Overview
PAN-OS supports BGP route filtering on extended communities only when the community is specified as a hexadecimal value. For example, if a BGP route contains an extended community such as 1:65001:65001, or 0x0001FDE90000FDE9, then users must use the hexadecimal value 0001FDE90000FDE9 for route filtering.
See this sample output:
show routing protocol bgp loc-rib-detail
VIRTUAL ROUTER: default (id 1)
==========
----------
Prefix: 192.168.152.0/24 *
Nexthop: 10.193.16.51
Received from: Peer 51 (id 1)
Originator ID: 10.193.16.152
AS Path:
Origin: N/A
MED: 0
Local Preference: 100
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
Community: 1234:1234,
Extended community: 0001FDE90000FDE9(type (0x0001), Flags []),
Clusters: 51.16.193.10
The proper configuration for filtering the route looks like this:
Review this document for more details on how to filter routes on Palo Alto Networks Firewalls: Understanding Route Redistribution and Filtering
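The following is an added example, not part of the original article or of PAN-OS: a small Python converter between the type:admin:value notation and the 16-digit hexadecimal string that the filter expects. It assumes the first field of the notation is the 16-bit type field, as in the 1:65001:65001 example above. It goes beyond that single case by also handling the IPv4-address-specific and four-octet-AS layouts defined in RFC 4360 and RFC 5668. The function names are hypothetical.

```python
import ipaddress
import struct

# Field layouts keyed by the high type octet with the transitive bit (0x40) cleared:
# 0x00 = 2-octet AS + 4-octet value, 0x01 = IPv4 address + 2-octet value (RFC 4360),
# 0x02 = 4-octet AS + 2-octet value (RFC 5668). Other types are rejected.
LAYOUTS = {0x00: "!HHI", 0x01: "!H4sH", 0x02: "!HIH"}


def _layout(ctype):
    high = (ctype >> 8) & 0xBF
    if high not in LAYOUTS:
        raise ValueError(f"unsupported extended community type 0x{ctype:04X}")
    return high, LAYOUTS[high]


def ext_community_to_hex(text):
    """Convert 'type:admin:value' (assumed notation) to 16 upper-case hex digits."""
    type_s, admin_s, value_s = text.strip().split(":")
    ctype = int(type_s, 16 if type_s.lower().startswith("0x") else 10)
    high, fmt = _layout(ctype)
    admin = ipaddress.IPv4Address(admin_s).packed if high == 0x01 else int(admin_s)
    try:
        return struct.pack(fmt, ctype, admin, int(value_s)).hex().upper()
    except struct.error as exc:
        # A field does not fit its width, e.g. a 4-byte ASN in a 2-octet AS type.
        raise ValueError(f"field out of range in {text!r}: {exc}") from None


def hex_to_ext_community(hexstr):
    """Decode the 8-byte hex value shown in 'loc-rib-detail' back to the notation."""
    digits = hexstr.strip()
    if digits.lower().startswith("0x"):
        digits = digits[2:]
    raw = bytes.fromhex(digits)
    if len(raw) != 8:
        raise ValueError("an extended community is exactly 8 bytes (16 hex digits)")
    ctype = struct.unpack("!H", raw[:2])[0]
    high, fmt = _layout(ctype)
    _, admin, value = struct.unpack(fmt, raw)
    if high == 0x01:
        admin = ipaddress.IPv4Address(admin)
    return f"{ctype}:{admin}:{value}"


if __name__ == "__main__":
    # Values taken from the sample output in this article.
    print(ext_community_to_hex("1:65001:65001"))
    print(hex_to_ext_community("0001FDE90000FDE9"))
```

Decoding the value from the loc-rib-detail output before writing the filter confirms that the hexadecimal string matches the community that was intended.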
owner: npoprzen