Configuring Inbound Route Filters for IPv4 BGP in Gaia Clish

Important - In a Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

To see the available "set" commands for IPv4 Inbound Route Filters, enter in Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).:

set inbound-route-filter[Esc][Esc]

To see the configured IPv4 Inbound Route Filters, enter in Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Clish:

show configuration inbound-route-filter

Syntax

set inbound-route-filter bgp-policy <BGP Import Policy ID>

accept-all-ipv4

accept-all-ipv6

based-on-as as <AS Number> on

based-on-aspath aspath-regex {<Regular Expression> | empty} origin {any | egp | igp | incomplete} on

community-match <1-65535> as <1-65535> {off | on}

default-localpref {0-4294967295 | default}

default-weight {0-65535 | default}

off

restrict-all-ipv4

restrict-all-ipv6

route <IPv4 or IPv6 Address>/<Mask Length>

accept

between <Start IPv4 Mask Length> and <End IPv4 Mask Length> on

between <Start IPv4 Mask Length> and <End IPv4 Mask Length> restrict on

exact on

exact restrict on

localpref {0-4294967295 | default}

normal on

normal restrict on

off

refines on

refines restrict on

weight {0-65535 | default}

Parameters

Parameter

Description

set inbound-route-filter bgp-policy <BGP Import Policy ID>

Configures the ID for the BGP Import Policy.

The <BGP Import Policy ID> is:

From 1 to 511 for import based on the AS-PATH attribute.
From 512 to 1024 for import based on the AS Number attribute.

accept-all-ipv4

Accepts all IPv4 routes that match this filter, except those route that are explicitly restricted by a more specific rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session..

Accepting routes is the default behavior, unless the "restrict" option is configured.

accept-all-ipv6

Accepts all IPv6 routes that match this filter, except those route that are explicitly restricted by a more specific rule.

Accepting routes is the default behavior, unless the "restrict" option is configured.

based-on-as as <AS Number> on

Configures a new policy to import BGP routes from a particular peer Autonomous System.

based-on-aspath aspath-regex {<Regular Expression> | empty} origin {any | egp | igp | incomplete} on

Configures a new policy to import BGP routes, whose AS-PATH matches a particular regular expression.

A valid AS_PATH regular expression contains only digits and these special characters:

. - The period character matches any single character.
\ - The backslash character matches the character right after the backslash. For pattern recall, match the pattern indicated by the digit following the backslash. To enter the backslash character, enter two backslash characters \\ (the first backslash character escapes the second backslash character).
^ - The circumflex character matches the characters or null string at the beginning of the AS path.
$ - The dollar character matches the characters or null string at the end of the AS path.
? - The question mark matches zero or one occurrence of the pattern before "?". To enter the question mark, press the CTRL V keys and then press the Shift ? keys.
* - The asterisk character matches zero or more occurrences of the pattern before "*".
+ - The plus character matches one or more occurrences of the pattern before "+".
| - The pipeline (vertical line) character matches one of the patterns on either side of the "|" character.
_ - The underscore character matches comma (,), left brace ({), right brace (}), beginning of ASPath (^), end of ASPath ($), or a whitespace (space or tabulation).
[ ] - The square brackets match the set of characters or range of characters separated by a hyphen (-) within the brackets.
( ) - The round brackets group one or more patterns into a single pattern.
{m n} - Matches at least "m" and at most "n" repetitions of the pattern before "{m,n}". Both "m" and "n" are positive integers, and "m" is less than or equal to "n".
{m} - Matches exactly "m" repetitions of the pattern before "{m}". The "m" is a positive integer.
{m,} - Matches "m" or more repetitions of the pattern before "{m}". The "m" is a positive integer.

To generate an empty regular expression, use "empty".

Route origins are:

any - A route was learned from any protocol and the path is probably complete.
egp - A route was learned from an exterior routing protocol that does not support AS-PATH, and the path is probably incomplete.
igp - A route was learned from an interior routing protocol and the path is probably complete.
incomplete - The route path information is incomplete.

community-match <1-65535> as <1-65535> {off | on}

Matches routes containing a given Community in the BGP Community attribute.

Each Community is identified by a Community ID and an Autonomous System number.

off - Removes this Community filter from this BGP import policy
on - Adds this Community match filter to this BGP import policy

default-localpref {0-4294967295 | default}

Assigns a BGP local preference to all routes that match this filter, except those that match a more specific filter with a different local preference value configured.

The local preference value is sent automatically when redistributing external BGP routes to an internal BGP route.

The local preference parameter is ignored if used on internal BGP import statements.

greater values are preferred by the routing system when it selects between competing BGP routes.

>	Best Practice - The local preference configuration is the recommended way to bias the preference for BGP routes.

Important - Do not use the local preference parameter when importing BGP.

Note - The local preference cannot be configured in a policy rule that is set to "restrict".

Range: 0-4294967295

Default: No local preference

default-weight {0-65535 | default}

Assigns a BGP weight to all routes that match this filter, except those that match a more specific filter with a different weight value configured.

BGP stores any routes that are rejected by not mentioning them in a route filter.

BGP explicitly mentions these rejected routes in the routing table and assigns them a "restrict" keyword with a negative weight.

A negative weight prevents a route from becoming active, which means that it is not installed in the forwarding table or exported to other protocols.

This feature eliminates the need to break and re-establish a session upon reconfiguration if import policy is changed.

Note - The route weight cannot be configured in a policy rule that is set to "restrict".

Range: 0-65535

Default: No weight

set inbound-route-filter bgp-policy <BGP Import Policy ID> off

Deletes this BGP import policy from the configuration.

restrict-all-ipv4

Rejects all IPv4 routes that match this filter, except those that match a more specific filter that is set to "accept".

restrict-all-ipv6

Rejects all IPv6 routes that match this filter, except those that match a more specific filter that is set to "accept".

route <IPv4 or IPv6 Address>/<Mask Length>

Configures import policy for a specific network.

Range: For IPv4 - Dotted-quad ([0-255].[0-255].[0-255].[0-255]) / [0-32]

Range: For IPv6 - Dotted-octet ([0-F]:[0-F]:[0-F]:[0-F]:[0-F]:[0-F]:[0-F]:[0-F]) / [0-128]

Default: None

route <IPv4 or IPv6 Address>/<Mask Length> accept

Accepts this route.

route <IPv4 Address>/<IPv4 Mask Length> between <Start IPv4 Mask Length> and <End IPv4 Mask Length> on

There are different mechanisms, by which routes can be matched against the configured subnet. A match type must be configured following the subnet.

Accepts any route with prefix equal to the specified network, whose mask length falls within a particular range.

route <IPv4 Address>/<IPv4 Mask Length> between <Start IPv4 Mask Length> and <End IPv4 Mask Length> restrict on

There are different mechanisms, by which routes can be matched against the configured subnet. A match type must be configured following the subnet.

Rejects all routes that match this policy rule, except those that match a more specific filter that is set to "accept".

route <IPv4 or IPv6 Address>/<Mask Length> exact on

There are different mechanisms, by which routes can be matched against the configured subnet. A match type must be configured following the subnet.

Accepts only routes with prefix and mask length exactly equal to the specified network.

route <IPv4 or IPv6 Address>/<Mask Length> exact restrict on

There are different mechanisms, by which routes can be matched against the configured subnet. A match type must be configured following the subnet.

Rejects all routes that match this policy rule, except those that match a more specific filter that is set to "accept".

route <IPv4 or IPv6 Address>/<Mask Length> localpref {0-4294967295 | default}

Assigns a BGP local preference to all routes that match this filter, except those that match a more specific filter with a different local preference value configured.

The local preference value is sent automatically when redistributing external BGP routes to an internal BGP route.

The local preference parameter is ignored if used on internal BGP import statements.

greater values are preferred by the routing system when it selects between competing BGP routes.

>	Best Practice - The local preference configuration is the recommended way to bias the preference for BGP routes.

Important - Do not use the local preference parameter when importing BGP.

Note - The local preference cannot be configured in a policy rule that is set to "restrict".

Range: 0-4294967295

Default: No local preference

route <IPv4 or IPv6 Address>/<Mask Length> normal on

There are different mechanisms, by which routes can be matched against the configured subnet. A match type must be configured following the subnet.

Accepts any route equal to or contained within the specified network.

route <IPv4 or IPv6 Address>/<Mask Length> normal restrict on

There are different mechanisms, by which routes can be matched against the configured subnet. A match type must be configured following the subnet.

Rejects all routes that match this policy rule, except those that match a more specific filter that is set to "accept".

route <IPv4 or IPv6 Address>/<Mask Length> off

Removes this address filter from this import policy.

route <IPv4 or IPv6 Address>/<Mask Length> refines on

There are different mechanisms, by which routes can be matched against the configured subnet. A match type must be configured following the subnet.

Matches routes contained within the specified network, but only more specific (for example, with a greater mask length).

route <IPv4 or IPv6 Address>/<Mask Length> refines restrict on

There are different mechanisms, by which routes can be matched against the configured subnet. A match type must be configured following the subnet.

Rejects all routes that match this policy rule, except those that match a more specific filter that is set to "accept".

route <IPv4 or IPv6 Address>/<Mask Length> weight {0-65535 | default}

Assigns a BGP weight to all routes that match this filter, except those that match a more specific filter with a different weight value configured.

BGP stores any routes that are rejected by not mentioning them in a route filter.

BGP explicitly mentions these rejected routes in the routing table and assigns them a "restrict" keyword with a negative weight.

A negative weight prevents a route from becoming active, which means that it is not installed in the forwarding table or exported to other protocols.

This feature eliminates the need to break and re-establish a session upon reconfiguration if import policy is changed.

Note - The route weight cannot be configured in a policy rule that is set to "restrict".

Range: 0-65535

Default: No weight