topic Re: BGP AS-Path allow in General Topics

BGP AS-Path allow

a.jones — Tue, 11 Oct 2022 14:43:21 GMT

Hi All,

I suspect the answer to this is in the Advanced Routing in PanOS 10.

We have configured a new system as Active-Active and BGP. The firewalls are in different DCs, the DMZ side of the firewall can talk to routers in both DCs but only its local router on the WAN side. If one DC goes down, the other firewall with a less favourable route from said DC would route for the named subnets. The requirement is to advertise the AS Number from the system on the DMZ to the WAN network so that the WAN router has both firewall and DMZ AS-Numbers for the return path and vice versa in the DMZ - this is so path selection can be performed within the DMZ BGP and WAN environment rather than on the firewall. Currently, the Palo Alto substitutes the AS-Number with its own AS so to make a path less favourable we need to perform AS-Prepending on certain paths.

Is there a way to achieve this on PanOS 9.1.14-h4 or is this an Advanced Routing requirement.

Regards

Adrian

Re: BGP AS-Path allow

rmfalconer — Wed, 12 Oct 2022 16:02:15 GMT

So are you looking for the PA to prepend AS to the path? That's definitely possible in any version of PAN-OS. Export rule actions have specific AS path options for prepend, remove and remove + prepend.

Re: BGP AS-Path allow

a.jones — Thu, 13 Oct 2022 10:31:17 GMT

Hi,

I understand how to prepend the AS. What I was questioning was can the received AS seen in the Local RIB be included in the export and not replaced as we are seeing. So the connecting router path check would see the AS Number of the device behind the firewall rather than just the firewall.

Re: BGP AS-Path allow

rmfalconer — Thu, 20 Oct 2022 20:19:08 GMT

With eBGP, the default option when creating a peer on the PA is to remove private AS. Is eBGP being used on the PA with the other devices and other AS are private?