topic Re: SDWAN BGP over pre-existing BGP internet. in Next-Generation Firewall Discussions

SDWAN BGP over pre-existing BGP internet.

PabloArduino — Wed, 18 Sep 2024 17:28:11 GMT

Hi Guys.

We're deploying SDWAN in a customer who already has two ISPs connected in his hub, and talking BGP ECMP with them, using his public ASN and his own prefixes.

According to documentation, the SDWAN plugin requires the same BGP Router ID and ASN when declaring the hub in devices, but it won't allow to use the public ASN here.

So, my question is, do you need to create another VR in order to run a separate BGP process for the SDWAN side of things? Or there's a workaround to directly use the public ASN?. The closest scenario I could find is this one, https://docs.paloaltonetworks.com/sd-wan/3-0/sd-wan-admin/configure-sd-wan/configure-multi-vr-on-sd-wan-hub. The main difference is I wouldn't need a VR2, but I'm strugging to understand what interfaces need to be attached to VR1, and how the traffic needs to be forwarded between VRs. If that's the case, I would need to set up and maintain a lot of static routes there right?

Many Thanks.

Re: SDWAN BGP over pre-existing BGP internet.

OtakarKlier — Wed, 18 Sep 2024 18:21:14 GMT

Hello,

You shouldn't need two VR's.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLL8CAO

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClElCAK

Regards,

Re: SDWAN BGP over pre-existing BGP internet.

PabloArduino — Wed, 18 Sep 2024 18:26:55 GMT

Thanks for the reply. But the problem isn't at the internet side of the firewall. It's on the SDWAN plugin, and it's limitation to only accept private ASNs for its internal BGP routing. On my default virtual router (the one that's similar to the DIA one in the example from my posted link), I'm using the public ASN, because it's not possible to end the AS-Path with a private number. So, to sum it up, ISP faced side cannot use private ASN, and SDWAN plugin doesn't accept public ASNs.

Re: SDWAN BGP over pre-existing BGP internet.

OtakarKlier — Wed, 18 Sep 2024 18:32:21 GMT

Hello,

Sorry I misread you initial question. I think you might need the two VR's. One internal and one external. However I do not use the SDWAN feature.

Regards,

Re: SDWAN BGP over pre-existing BGP internet.

Kenya_Vieira — Mon, 23 Sep 2024 19:15:28 GMT

Hello,

I'm encountering a similar scenario.

In an environment with BGP configured (Public AS), is there any way to use this Public AS in the automation of the SD-WAN plugin within the BGP settings?

I have the following topology:

When I try to insert the BGP configurations for automated tunnel creation, I receive a failure notification when inputting this information:

According to the documentation, it should be possible to use BGP in this context, but it doesn’t specify if there are any issues related to using a Public vs. Private AS.

The versions I am using are:
SD-WAN plugin: 3.2.1
VM-50 device: 11.1.2-h3
Panorama: 11.1.2-h3

Update:
The firewall's direct documentation states that Palo Alto's SD-WAN only supports private BGP. 😞

https://docs.paloaltonetworks.com/plugins/sd-wan/2-1/panorama-sd-wan-plugin-help/panorama-sd-wan-plugin/sd-wan-devices

However, in my humble opinion, using multi-VR doesn’t solve the scenario, as it’s not possible to add the same device in the SD-WAN automation while needing to use both VRs.

Re: SDWAN BGP over pre-existing BGP internet.

OtakarKlier — Mon, 23 Sep 2024 19:40:03 GMT

Hello,

That is beyond my expertise. I would suggest reaching out to your sales engineer, they can message other sales engineers and might be able to answer it for you. However if its preventing you from doing so, there could be a reason why.

Regards,

Re: SDWAN BGP over pre-existing BGP internet.

PabloArduino — Tue, 24 Sep 2024 16:26:45 GMT

Hi, I couldn't find a solution yet. Using a second VR might fix this problem, but I'm thinking that in the hub, I would need to assign 2 interfaces (loopbacks maybe?) in the upstream NAT section of the plugin. Then NAT and forward traffic from the internet directed to the assigned IP address. In my case would require 2 loopbacks, one for each ISP on the default VR. Such a complication, it would be so much easier to allow public ASNs in the plugin....

Re: SDWAN BGP over pre-existing BGP internet.

PabloArduino — Wed, 25 Sep 2024 18:00:30 GMT

Hi, haven't tried yet. But I think we might have something here.

https://docs.paloaltonetworks.com/sd-wan/3-0/sd-wan-admin/configure-sd-wan/add-sd-wan-devices-to-panorama/add-an-sd-wan-device

In the step 6, says:

Select the Virtual Router Name to use for routing between the SD-WAN hub and branches. By default, an sdwan-default virtual router is created and enables Panorama to automatically push router configurations.

(PAN-OS 10.2.8 and later 10.2 releases, and SD-WAN Plugin 3.0.7 and later 3.0 releases) When multiple virtual router (Enable Multi-VR Support) is enabled, select DIA virtual router for the Virtual Router Name.

So, if I'm right, just by ticking that multi VR support box, it should generate that sdwan-default VR just for exchanging sdwan BGP routes over the links.

I won't be able to test it in a few days. If you can check it out, please share your findings.

Thanks

Re: SDWAN BGP over pre-existing BGP internet.

Kenya_Vieira — Fri, 04 Oct 2024 14:10:50 GMT

- Multi-VR will only work on HUB;
- And if you want to use both, it`s not possible. It only allows to use one VR in SD-WAN;
- Loopbacks might be an issue on Global Protect with SD-WAN.

In