Sunday, July 1, 2012

Ports required for routing protocols to work through a firewall.

This post lists the ports and IP protocols that a Check Point Security Gateway rule base must allow for each routing protocol to work across the firewall.

I. Enabling RIP

A. RIP version 1
RIP runs over UDP port 520. It sends and receives all messages on this port, and all messages are sent to the local broadcast address. To enable RIP, add a rule that allows each of the firewall's neighbors to send messages to UDP port 520 on the broadcast address of the local network. RIP is a predefined service in the Security Gateway GUI.

Source     | Destination         | Service | Action | Track | Install On
Neighbor 1 | Network 1 Broadcast | RIP     | Accept |       | Gateways
Neighbor 2 | Network 2 Broadcast | RIP     | Accept |       | Gateways
Neighbor 3 | Network 3 Broadcast | RIP     | Accept |       | Gateways

B. RIP version 2

RIPv2 can use either the RIPv1 broadcast transport mechanism or multicast transport (RIP2-ROUTERS.MCAST.NET, 224.0.0.9). To enable RIPv2 in multicast mode, create a workstation object for the multicast address and add the following rule to your rule base:

Source    | Destination            | Service | Action | Track | Install On
Neighbors | rip2-routers.mcast.net | RIP     | Accept |       | Gateways

Note that RIP can also be enabled via the Rulebase Properties screen.

II. Enabling OSPF

The OSPF rule looks like this. The destination is always the OSPF routers themselves plus the multicast addresses 224.0.0.5 and 224.0.0.6:

Create a workstation object for 224.0.0.5 and call it OSPF-ALL.MCAST.NET.

Create another workstation object for 224.0.0.6 and call it OSPF-DSIG.MCAST.NET.

Source                   | Destination              | Service | Action | Track | Install On
OSPF Routers + Firewalls | OSPF-ALL.MCAST.NET       | OSPF    | Accept |       | Gateways
                         | OSPF-DSIG.MCAST.NET      | IGMP    |        |       |
                         | OSPF Routers + Firewalls |         |        |       |

III. IGRP

Like OSPF, IGRP runs directly on top of IP; IGRP is IP protocol 9. IGRP is a predefined service in the Security Gateway GUI. Define a group containing the neighbor routers that participate in IGRP routing, and accept that service from the group to the Security Gateway:

Source    | Destination | Service | Action | Track | Install On
Neighbors | firewall    | IGRP    | Accept |       | Gateways

IV. BGP

BGP runs over TCP port 179, with one TCP connection opened for each BGP peer. Each peer must be allowed to send BGP messages over its connection to the Security Gateway, and the Security Gateway must be allowed to open connections to the peers. Group the BGP peers together and allow them as a group with the following rule:

Source   | Destination | Service | Action | Track | Install On
Peers    | Firewall    | BGP     | Accept |       | Gateways
Firewall | Peers       | BGP     | Accept |       | Gateways

V. PIM

To allow sparse mode or dense mode PIM traffic: create a workstation object for 224.0.0.13 and call it 'PIM.MCAST.NET'. PIM is not a predefined service in the Check Point Security Gateway, so create a service of type 'Other' in the Policy Editor GUI, call it 'PIM', and set the IP protocol to 103. Leave the other values blank.

Then create the following rule at the very top of the rulebase:

Source    | Destination   | Service | Action | Track | Install On
firewalls | PIM.MCAST.NET | PIM     | Accept |       | Gateways
          |               | IGMP    |        |       |

Push a new policy to the Security Gateway modules once this is done.
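As an added illustration (not part of the original post, and not Check Point's own tooling), the following Python script models the rule base assembled in sections I to V: every rule keeps the page's source, destination and service, and constructed sample flows are evaluated first-match against it, which shows that a RIP update from an unknown host or a non-BGP connection from a BGP peer falls through to the cleanup rule. The addresses, object names and the IGMP and OSPF protocol numbers (2 and 89) are assumptions that do not come from the page.

```python
import ipaddress
from collections import namedtuple

# IGRP=9 and PIM=103 are the page's values; TCP, UDP, IGMP and OSPF are the standard IANA numbers.
TCP, UDP, IGMP, IGRP, OSPF, PIM = 6, 17, 2, 9, 89, 103
# proto is the IP protocol number; dport is the TCP/UDP destination port (0 for IP-level services).
Flow = namedtuple("Flow", "src dst proto dport", defaults=(0,))

def in_any(ip, objects):
    """True if ip is inside any host or network object in the list."""
    a = ipaddress.ip_address(ip)
    return any(a in ipaddress.ip_network(o, strict=False) for o in objects)

def build_rulebase(neighbors, firewall, bgp_peers, lan_broadcast):
    """The page's rules as (name, sources, destinations, services); a service is (proto, port),
    port 0 meaning an IP-level service. PIM comes first because the page puts it at the top."""
    ospf_hosts = neighbors + [firewall]
    return [
        ("PIM",   [firewall], ["224.0.0.13"], [(PIM, 0), (IGMP, 0)]),
        ("RIPv1", neighbors, [lan_broadcast], [(UDP, 520)]),
        ("RIPv2", neighbors, ["224.0.0.9"], [(UDP, 520)]),
        ("OSPF",  ospf_hosts, ["224.0.0.5", "224.0.0.6"] + ospf_hosts, [(OSPF, 0), (IGMP, 0)]),
        ("IGRP",  neighbors, [firewall], [(IGRP, 0)]),
        ("BGP",   bgp_peers, [firewall], [(TCP, 179)]),
        ("BGP",   [firewall], bgp_peers, [(TCP, 179)]),
    ]

def evaluate(rulebase, flow):
    """First match wins; an unmatched flow hits the implicit cleanup rule and is dropped."""
    for name, srcs, dsts, services in rulebase:
        if in_any(flow.src, srcs) and in_any(flow.dst, dsts) and any(
                flow.proto == p and (port == 0 or flow.dport == port) for p, port in services):
            return name
    return "DROP"

# Constructed sample topology using documentation-range addresses (not from the page).
RULES = build_rulebase(neighbors=["192.0.2.2", "192.0.2.3"], firewall="192.0.2.1",
                       bgp_peers=["198.51.100.5"], lan_broadcast="192.0.2.255")

def check_flows():
    """Verdict for each constructed sample flow; unknown sources and non-BGP ports are dropped."""
    samples = {
        "rip_from_neighbor": Flow("192.0.2.2", "192.0.2.255", UDP, 520),
        "rip_from_stranger": Flow("203.0.113.9", "192.0.2.255", UDP, 520),
        "ospf_hello": Flow("192.0.2.3", "224.0.0.5", OSPF),
        "bgp_from_peer": Flow("198.51.100.5", "192.0.2.1", TCP, 179),
        "ssh_from_peer": Flow("198.51.100.5", "192.0.2.1", TCP, 22),
        "pim_from_firewall": Flow("192.0.2.1", "224.0.0.13", PIM),
    }
    return {k: evaluate(RULES, f) for k, f in samples.items()}
```

Running `check_flows()` returns the rule name each flow lands on, with "DROP" for the two flows that no rule covers.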
