<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: BGP Configuration Help in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/bgp-configuration-help/m-p/386515#M90265</link>
<description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/145463"&gt;@DavidMaas1&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It seems you are going in the right direction. First thing I want to point out (I always start with this after it bit me in the past...) - by default the firewall will receive and advertise (import and export) any route that is in the BGP process - implicit allow. But once you create one rule for a given peer, the FW will switch to implicit deny - meaning that anything that is not matched by the rule you have configured for that peer will be denied (this is valid for both import and export).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So for me this boils down to two options:&lt;/P&gt;&lt;P&gt;- Create allow rules and list the networks you want to import/export. Deny everything else with the implicit deny.&lt;/P&gt;&lt;P&gt;- Create an allow-all rule and create deny rules for the specific networks you don't want to import/export above the "allow-all".&lt;/P&gt;</description>
    <pubDate>Thu, 18 Feb 2021 08:00:45 GMT</pubDate>
    <dc:creator>aleksandar.astardzhiev</dc:creator>
    <dc:date>2021-02-18T08:00:45Z</dc:date>
    <item>
      <title>BGP Configuration Help</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/bgp-configuration-help/m-p/386484#M90260</link>
<description>&lt;P&gt;Hi&lt;/P&gt;&lt;P&gt;I am not a network engineer by any means and have set up basic BGP in the past with various peers, with the peers being the source of truth for all routes.&lt;/P&gt;&lt;P&gt;I have a situation where our primary firewall has been using static routes for everything: default to internet, specific to DMZ, and all others to internal core switches, with the core switches having a default route pointing to the firewall.&lt;/P&gt;&lt;P&gt;The firewall has BGP set up to several of our Cloud solutions, and only being distributed to the firewall.&lt;/P&gt;&lt;P&gt;We now want to enable BGP between the core switches and the firewall. The network team wants the firewall to redistribute all its static routes to the core switches, with a few exceptions. At the same time we need to distribute the same static routes to our Prisma, while denying specific ones to both the core and Prisma and the Cloud (i.e. AWS). I know we need to set up a redistribution profile to include all local static routes we want to advertise, then set up export rules. This is where I have been having some issues: the best way to implement these export rules. If I use a permit rule for Prisma and core, then I would need to include all the static routes, all the routes that would be learned from the cores and the routes learned from the existing Cloud. Then I was thinking of maybe using just a deny rule to restrict the learned routes, whether from local static or core, so everything else is distributed to everywhere else (i.e. core, Prisma etc.). Any guidance would be helpful... Thank you&lt;/P&gt;</description>
      <pubDate>Wed, 17 Feb 2021 21:46:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/bgp-configuration-help/m-p/386484#M90260</guid>
      <dc:creator>DavidMaas1</dc:creator>
      <dc:date>2021-02-17T21:46:10Z</dc:date>
    </item>
    <item>
      <title>Re: BGP Configuration Help</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/bgp-configuration-help/m-p/386515#M90265</link>
<description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/145463"&gt;@DavidMaas1&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;It seems you are going in the right direction. First thing I want to point out (I always start with this after it bit me in the past...) - by default the firewall will receive and advertise (import and export) any route that is in the BGP process - implicit allow. But once you create one rule for a given peer, the FW will switch to implicit deny - meaning that anything that is not matched by the rule you have configured for that peer will be denied (this is valid for both import and export).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So for me this boils down to two options:&lt;/P&gt;&lt;P&gt;- Create allow rules and list the networks you want to import/export. Deny everything else with the implicit deny.&lt;/P&gt;&lt;P&gt;- Create an allow-all rule and create deny rules for the specific networks you don't want to import/export above the "allow-all".&lt;/P&gt;</description>
      <pubDate>Thu, 18 Feb 2021 08:00:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/bgp-configuration-help/m-p/386515#M90265</guid>
      <dc:creator>aleksandar.astardzhiev</dc:creator>
      <dc:date>2021-02-18T08:00:45Z</dc:date>
    </item>
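The policy behaviour described in the reply above, as an added standalone model. This is example code, not PAN-OS code and not the poster's configuration: it assumes exactly the semantics stated in the reply (a peer with no import/export rules gets an implicit allow; once at least one rule names that peer, rules are checked top-down, first match wins, and anything unmatched is implicitly denied). The rule dictionary format, the peer names "core" and "prisma", and the route prefixes are constructed sample data chosen to show the trap of a lone deny rule and the effect of rule order around an allow-all.

```python
"""Model of the BGP import/export rule semantics described in the reply.

Added example, not PAN-OS code and not the poster's configuration. Assumed
semantics: no rule for a peer means implicit allow; at least one rule for the
peer means ordered evaluation, first match wins, implicit deny for the rest.
Rule format, peer names and prefixes are constructed sample data.
"""
import ipaddress


def rule_applies_to_peer(rule, peer):
    """True when the rule is scoped to this peer ('any' covers every peer)."""
    return peer in rule["peers"] or "any" in rule["peers"]


def rule_matches_prefix(rule, prefix):
    """An empty prefix list is a match-all filter; otherwise the advertised
    prefix must fall inside one of the rule's networks (equal or more specific)."""
    filters = rule.get("prefixes", [])
    if not filters:
        return True
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(f)) for f in filters)


def evaluate(rules, peer, prefix):
    """Return 'allow' or 'deny' for one prefix towards one peer."""
    peer_rules = [r for r in rules if rule_applies_to_peer(r, peer)]
    if not peer_rules:
        return "allow"          # no rule for this peer: implicit allow
    for rule in peer_rules:     # evaluated top-down, first match wins
        if rule_matches_prefix(rule, prefix):
            return rule["action"]
    return "deny"               # a rule exists for this peer: implicit deny


def exported(rules, peer, routes):
    """Routes from 'routes' that the policy lets through to 'peer'."""
    return [p for p in routes if evaluate(rules, peer, p) == "allow"]


# Constructed sample: static routes redistributed into BGP on the firewall.
ROUTES = ["0.0.0.0/0", "10.10.0.0/16", "10.20.0.0/16", "10.99.0.0/16", "192.0.2.0/24"]

# The trap: one deny rule for the core peer flips that peer to implicit deny,
# so every other route stops being advertised to it as well.
TRAP_RULES = [
    {"peers": ["core"], "action": "deny", "prefixes": ["10.99.0.0/16"]},
]

# Option 2 from the reply: specific denies placed above an allow-all rule.
DENY_THEN_ALLOW_ALL = [
    {"peers": ["core"], "action": "deny", "prefixes": ["10.99.0.0/16"]},
    {"peers": ["core"], "action": "allow", "prefixes": []},
]

# Same two rules in the wrong order: the allow-all on top shadows the deny.
ALLOW_ALL_THEN_DENY = list(reversed(DENY_THEN_ALLOW_ALL))

# Option 1 from the reply: list exactly what may be exported, rely on implicit deny.
EXPLICIT_ALLOW_LIST = [
    {"peers": ["core"], "action": "allow", "prefixes": ["10.10.0.0/16", "10.20.0.0/16"]},
]


if __name__ == "__main__":
    cases = [("no rules", []), ("trap", TRAP_RULES),
             ("deny then allow-all", DENY_THEN_ALLOW_ALL),
             ("allow-all then deny", ALLOW_ALL_THEN_DENY),
             ("explicit allow list", EXPLICIT_ALLOW_LIST)]
    for name, rules in cases:
        print(f"{name:22s} core gets {exported(rules, 'core', ROUTES)}")
    # The prisma peer is named by no rule in any set, so it keeps implicit allow.
    print(f"{'prisma (no rules)':22s} gets {exported(DENY_THEN_ALLOW_ALL, 'prisma', ROUTES)}")
```

The point to check against a real device is the per-peer scope: in this model only rules that name a peer count toward "a rule exists for this peer", so adding a deny for core leaves prisma on implicit allow. Whether a rule scoped to several peers changes the implicit action for all of them is exactly the kind of detail to verify on the firewall before committing, since the reply says the switch to implicit deny applies to both import and export.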
    <item>
      <title>Re: BGP Configuration Help</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/bgp-configuration-help/m-p/393114#M90984</link>
<description>&lt;P&gt;Thank you... that is the path we went down: allow all, with specific denies.&lt;/P&gt;</description>
      <pubDate>Tue, 23 Mar 2021 20:40:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/bgp-configuration-help/m-p/393114#M90984</guid>
      <dc:creator>DavidMaas1</dc:creator>
      <dc:date>2021-03-23T20:40:21Z</dc:date>
    </item>
  </channel>
</rss>

