https://live.paloaltonetworks.com/t5/general-topics/prioritizing-an-bgp-route-over-other-bgp-routes-for-ipsec-tunnel/m-p/520529#M107861 <P>Hi&nbsp;<A class="" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130" target="_self" aria-label="View Profile of Astardzhiev"><SPAN class="">Astardzhiev,</SPAN></A></P> <P>Thank you for the detailed explanation. I got a similar issue, we are&nbsp;<SPAN>&nbsp;cisco router connecting to a circuit&nbsp;running BGP&nbsp;routing to AWS primary patch,&nbsp; circuit as primary, on secondary backup path is a redundant&nbsp;pair of Palo firewalls configure with an IPsec tunnel. I want to configure BGP failover, so that if the circuit fails, BGP peering&nbsp;will route traffic to our&nbsp;Palo firewalls, bring up the IPsec&nbsp;tunnels. Would that be a simialar design that you mentioned above?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks,</SPAN></P> <P><SPAN>Lcox&nbsp;</SPAN></P> Mon, 07 Nov 2022 21:37:50 GMT lcox 2022-11-07T21:37:50Z https://live.paloaltonetworks.com/t5/general-topics/prioritizing-an-bgp-route-over-other-bgp-routes-for-ipsec-tunnel/m-p/397270#M91469 <P>Hi All,</P><P>&nbsp;</P><P>We have an physical Firewall on our premise. We have Three ISP and single virtual router with ECMP enabled(Balanced Round Robin)in it.</P><P>&nbsp;</P><P>Recently we had configured Two pairs of IPsec tunnels(Pair one -Tunnel 1 and Tunnel2// Pair 2 - tunnel 3 and tunnel 4) to communicate to AWS Peer(Only one Subnet on AWS 10.x.x.x/24) using the BGP Method for successful failover.</P><P>&nbsp;</P><P>ISP 1 --&gt;Tunnel 1, Tunnel 2</P><P>ISP 2--&gt;Tunnel 3 and Tunnel 4</P><P>&nbsp;</P><P>As we had already enabled the ECMP Balanced round robin method the traffic is currently passing through tunnel 2 and tunnel 4</P><P>&nbsp;</P><P>Now we need the traffic to pass through only tunnel 1 and the traffic should pass through other tunnels only if the tunnel 1 fails. All the tunnels are configured under BGP.</P><P>&nbsp;</P><P>Thanks in advance!!!</P><P>&nbsp;</P><P>My guess is do we have some metrics mechanism which will influence the Tunnel through which the traffic will be egressed.</P><P><LI-MESSAGE title="BGP Routing Question" uid="259069" url="https://live.paloaltonetworks.com/t5/general-topics/bgp-routing-question/m-p/259069#U259069" discussion_style_icon_css="lia-mention-container-editor-message lia-img-icon-forum-thread lia-fa-icon lia-fa-forum lia-fa-thread lia-fa"></LI-MESSAGE>&nbsp;<LI-MESSAGE title="IPSec Tunnel Creation" uid="307748" url="https://live.paloaltonetworks.com/t5/quickplay-solutions-articles/ipsec-tunnel-creation/m-p/307748#U307748" discussion_style_icon_css="lia-mention-container-editor-message lia-img-icon-tkb-thread lia-fa-icon lia-fa-tkb lia-fa-thread lia-fa"></LI-MESSAGE>&nbsp;<LI-MESSAGE title="BGP Peer Configuration" uid="308334" url="https://live.paloaltonetworks.com/t5/quickplay-solutions-articles/bgp-peer-configuration/m-p/308334#U308334" discussion_style_icon_css="lia-mention-container-editor-message lia-img-icon-tkb-thread lia-fa-icon lia-fa-tkb lia-fa-thread lia-fa"></LI-MESSAGE>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 12 Apr 2021 16:50:56 GMT https://live.paloaltonetworks.com/t5/general-topics/prioritizing-an-bgp-route-over-other-bgp-routes-for-ipsec-tunnel/m-p/397270#M91469 tamilvanan 2021-04-12T16:50:56Z https://live.paloaltonetworks.com/t5/general-topics/prioritizing-an-bgp-route-over-other-bgp-routes-for-ipsec-tunnel/m-p/397639#M91490 <BLOCKQUOTE> <P>Hello,</P> <P>Yes you can use the PBF rule to get traffic down one tunnel rather than the other. Please make sure to use the monitor:</P> <span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="OtakarKlier_0-1618343763393.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30940i05EF29511FE5CF92/image-size/medium?v=v2&amp;px=400" role="button" title="OtakarKlier_0-1618343763393.png" alt="OtakarKlier_0-1618343763393.png" /></span> <P>&nbsp;</P> <P>And use an IP address on the other side of the tunnel for the monitor. Remember that PBF takes priority over the default router, so you have to disable this if the tunnel is down otherwise dynamic routing wont switch the traffic to the proper path.</P> <P>&nbsp;</P> <P>Regards,</P> <HR /></BLOCKQUOTE> <P>&nbsp;</P> Tue, 13 Apr 2021 19:56:11 GMT https://live.paloaltonetworks.com/t5/general-topics/prioritizing-an-bgp-route-over-other-bgp-routes-for-ipsec-tunnel/m-p/397639#M91490 OtakarKlier 2021-04-13T19:56:11Z https://live.paloaltonetworks.com/t5/general-topics/prioritizing-an-bgp-route-over-other-bgp-routes-for-ipsec-tunnel/m-p/398337#M91514 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/165087">@tamilvanan</a> ,</P><P>&nbsp;</P><P>I would disagree with <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp; - you don't need PBF if you already running BGP. Why would you put additional complexity if you already have dynamic routing which you can control in so many ways</P><P>&nbsp;</P><P>I don't understand what ECMP have to do in this question... I understand you use ECMP for Internet access (your default route), but on top of that we are talking about IPsec tunnels, so the routing to AWS private range as nothing to do with the ECMP (as long as you have any tunnel up <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ). So I will abstract from this.</P><P>&nbsp;</P><P>Now I understand that you are receiving the AWS prefix via BGP from all four tunnels. So all you have to do is to create import policy under the BGP. As I said with BGP you have lots of options to controll what you receive, how you receive it and what you advertise, probably the straight forward would be:<BR />- Create one import policy for BGP peer over tunnel1</P><P>- Since you receive only one prefix, you can leave "match" tab as it is (meaning match any route received from that peer</P><P>- On "action" tab put 100 as local preference (for example)</P><P>&nbsp;</P><P>- Create one more import below the previous one for BGP peer over tunnel2, 3 and 4</P><P>- Leave match tab as it is</P><P>- On "action" tab put 200 for local preference</P><P>&nbsp;</P><P>This way your firewall will receive same prefix over all four tunnel, but it will prefer the route over tunnel1. If this tunnel fail, BGP peering will also fail and fw will stop receiving the prefix from tunnel1, so it will switch to the other tunnels.</P><P>&nbsp;</P><P>Now depending what you actually try to accomplish you may want to split the second import policy and have four different policy for each bgp peer with different local pref for each.</P> Thu, 15 Apr 2021 06:54:42 GMT https://live.paloaltonetworks.com/t5/general-topics/prioritizing-an-bgp-route-over-other-bgp-routes-for-ipsec-tunnel/m-p/398337#M91514 aleksandar.astardzhiev 2021-04-15T06:54:42Z https://live.paloaltonetworks.com/t5/general-topics/prioritizing-an-bgp-route-over-other-bgp-routes-for-ipsec-tunnel/m-p/520529#M107861 <P>Hi&nbsp;<A class="" href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130" target="_self" aria-label="View Profile of Astardzhiev"><SPAN class="">Astardzhiev,</SPAN></A></P> <P>Thank you for the detailed explanation. I got a similar issue, we are&nbsp;<SPAN>&nbsp;cisco router connecting to a circuit&nbsp;running BGP&nbsp;routing to AWS primary patch,&nbsp; circuit as primary, on secondary backup path is a redundant&nbsp;pair of Palo firewalls configure with an IPsec tunnel. I want to configure BGP failover, so that if the circuit fails, BGP peering&nbsp;will route traffic to our&nbsp;Palo firewalls, bring up the IPsec&nbsp;tunnels. Would that be a simialar design that you mentioned above?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks,</SPAN></P> <P><SPAN>Lcox&nbsp;</SPAN></P> Mon, 07 Nov 2022 21:37:50 GMT https://live.paloaltonetworks.com/t5/general-topics/prioritizing-an-bgp-route-over-other-bgp-routes-for-ipsec-tunnel/m-p/520529#M107861 lcox 2022-11-07T21:37:50Z