Configuring IP Reachability Detection in Gaia Portal
Important - In a Cluster
- From the left navigation tree, click Advanced Routing > IP Reachability Detection.
- In the Global Settings section, configure the applicable settings and click Apply.
Description
The Detect Multiplier, Minimum RX Interval and Minimum TX Interval settings, from both sides, set the detection time (timeout) that BFD uses.
The Detect Multiplier and the Minimum Interval, multiplied together, make the timeout.
Best Practices:
- The calculated timeout should be at least 1 second, preferably 3 seconds (or more) for reliability. For more details, see RFC 5880.
- On Cluster Members, make sure the calculated timeout is longer than the time necessary for the cluster to complete an unattended failover in your environment. We recommend that you first test failover in your environment.
These settings are global for all BFD sessions on a Security Gateway or VSX Virtual System.
Parameters
BFD Detect Multiplier
- Configures the BFD detect multiplier that the system advertises. It determines the remote system timeout.
- Smaller values produce quicker detection; greater values produce better reliability.
- If the remote peer's Detect Multiplier is 1, the detection time on a Gaia gateway increases by 12.5% above the RFC 5880 specification, to improve reliability.
- Range: 1-100
- Default: 10
- Recommended: At least 3
BFD Minimum RX Interval
- Configures the BFD minimal RX interval that the system advertises. It configures the local system timeout and the rate at which the remote system transmits packets.
- Smaller values produce quicker detection; greater values reduce network load.
- Range: 50-1000 milliseconds
- Default: 300 milliseconds
BFD Minimum TX Interval
- Configures the BFD minimal TX interval that this system advertises. It configures the remote system timeout and the rate at which the local system transmits packets.
- Smaller values produce quicker detection; greater values reduce network load.
- Range: 50-1000 milliseconds
- Default: 300 milliseconds
Ping Count
- This feature detects whether various remote IP addresses are reachable using ICMP ping.
- Specifies the number of missed packets (no ICMP Echo Reply) to be tolerated in a row before the address is considered "not reachable."
- Range: 1-100
- Default: 3
Ping Interval
- This feature detects whether various remote IP addresses are reachable using ICMP ping.
- Specifies the interval between ICMP Echo Request packets that are sent.
- Range: 50-1000 seconds
- Default: 3 seconds
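As an added worked example (not part of the Gaia documentation), the following Python computes the BFD detection time from the Global Settings of both peers using the RFC 5880 rule, applies the 12.5% Gaia adjustment described above, and checks the result against the Best Practices in the Description. The peer values and the failover time in the scenario are constructed.

```python
from dataclasses import dataclass

@dataclass
class BfdSettings:
    """The three Global Settings one peer advertises (ranges and defaults as listed above)."""
    detect_multiplier: int = 10   # Range 1-100
    min_rx_ms: int = 300          # Minimum RX Interval, range 50-1000 ms
    min_tx_ms: int = 300          # Minimum TX Interval, range 50-1000 ms

    def validate(self) -> None:
        if not 1 <= self.detect_multiplier <= 100:
            raise ValueError("Detect Multiplier must be 1-100")
        for name, value in (("RX", self.min_rx_ms), ("TX", self.min_tx_ms)):
            if not 50 <= value <= 1000:
                raise ValueError(f"Minimum {name} Interval must be 50-1000 ms")

def detection_time_ms(local: BfdSettings, remote: BfdSettings, local_is_gaia: bool = True) -> float:
    """Time after which the local peer declares the session down.

    RFC 5880 section 6.8.4: remote Detect Multiplier x max(local Minimum RX, remote
    Minimum TX). The larger interval wins because the remote peer may not transmit
    faster than the local peer is willing to receive."""
    local.validate()
    remote.validate()
    timeout = remote.detect_multiplier * max(local.min_rx_ms, remote.min_tx_ms)
    # Gaia behaviour stated on this page: if the remote Detect Multiplier is 1,
    # the Gaia gateway adds 12.5% to the RFC value to improve reliability.
    if local_is_gaia and remote.detect_multiplier == 1:
        timeout *= 1.125
    return timeout

def check_best_practice(timeout_ms: float, failover_ms=None) -> list:
    """Return the best-practice violations listed above (empty list means OK).
    failover_ms is the measured unattended cluster failover time, if known."""
    findings = []
    if timeout_ms < 1000:
        findings.append("timeout below 1 second")
    elif timeout_ms < 3000:
        findings.append("timeout below the preferred 3 seconds")
    if failover_ms is not None and timeout_ms <= failover_ms:
        findings.append("timeout not longer than the cluster failover time")
    return findings

if __name__ == "__main__":
    # Constructed scenario: Gaia defaults on this side, a fast peer with multiplier 1.
    t = detection_time_ms(BfdSettings(), BfdSettings(detect_multiplier=1, min_tx_ms=50))
    print(t, check_best_practice(t, failover_ms=2000))
```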
- In the Static Sessions section, add the applicable sessions.
  - Click Add.
  - In the Address Family field, select either IPv4 or IPv6.
  - In the Address field, enter the applicable IP address.
  - In the Type field, select the BFD type.
    Singlehop BFD
    - Requires that the remote address be exactly one hop away (see RFC 5881).
    - BFD Singlehop Control packets use the UDP destination port 3784.
    - BFD Singlehop Control packets use the UDP source ports from 49152 to 65535.
    Multihop BFD
    - Allows the remote address to be any number of hops away - even zero, although this is seldom useful (see RFC 5883).
    - To support this extra versatility, with multihop BFD you must specify the Local Address of this Gaia.
    - Multihop BFD only works if the remote and local IP addresses on the peers are configured correctly:
      - On Peer #1:
        - The session IP address (remote IP address) is the local IP address configured on Peer #2
        - The session local IP address is the local IP address configured on Peer #1
      - On Peer #2:
        - The session IP address (remote IP address) is the local IP address configured on Peer #1
        - The session local IP address is the local IP address configured on Peer #2
    - BFD Multihop Control packets use the UDP destination port 4784.
    Ping
    - Detects whether remote IP addresses are reachable using ICMP ping.
    - ICMP Echo packets use the UDP destination port 3785.
Note - BFD only works if both ends are configured to perform the same BFD type - on both ends perform singlehop, on both ends perform multihop, or on both ends perform ping.
  - Click Save.
- In the BFD Authentication section, configure the applicable authentication settings.
Description
BFD can be authenticated on a given address range, with specified Authentication Type, Key ID, and Shared Secret.
BFD authentication is disabled by default.
If BFD authentication is already enabled on the address range, you can add another Key (up to ten) with a unique Key ID, or replace the configured Key.
For BFD authentication to work properly, you must configure the local and remote BFD peers to:
- Both have authentication enabled.
- Have the same authentication type setting.
- Have the exact same set of Keys, with matching Key IDs and Shared Secrets.
Note - You can delete the configured BFD Authentication settings, including keys and authentication type. In this case, if a greater, overlapping range is configured for authentication, that range's settings are used.
Procedure
- Click Add.
- In the Address Family field, select either IPv4 or IPv6.
- Configure whether BFD Authentication must apply to all IP addresses. Otherwise, you explicitly configure the applicable IP address range.
  - For IPv4: Select All IPv4 Addresses.
  - For IPv6: Select All IPv6 Addresses.
- Configure the applicable IP address range of the peer.
  Configuration in the address range applies to any BFD sessions whose remote peer addresses are in the range.
  If ranges overlap, the narrowest range takes precedence (for example: 10.1.1.0/24 overrides 10.1.0.0/16).
  For IPv4
  - In the Address field, enter the applicable IPv4 address.
  - In the Subnet mask field, enter the applicable IPv4 subnet mask. If not specified explicitly, it defaults to the maximum of 32.
  Examples:
  - 0.0.0.0/0 - All IPv4 addresses
  - 1.0.0.0/8 - Addresses from 1.0.0.0 through 1.255.255.255
  - 1.1.1.0/24 - Addresses from 1.1.1.0 through 1.1.1.255
  - 1.2.3.4/32 - A single address, 1.2.3.4
  - 1.2.3.4 - A single address, 1.2.3.4
  For IPv6
  - In the IPv6 Address / Mask Length field, enter the applicable IPv6 address and the Mask Length. If the Mask Length is not specified explicitly, it defaults to the maximum of 128.
  Examples:
  - ::/0 - All IPv6 addresses (including link-local)
  - fe80::/10 - All link-local addresses (requires interface)
- In the Authentication Type field, select the authentication type. For more information, see RFC 5880.
  If you change the authentication type of a session, its existing keys are switched to the new authentication type.
  None
  - No authentication is used.
  - If you switch from another authentication type to this type, all keys are removed and authentication is disabled for this range of peer addresses (even if a greater, overlapping range is configured for authentication).
  Meticulous MD5, or MD5
  - The use of these authentication types is strongly discouraged.
  - These authentication types use a 16-byte MD5 digest calculated over the outgoing BFD Control packet, but the Key itself is not carried in the packet.
  - For Meticulous MD5, the sequence number is incremented on every packet.
  - For MD5, the sequence number is occasionally incremented.
  Meticulous SHA1, or SHA1
  - These authentication types use a SHA1 hash calculated over the outgoing BFD Control packet.
  - For Meticulous SHA1, the sequence number is incremented on every packet.
  - For SHA1, the sequence number is occasionally incremented.
  - Best Practice - Use one of these authentication types.
- Configure the applicable Keys:
  - Click Add.
  - In the Key ID field, enter the Key ID from 0 to 255.
    Description
    - This number uniquely identifies the key, if more than one key is used.
    - BFD supports the use of multiple keys (up to ten).
    - Make sure that the configured keys (Key IDs and Shared Secrets) are identical to those on the remote peer.
    - Note - Gaia transmits only the Key with the lowest Key ID number. Gaia accepts packets with any key.
  - The Enter secret as hex option:
    - If this option is cleared (default), each ASCII character in the shared secret represents one byte.
    - If this option is selected, you specify the shared secret in hexadecimal notation, with two hex digits to represent each byte.
    - Best Practice - Do not enable this option. The hex option is provided for versatility and interoperability, to support special characters, such as single quote, double quote, and others.
  - In the Secret (or Hex Secret) field, enter the shared secret.
    Description
    - Supports only ASCII characters (example: "testing"), or Hex digits (example: 74657374696e67). Spaces are not allowed.
    - For Meticulous MD5 and MD5 - The secret must contain from 1 to 16 characters. In Hex, it must contain from 2 to 32 hex digits.
    - For Meticulous SHA1 and SHA1 - The secret must contain from 1 to 20 characters. In Hex, it must contain from 2 to 40 hex digits.
    - Interoperability with other vendors may require that you limit the secret length.
    - The configured value is automatically padded to the full length with null bytes.
  - Click OK.
- Click Save.
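Added example, not Check Point's code: it applies the secret rules above (ASCII or hex, per-type length limits, null padding) and shows how the resulting key authenticates a BFD Control packet under RFC 5880, where the key is hashed together with the packet but never carried in it, and where a receiver accepts any configured Key ID as the note above describes. The sample packet, its discriminators and the Key ID are constructed values.

```python
import hashlib
import hmac
import struct

# Auth Type codes from RFC 5880 section 4.1, with the key length each digest uses.
AUTH_TYPES = {"MD5": (2, 16), "Meticulous MD5": (3, 16),
              "SHA1": (4, 20), "Meticulous SHA1": (5, 20)}

def key_from_secret(secret: str, auth_type: str, as_hex: bool = False) -> bytes:
    """Apply the Gaia secret rules above: ASCII (or hex digits), no spaces, a length
    limit that depends on the digest, then null padding to the full key length."""
    _, key_len = AUTH_TYPES[auth_type]
    if " " in secret or not secret.isascii():
        raise ValueError("secret must be ASCII without spaces")
    key = bytes.fromhex(secret) if as_hex else secret.encode("ascii")
    if not 1 <= len(key) <= key_len:
        raise ValueError(f"secret must be 1-{key_len} bytes for {auth_type}")
    return key.ljust(key_len, b"\x00")

def sign_packet(mandatory: bytes, auth_type: str, key_id: int, seq: int, key: bytes) -> bytes:
    """Append the authentication section. The padded key sits in the Auth Key/Digest
    field while hashing and is then replaced by the digest, so the key itself is
    never carried in the packet (RFC 5880 sections 6.7.3 and 6.7.4)."""
    code, key_len = AUTH_TYPES[auth_type]
    hasher = hashlib.md5 if key_len == 16 else hashlib.sha1
    header = struct.pack("!BBBBI", code, 8 + key_len, key_id, 0, seq)  # Auth Len 24 or 28
    digest = hasher(mandatory + header + key).digest()
    return mandatory + header + digest

def verify_packet(packet: bytes, keys: dict) -> bool:
    """Receiver side: any configured Key ID is accepted, as the note above says.
    Recompute the digest with that key in place of the received one and compare."""
    auth_len, key_id = packet[25], packet[26]
    if key_id not in keys or len(packet) != 24 + auth_len:
        return False
    hasher = hashlib.md5 if auth_len - 8 == 16 else hashlib.sha1
    body, received = packet[:32], packet[32:]
    return hmac.compare_digest(hasher(body + keys[key_id]).digest(), received)

def sample_packet(auth_type: str = "Meticulous SHA1", secret: str = "testing", seq: int = 1) -> bytes:
    """Constructed sample: a 24-byte mandatory section (version 1, A flag set,
    Detect Multiplier 10, 300 ms intervals) followed by the authentication section."""
    auth_len = 8 + AUTH_TYPES[auth_type][1]
    mandatory = struct.pack("!BBBBIIIII", 1 << 5, 0x04, 10, 24 + auth_len,
                            0x11111111, 0x22222222, 300_000, 300_000, 0)
    return sign_packet(mandatory, auth_type, 1, seq, key_from_secret(secret, auth_type))
```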