https://live.paloaltonetworks.com/t5/prisma-access-discussions/bgp-community-settings-for-prisma/m-p/332210#M100 <P>Hi all,</P><P>&nbsp;</P><P>i have some questions regarding community settings because we use this in our org to influence routes selection.</P><P>Based on this document "<A href="https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/route-preferences-for-service-connection-traffic.html" target="_blank">https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/route-preferences-for-service-connection-traffic.html</A>"</P><P>&nbsp;</P><P>1) Are the communities referred in it "65534:X "&nbsp;"65534:Y "&nbsp;"65534:Z " refers to the prisma mobile users IP pools allocation setting per region?</P><P>&nbsp;</P><P>2) When we clicked on the BGP status, network detailed of the service connections, the community number shown in it refers to what? The X Y Z which i mentioned in point 1 above? I have 3 service connections (2 in US and 1 in EU and none in Asia).. these 3 service connections gave me different community numbers, so which is which region?<BR /><BR />3) The document only mentioned about mobile users IP prefixes.. I also uses Remote Network (traditional IPSEC) into Prisma.. i like to control the return routes of which service connection to be use based on community.. how do we do what community is being set based on the Prisma Access Locations? Is there a list published somewhere on the community numbers? If i checked on the IP prefix of the remote site specifically, i do see a community tag to it... searching all the BGP Ip prefix will be a big chore, will be good if the community numbers tagging is published somewhere.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 08 Jun 2020 03:34:29 GMT CharlesKoh 2020-06-08T03:34:29Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/bgp-community-settings-for-prisma/m-p/332210#M100 <P>Hi all,</P><P>&nbsp;</P><P>i have some questions regarding community settings because we use this in our org to influence routes selection.</P><P>Based on this document "<A href="https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/route-preferences-for-service-connection-traffic.html" target="_blank">https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/route-preferences-for-service-connection-traffic.html</A>"</P><P>&nbsp;</P><P>1) Are the communities referred in it "65534:X "&nbsp;"65534:Y "&nbsp;"65534:Z " refers to the prisma mobile users IP pools allocation setting per region?</P><P>&nbsp;</P><P>2) When we clicked on the BGP status, network detailed of the service connections, the community number shown in it refers to what? The X Y Z which i mentioned in point 1 above? I have 3 service connections (2 in US and 1 in EU and none in Asia).. these 3 service connections gave me different community numbers, so which is which region?<BR /><BR />3) The document only mentioned about mobile users IP prefixes.. I also uses Remote Network (traditional IPSEC) into Prisma.. i like to control the return routes of which service connection to be use based on community.. how do we do what community is being set based on the Prisma Access Locations? Is there a list published somewhere on the community numbers? If i checked on the IP prefix of the remote site specifically, i do see a community tag to it... searching all the BGP Ip prefix will be a big chore, will be good if the community numbers tagging is published somewhere.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 08 Jun 2020 03:34:29 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/bgp-community-settings-for-prisma/m-p/332210#M100 CharlesKoh 2020-06-08T03:34:29Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/bgp-community-settings-for-prisma/m-p/333478#M114 <P>Hi Charles,&nbsp;</P><P>&nbsp;</P><P>Here are replies inline to your questions:&nbsp;</P><P>&nbsp;</P><P>1) Are the communities referred in it "65534:X "&nbsp;"65534:Y "&nbsp;"65534:Z " refers to the prisma mobile users IP pools allocation setting per region?</P><P>&nbsp;</P><P><FONT color="#FF0000">The routes are Mobile User User pool addresses you have onboarded in certain regions. We will split up those larger pools into /24 blocks and tag then with the Prisma Access AS number /Community Strings&nbsp; (65534:x). The X/Y/Z is per Service Connection. You can say "regional" yes.&nbsp;</FONT></P><P>&nbsp;</P><P>2) When we clicked on the BGP status, network detailed of the service connections, the community number shown in it refers to what? The X Y Z which i mentioned in point 1 above? I have 3 service connections (2 in US and 1 in EU and none in Asia).. these 3 service connections gave me different community numbers, so which is which region?</P><P>&nbsp;</P><P><FONT color="#FF0000">The community string tag it is using is an ID of the active FW for the original active Service Connection Firewall.&nbsp;</FONT></P><P><BR />3) The document only mentioned about mobile users IP prefixes.. I also uses Remote Network (traditional IPSEC) into Prisma.. i like to control the return routes of which service connection to be use based on community.. how do we do what community is being set based on the Prisma Access Locations? Is there a list published somewhere on the community numbers? If i checked on the IP prefix of the remote site specifically, i do see a community tag to it... searching all the BGP Ip prefix will be a big chore, will be good if the community numbers tagging is published somewhere.</P><P>&nbsp;</P><P><FONT color="#FF0000">You can see the ID's in Panorama Managed Prisma Access GUI page:&nbsp;</FONT></P><P>&nbsp;</P><DIV><FONT color="#FF0000">Panorama &gt;&gt;&gt; Cloud Services &gt;&gt;&gt;Status &gt;&gt;&gt; Network Details &gt;&gt;&gt; Service Connection &gt;&gt;&gt; Show BGP Status</FONT></DIV><DIV><FONT color="#FF0000">(Look at the Community field)&nbsp;</FONT></DIV><DIV>&nbsp;</DIV><DIV><FONT face="arial,helvetica,sans-serif"><FONT color="#FF0000">The community tags should be mostly static, so once you have mapped them out they should stay consistent unless you re-onboard the SC.</FONT>&nbsp;</FONT></DIV><DIV>&nbsp;</DIV><DIV><FONT face="arial,helvetica,sans-serif">I hope this helps!</FONT></DIV><DIV>&nbsp;</DIV><DIV><FONT face="arial,helvetica,sans-serif">Wade</FONT></DIV> Mon, 15 Jun 2020 17:39:16 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/bgp-community-settings-for-prisma/m-p/333478#M114 wprice 2020-06-15T17:39:16Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/bgp-community-settings-for-prisma/m-p/333561#M115 <P>Hi Wade,</P><P>&nbsp;</P><P>Thanks for replying.</P><P>&nbsp;</P><P>Just further question on the point 3 with regards to Remote Network sites. I do see the community setting based on the BGP status of the remote network. But on my CPE peering with service connections, i checked the BGP prefixes advertised by these remote sites, i do not see the community tag on it like what i've seen on the mobile user prefixes.</P><P>&nbsp;</P><P>Is that the case it should be?</P> Tue, 16 Jun 2020 00:53:20 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/bgp-community-settings-for-prisma/m-p/333561#M115 CharlesKoh 2020-06-16T00:53:20Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/bgp-community-settings-for-prisma/m-p/333718#M116 <P>Hi Charles,&nbsp;</P><P>&nbsp;</P><P>We do not tag the Remote Network prefixes with a community string, because we fully mesh the RNs to each Service connection. If all you want to do is identify which routes are RN's you can tag them by advertising them from the branch with a global or regional community string tag and we will advertise / preserve them to the SC with those Community value tags. If you want to identify which regions are which routes, you can advertise specific community tags for specific "regions" or "Geos".&nbsp;</P><P>&nbsp;</P><P>I hope this helps.&nbsp;</P><P>&nbsp;</P><P>Thanks,</P><P>Wade</P> Tue, 16 Jun 2020 22:10:10 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/bgp-community-settings-for-prisma/m-p/333718#M116 wprice 2020-06-16T22:10:10Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/bgp-community-settings-for-prisma/m-p/415256#M202 <P>Hi Wade,</P><P>&nbsp;</P><P>I understand that Prisma will advertise the User Mobile IP Pool prefixes using the previously mentioned Community Strings over BGP Peering Sessions inside the Service Connection. There will be in&nbsp;region a Primary Tunnel and Secondary with Tertiary Tunnels in another region. Is there a way for Prisma to signal over the various BGP Peerings which Tunnel is the Primary Tunnel in an effort to avoid asymmetric routing?</P><P>&nbsp;</P><P>Thanks&nbsp;</P><P>&nbsp;</P><P>Paul.</P><P>&nbsp;</P> Fri, 25 Jun 2021 14:56:57 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/bgp-community-settings-for-prisma/m-p/415256#M202 Paul_Timmons 2021-06-25T14:56:57Z