https://live.paloaltonetworks.com/t5/next-generation-firewall/conditional-advertisement-revert-back-options/m-p/1225611#M5766 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/275741">@jortiztrb</a> ,</P> <P>&nbsp;</P> <P>Could you provide more details?&nbsp; You have conditional advertisement working.&nbsp; Are you saying that when the Non-Exist prefix comes back, the NGFW does not automatically stop advertising the conditional prefix?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 03 Apr 2025 17:25:50 GMT TomYoung 2025-04-03T17:25:50Z https://live.paloaltonetworks.com/t5/next-generation-firewall/conditional-advertisement-revert-back-options/m-p/1225503#M5762 <P>Good day all, I was working with PA support I may be just be getting confused with the information.</P> <P>&nbsp;</P> <P>I'm trying to use conditional advertisement to advertise a single subnet via BGP only when another a particular learned route is down. I got this portion working. But, how do I revert back when BGP learned route comes back?</P> <P>&nbsp;</P> <P>According to PA support this is not possible. They provided the document below but I still asked the question below</P> <P>&nbsp;</P> <DIV class="caseDetailComment"> <DIV> <P><SPAN>Reference document:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEUCA0" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEUCA0</A>.<BR /><BR />In the scenario explained in the document, once FW-B starts advertising 55.55.55.100 route to FW-C, is there a method to undo this once 100.100.100.0/24 is in the local rib again?</SPAN></P> </DIV> </DIV> <DIV class="caseDetailComment">&nbsp;</DIV> Wed, 02 Apr 2025 20:48:46 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/conditional-advertisement-revert-back-options/m-p/1225503#M5762 jortiztrb 2025-04-02T20:48:46Z https://live.paloaltonetworks.com/t5/next-generation-firewall/conditional-advertisement-revert-back-options/m-p/1225611#M5766 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/275741">@jortiztrb</a> ,</P> <P>&nbsp;</P> <P>Could you provide more details?&nbsp; You have conditional advertisement working.&nbsp; Are you saying that when the Non-Exist prefix comes back, the NGFW does not automatically stop advertising the conditional prefix?</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 03 Apr 2025 17:25:50 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/conditional-advertisement-revert-back-options/m-p/1225611#M5766 TomYoung 2025-04-03T17:25:50Z https://live.paloaltonetworks.com/t5/next-generation-firewall/conditional-advertisement-revert-back-options/m-p/1225624#M5768 <P>That is correct. Unless I set it up incorrectly. I was able to get the BGP routes advertised when the monitored route went down. However, after route came back up, BGP was still advertising.</P> Thu, 03 Apr 2025 19:21:38 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/conditional-advertisement-revert-back-options/m-p/1225624#M5768 jortiztrb 2025-04-03T19:21:38Z https://live.paloaltonetworks.com/t5/next-generation-firewall/conditional-advertisement-revert-back-options/m-p/1225657#M5769 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/275741">@jortiztrb</a> ,</P> <P>&nbsp;</P> <P>That doesn't make sense.&nbsp; You may be running into a bug.&nbsp; I have configured BGP Conditional Advertisement on Cisco.&nbsp; If you configure it good enough to advertise the route, then it should automatically withdraw it.</P> <P>&nbsp;</P> <P>Here is a good blog on the topic.&nbsp; <A href="https://blog.davidvassallo.me/2013/04/04/palo-alto-networks-implementing-conditional-advertising-in-bgp/" target="_blank">https://blog.davidvassallo.me/2013/04/04/palo-alto-networks-implementing-conditional-advertising-in-bgp/</A>&nbsp; He says</P> <P>"And turning it [ the monitored route ] back on reverses it, advertising only to GM, our primary peer."&nbsp; When the conditional prefix is not withdrawn, what does the "show routing protocol bgp policy cond-adv" show?&nbsp; He says you "may need to disable the primary ISP bgp peer, commit, and re-enable the bgp peer." That's a pain.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Thu, 03 Apr 2025 23:01:59 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/conditional-advertisement-revert-back-options/m-p/1225657#M5769 TomYoung 2025-04-03T23:01:59Z