How to implement BGP and eBGP on Palo

LimaSupport — Fri, 16 Dec 2022 09:23:38 GMT

Hi,

I am migrating WatchGuard to Palo and there seems to be a lot more configuration options on the Palo.

WatchGuard configuration is below. What is the best way to configure this within Palo?

Where is the option to set default-originate?

router bgp 64801
bgp router-id 169.254.3.3
timers bgp 4 12
neighbor 10.200.34.2 remote-as 64601
neighbor 10.200.34.3 remote-as 64601
neighbor 10.200.52.2 remote-as 64601
neighbor 10.200.52.3 remote-as 64601
neighbor 10.200.64.130 remote-as 64601
neighbor 10.200.64.131 remote-as 64601
neighbor 10.200.34.2 default-originate
neighbor 10.200.34.3 default-originate
neighbor 10.200.52.2 default-originate
neighbor 10.200.52.3 default-originate
neighbor 10.200.64.130 default-originate
neighbor 10.200.64.131 default-originate
neighbor 10.200.34.2 ebgp-multihop 4
neighbor 10.200.34.3 ebgp-multihop 4
neighbor 10.200.52.2 ebgp-multihop 4
neighbor 10.200.52.3 ebgp-multihop 4
neighbor 10.200.64.130 ebgp-multihop 4
neighbor 10.200.64.131 ebgp-multihop 4

Re: How to implement BGP and eBGP on Palo

rkvsenthil — Tue, 20 Dec 2022 11:16:59 GMT

For default-originate -- In GUI,, go to Network -- Virtual Router -- <VR name or default> --- BGP --- Redist Rule and add a Redistribution rule for ip subnet 0.0.0.0/0 and enable "Allow Redistribute Default route" option ..

Also,, use the below config example as template. This should give you clues on how and where, you can change the timer settings and TTL value (ebgp-multihop), etc..

admin@PAFW1> configure

set network virtual-router default protocol bgp enable yes
set network virtual-router default protocol bgp routing-options graceful-restart enable yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp remove-private-as no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp import-nexthop original
set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp export-nexthop resolve
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peer-address ip 10.0.18.2
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options incoming-bgp-connection remote-port 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options incoming-bgp-connection allow yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options outgoing-bgp-connection local-port 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options outgoing-bgp-connection allow yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options multihop 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options keep-alive-interval 30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options open-delay-time 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options hold-time 90
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options idle-hold-time 15
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options min-route-adv-interval 30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 subsequent-address-family-identifier unicast yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 subsequent-address-family-identifier multicast no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 local-address ip 10.0.18.1/30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 local-address interface ethernet1/1
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 bfd profile Inherit-vr-global-setting
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 max-prefixes 5000
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peer-as 64513
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable-mp-bgp no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 address-family-identifier ipv4
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable-sender-side-loop-detection no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 reflector-client non-client
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peering-type unspecified
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peer-address ip 100.100.100.1
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options incoming-bgp-connection remote-port 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options incoming-bgp-connection allow yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options outgoing-bgp-connection local-port 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options outgoing-bgp-connection allow yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options multihop 4
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options keep-alive-interval 30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options open-delay-time 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options hold-time 90
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options idle-hold-time 15
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options min-route-adv-interval 30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 subsequent-address-family-identifier unicast yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 subsequent-address-family-identifier multicast no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 local-address ip 192.168.102.2/30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 local-address interface ethernet1/2
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 bfd profile Inherit-vr-global-setting
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 max-prefixes 5000
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peer-as 64512
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable-mp-bgp no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 address-family-identifier ipv4
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable-sender-side-loop-detection no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 reflector-client non-client
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peering-type bilateral
set network virtual-router default protocol bgp peer-group stub_ebgp_peers aggregated-confed-as-path yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers soft-reset-with-stored-info yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers enable yes
set network virtual-router default protocol bgp reject-default-route no
set network virtual-router default protocol bgp allow-redist-default-route yes
set network virtual-router default protocol bgp router-id 192.168.102.2
set network virtual-router default protocol bgp local-as 65535
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 address-family-identifier ipv4
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 enable yes
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 set-origin incomplete
set network virtual-router default protocol bgp policy export rules default-route-only action allow update as-path none
set network virtual-router default protocol bgp policy export rules default-route-only action allow update origin incomplete
set network virtual-router default protocol bgp policy export rules default-route-only action allow update community none
set network virtual-router default protocol bgp policy export rules default-route-only action allow update extended-community none
set network virtual-router default protocol bgp policy export rules default-route-only match address-prefix 0.0.0.0/0 exact no
set network virtual-router default protocol bgp policy export rules default-route-only match route-table unicast
set network virtual-router default protocol bgp policy export rules default-route-only used-by stub_ebgp_peers
set network virtual-router default protocol bgp policy export rules default-route-only enable yes
[edit]
admin@PAFW1# commit
Commit job 6 is in progress. Use Ctrl+C to return to command prompt
..........100%
Configuration committed successfully
[edit]
admin@PAFW1# run show routing protocol bgp rib-out

VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path
0.0.0.0/0 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535
192.168.100.0/30 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535,64512
192.168.101.0/30 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535,64512
0.0.0.0/0 192.168.102.2 inside_core_2 0.0.0.0 advertised no aggregation 65535
5.5.5.5/32 192.168.102.2 inside_core_2 0.0.0.0 advertised no aggregation 65535,64513

total routes shown: 5

[edit]
admin@PAFW1# set network virtual-router default protocol bgp policy export rules default-route-only match address-prefix 0.0.0.0/0 exact yes

[edit]
admin@PAFW1# commit
Commit job 6 is in progress. Use Ctrl+C to return to command prompt
..........100%
Configuration committed successfully

[edit]
admin@PAFW1# run show routing protocol bgp rib-out

VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path
0.0.0.0/0 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535
0.0.0.0/0 192.168.102.2 inside_core_2 0.0.0.0 advertised no aggregation 65535

total routes shown: 2

Re: How to implement BGP and eBGP on Palo

rkvsenthil — Tue, 20 Dec 2022 11:34:56 GMT

BTW,, if you need the BGP learned best routes to be installed in the routing table, add this from CLI.

[edit]
admin@PAFW1# set network virtual-router default protocol bgp install-route yes

[edit]
admin@PAFW1#commit
[edit]
admin@PAFW1# run show routing route type bgp

topic Re: How to implement BGP and eBGP on Palo in General Topics

How to implement BGP and eBGP on Palo

Re: How to implement BGP and eBGP on Palo

Re: How to implement BGP and eBGP on Palo