Configuring IP Reachability Detection in Gaia Clish

Important - In a ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

set ip-reachability-detection

   bfd

      address <IP Address>

         authtype delete

         authtype none

         authtype {md5 | meticulous-md5 | sha1 | meticulous-sha1} key <0-255>

            hex-secret "<Hex Password>"

            off

            secret "<Password>"

         enable-bfd multihop local-address <IPv4 Address>

         enable-bfd off

         enable-bfd on

      detect-multiplier {<1-100> | default}

      min-rx-interval {<50-1000> | default}

      min-tx-interval {<50-1000> | default}

   ping

      address <IPv4 Address> enable-ping {off | on}

      count {<1-100> | default}

      interval {<1-100> | default}

Parameter

Description

bfd address <IP Address>

Configures the IP address range of the peer.

Configuration in the address range applies to any BFD sessions, whose remote peer addresses are in the range.

If ranges overlap, the narrowest range takes precedence (for example: 10.1.1.0/24 overrides 10.1.0.0/16).

Specify the applicable IPv4 address and optionally the IPv4 subnet mask.

If the subnet mask is not specified explicitly, it defaults to the maximum of 32.

Examples:

  • 0.0.0.0/0 - All IPv4 addresses
  • 1.0.0.0/8 - Addresses from 1.0.0.0 through 1.255.255.255
  • 1.1.1.0/24 - Addresses from 1.1.1.0 through 1.1.1.255
  • 1.2.3.4/32 - A single address, 1.2.3.4
  • 1.2.3.4 - A single address, 1.2.3.4

Specify the applicable IPv6 address and optionally the Mask Length.

If the Mask Length is not specified explicitly, it defaults to the maximum of 128.

Examples:

  • ::/0 - All IPv6 addresses (including link-local)
  • fe80::/10 - All link-local addresses (requires interface)

bfd address <IP Address> authtype delete

Deletes the BFD authentication settings, including keys and authentication type.

In this case, if a greater, overlapping range is configured for authentication, that range's settings are used.

bfd address <IP Address> authtype none

No BFD authentication is used.

If you switch from another authentication type to this type, all keys are removed and authentication is disabled for this range of peer addresses (even if a greater, overlapping range is configured for authentication).

bfd address <IP Address> authtype {md5 | meticulous-md5 | sha1 | meticulous-sha1} key <0-255>

Configures the BFD Authentication type and key.

BFD can be authenticated on a given address range, with specified Authentication Type, Key ID, and Shared Secret.

BFD authentication is disabled by default.

If BFD authentication is already enabled on the address range, you can add another Key (up to ten) with a unique Key ID, or replace the configured Key.

For BFD authentication to work properly, you must configure the local and remote BFD peers to:

  • Both have authentication enabled.

  • Have the same authentication type setting.

  • Have the exact same set of Keys, with matching Key IDs and Shared Secrets.

Note - You can delete the configured BFD Authentication settings, including keys and authentication type. In this case, if a greater, overlapping range is configured for authentication, that range's settings are used.

 

  • Meticulous MD5, or MD5

    The use of these authentication types is strongly discouraged.

    These authentication types use a 16-byte MD5 digest calculated over the outgoing BFD Control packet, but the Key itself is not carried in the packet.

    For Meticulous MD5, the sequence number is incremented on every packet.

    For MD5, the sequence number is occasionally incremented.

  • Meticulous SHA1, or SHA1

    These authentication types use a SHA1 hash calculated over the outgoing BFD Control packet.

    For Meticulous SHA1, the sequence number is incremented on every packet.

    For SHA1, the sequence number is occasionally incremented.

    >

    Best Practice - Use one of these authentication types.

 

This number uniquely identifies the key, if more than one key is used.

BFD supports the use of multiple keys (up to ten).

Make sure that the Configures of keys (Key IDs and Shared Secrets) are identical to those on the remote peer.

Note - Gaia transmits only the Key with the lowest Key ID number. Gaia accepts packets with any key.

Range: 0-255

Default: None

bfd address <IP Address> authtype <Type> key <0-255> hex-secret "<Hex Password>"

Specifies the shared secret in hexadecimal notation, with two hex digits to represent each byte.

>

Best Practice - Do not enable this option. The alternative hex option is provided for versatility and interoperability, to support special characters, such as single quote, double quote, and others.

  • Supports only Hex digits (example: "74657374696e67").

    Spaces are not allowed.

  • For Meticulous MD5 and MD5 - The secret must contain from 2 to 32 hex digits.

  • For Meticulous SHA1 and SHA1 - The secret must contain from 2 to 40 hex digits.

  • Interoperability with other vendors may require that you limit the secret length.

  • The configured value is automatically padded to the full length with null bytes.

bfd address <IP Address> authtype <Type> key <0-255> off

Removes a BFD authentication key from the configuration.

Leaves other keys alone.

When you remove the last BFD authentication key from an address range, then BFD uses the settings from a broader overlapping address range (if any). If there is none, then BFD operates without authentication.

This can disable BFD authentication if no more keys are left.

bfd address <IP Address> authtype <Type> key <0-255> secret "<Password>"

Specifies the shared secret, in which each ASCII character represents one byte.

>

Best Practice - Use this option.

  • Supports only ASCII characters (example: "testing").

    Spaces are not allowed.

  • For Meticulous MD5 and MD5 - The secret must contain from 1 to 16 characters.

  • For Meticulous SHA1 and SHA1 - The secret must contain from 1 to 20 characters.

  • Interoperability with other vendors may require that you limit the secret length.

  • The configured value is automatically padded to the full length with null bytes.

bfd address <IP Address> enable-bfd multihop local-address <IPv4 Address>

Enables multihop BFD for this IP address.

Allows the remote address to be any number of hops away - even zero, although this is seldom useful (see RFC 5883).

To support this extra versatility, with multihop BFD you must specify the Local Address of this Gaia.

Multihop BFD only works if the remote and local IP addresses on the peers are configured correctly:

  • On Peer #1:

    • The session IP address (remote IP address) is the local IP address configured on Peer #2
    • The session local IP address is the local IP address configured on Peer #1

  • On Peer #2:

    • The session IP address (remote IP address) is the local IP address configured on Peer #1
    • The session local IP address is the local IP address configured on Peer #2

BFD Multihop Control packets use the UDP destination port 4784.

bfd address <IP Address> enable-bfd off

Disables BFD completely for this IP address.

bfd address <IP Address> enable-bfd on

Enables singlehop BFD for this IP address.

Requires that the remote address be exactly one hop away (see RFC 5881).

BFD Singlehop Control packets use the UDP destination port 3784.

BFD Singlehop Control packets use the UDP source ports from 49152 to 65535.

bfd detect-multiplier {<1-100> | default}

Configures the BFD detect multiplier that the system advertises.

It determines the remote system timeout.

Smaller values produce quicker detection.

greater values produce better reliability.

If the remote peer's Detect Multiplier is 1, the detection time on a Gaia gateway increases by 12.5% above the RFC 5880 specification, to improve reliability.

This setting is global for all BFD sessions on a Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. or VSXClosed Virtual System Extension. Check Point virtual networking solution, hosted on a computer or cluster with virtual abstractions of Check Point Security Gateways and other network devices. These Virtual Devices provide the same functionality as their physical counterparts. Virtual System.

Range: 1-100

Default: 10

Recommended: At least 3

bfd min-rx-interval {<50-1000> | default}

Configures the BFD minimal RX interval that the system advertises.

It configures the local system timeout and the rate at which the remote system transmits packets.

Smaller values produce quicker detection.

greater values reduce network load.

This setting is global for all BFD sessions on a Security Gateway or VSX Virtual System.

Range: 50-1000 milliseconds

Default: 300 milliseconds

bfd min-tx-interval {<50-1000> | default}

Configures the BFD minimal TX interval that this system advertises.

It configures the remote system timeout and the rate at which the local system transmits packets.

Smaller values produce quicker detection.

greater values reduce network load.

This setting is global for all BFD sessions on a Security Gateway or VSX Virtual System.

Range: 50-1000 milliseconds

Default: 300 milliseconds

ping address <IPv4 Address> enable-ping {off | on}

This feature detects whether various remote IP addresses are reachable using ICMP ping.

Disables (off) or enables (on) ICMP Echo for this IP address.

ping count {<1-100> | default}

This feature detects whether various remote IP addresses are reachable using ICMP ping.

Specifies the number of missed packets (no ICMP Echo Reply) to be tolerated in a row before the address is considered "not reachable."

Range: 1-100

Default: 3

ping interval {<1-100> | default}

This feature detects whether various remote IP addresses are reachable using ICMP ping.

Specifies the interval between ICMP Echo Request packets that are sent.

This setting is global for all BFD sessions on a Security Gateway or VSX Virtual System.

Range: 50-1000 seconds

Default: 3 seconds