are re-validated.

    The timer is started after the peer sends indication that it is up again.

    Range: 60 - 65535

    Default: 360

Logging

  • Log bgp peer transitions

    Select to force this router to log a message whenever a BGP peer enters or leaves the ESTABLISHED state.

    Default: Cleared

  • Log warnings

    Select to force this router to log a message whenever a warning scenario is encountered in the codepath.

    Default: Cleared

Trace Options

The tracing options for BGP. The BGP implementation inherits the default values for global trace options.

You can override these values on a group or neighbor basis.

Log messages are saved in the /var/log/routed.log file.

See Trace Options.