Port to allow Routing protocol to work behind firewall.
I. Enabling RIP
A. RIP version 1
RIP runs over UDP port 520. It sends and receives all messages on this port; all messages are sent to the local broadcast address. To enable RIP, add a rule that allows all of the firewall's neighbors to send messages to UDP port 520 on the local broadcast address of their network. RIP is a predefined service in the Security Gateway GUI.
| Source | Destination | Service | Action | Track | Install On |
|---|---|---|---|---|---|
| Neighbor 1 | Network 1 Broadcast | RIP | Accept | | Gateways |
| Neighbor 2 | Network 2 Broadcast | RIP | Accept | | Gateways |
| Neighbor 3 | Network 3 Broadcast | RIP | Accept | | Gateways |
B. RIP version 2
RIPv2 can use either the RIPv1 broadcast transport mechanism, or a multicast transport (RIP2-ROUTERS.MCAST.NET, 224.0.0.9). To enable RIPv2 in multicast mode, create a workstation object for the multicast address, and add the following rules to your rule base:
| Source | Destination | Service | Action | Track | Install On |
|---|---|---|---|---|---|
| Neighbors | rip2-routers.mcast.net | RIP | Accept | | Gateways |
Note that RIP can also be enabled via the Rulebase Properties screen.
II. Enabling OSPF
Your OSPF rule would look like this. The destination address will always be the OSPF routers themselves, as well as the multicast addresses of 224.0.0.5 and 224.0.0.6:
Create a workstation object of 224.0.0.5 and call it OSPF-ALL.MCAST.NET
Create another workstation object of 224.0.0.6 and call it OSPF-DSIG.MCAST.NET
| Source | Destination | Service | Action | Track | Install On |
|---|---|---|---|---|---|
| OSPF Routers + Firewalls | OSPF-ALL.MCAST.NET, OSPF-DSIG.MCAST.NET, OSPF Routers + Firewalls | OSPF, IGMP | Accept | | Gateways |
III. IGRP
Like OSPF, IGRP runs on top of IP; IGRP is IP protocol 9. IGRP is a predefined service in the Security Gateway GUI. You should define a group of neighbor routers that participate in IGRP routing, and accept that service to the Security Gateway:
| Source | Destination | Service | Action | Track | Install On |
|---|---|---|---|---|---|
| Neighbors | Firewall | IGRP | Accept | | Gateways |
IV. BGP
BGP runs over TCP port 179. One TCP connection is opened for each BGP peer. Each peer must be allowed to send BGP messages over its connection to the Security Gateway. BGP peers should also be grouped together to allow them as a group with the following rule:
| Source | Destination | Service | Action | Track | Install On |
|---|---|---|---|---|---|
| Peers | Firewall | BGP | Accept | | Gateways |
| Firewall | Peers | BGP | Accept | | Gateways |
V. PIM
To allow sparse or dense mode PIM traffic: Create a workstation object of 224.0.0.13 and call it 'PIM.MCAST.NET'. PIM is not a predefined service in the Check Point Security Gateway. Create a service of type 'Other' using the Policy GUI Editor and call it 'PIM'. The IP protocol should be set to 103. Leave the other values blank.
Then create the following rule at the very top of the rulebase:
| Source | Destination | Service | Action | Track | Install On |
|---|---|---|---|---|---|
| Firewalls | PIM.MCAST.NET | PIM, IGMP | Accept | | Gateways |
Push a new policy to Security Gateway modules once this is done.
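As an added example, not part of the original page or of any Check Point tooling, the rules above are modelled as a first-match rulebase so that the intended scoping can be checked before a policy push: routing-protocol traffic from the configured neighbor and peer groups is accepted, while the same protocols and ports from any other source fall through to the implicit drop. The addresses, the `Packet`/`Rule` classes and the `audit` helper are constructed for this example; the OSPF (89), IGMP (2), TCP (6) and UDP (17) protocol numbers are standard IANA assignments that the page itself does not list.

```python
from dataclasses import dataclass
# Service -> (IP protocol, destination port; 0 for raw IP services). RIP, BGP, IGRP
# and PIM numbers are from the page; OSPF 89, IGMP 2, TCP 6 and UDP 17 are IANA values.
SERVICES = {
    "RIP": (17, 520), "BGP": (6, 179), "IGRP": (9, 0),
    "OSPF": (89, 0), "PIM": (103, 0), "IGMP": (2, 0),
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0  # 0 when the protocol has no port (OSPF, IGRP, PIM, IGMP)

@dataclass(frozen=True)
class Rule:
    sources: frozenset
    destinations: frozenset
    services: frozenset
    action: str = "accept"

def service_matches(name: str, pkt: Packet) -> bool:
    proto, port = SERVICES[name]
    return pkt.proto == proto and (port == 0 or pkt.dport == port)

def evaluate(rulebase, pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit drop."""
    for rule in rulebase:
        if (pkt.src in rule.sources and pkt.dst in rule.destinations
                and any(service_matches(s, pkt) for s in rule.services)):
            return rule.action
    return "drop"

def audit(rulebase, cases):
    """Return the (packet, expected verdict) pairs the rulebase gets wrong."""
    return [(p, want) for p, want in cases if evaluate(rulebase, p) != want]

# Constructed addresses standing in for the page's Neighbors/Peers and Firewall objects.
NEIGHBORS = frozenset({"10.0.1.2", "10.0.2.2"})
FIREWALL = frozenset({"10.0.1.1"})
RULEBASE = [
    Rule(FIREWALL, frozenset({"224.0.0.13"}), frozenset({"PIM", "IGMP"})),  # V. PIM, on top
    Rule(NEIGHBORS, frozenset({"224.0.0.9"}), frozenset({"RIP"})),          # I.B RIPv2
    Rule(NEIGHBORS | FIREWALL, NEIGHBORS | FIREWALL | {"224.0.0.5", "224.0.0.6"},
         frozenset({"OSPF", "IGMP"})),                                      # II. OSPF
    Rule(NEIGHBORS, FIREWALL, frozenset({"IGRP"})),                         # III. IGRP
    Rule(NEIGHBORS, FIREWALL, frozenset({"BGP"})),                          # IV. BGP in
    Rule(FIREWALL, NEIGHBORS, frozenset({"BGP"})),                          # IV. BGP out
]
```

Calling `audit(RULEBASE, cases)` with a list of (packet, "accept"/"drop") expectations returns an empty list when every case behaves as intended; a non-empty result points at a rule that is either too broad or missing.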