Nominated Discussion: How to Implement BGP and eBGP on Palo Alto Networks

This article is based on a discussion, "How to implement BGP and eBGP on Palo". Read on to see @rkvsenthil's guidance on configuring BGP below.

Hi,

I am migrating from WatchGuard to Palo and there seem to be a lot more configuration options on the Palo.

WatchGuard configuration is below. What is the best way to configure this within Palo?

Where is the option to set default-originate?

router bgp 64801
bgp router-id 169.254.3.3
timers bgp 4 12
neighbor 10.200.34.2 remote-as 64601
neighbor 10.200.34.3 remote-as 64601
neighbor 10.200.52.2 remote-as 64601
neighbor 10.200.52.3 remote-as 64601
neighbor 10.200.64.130 remote-as 64601
neighbor 10.200.64.131 remote-as 64601
neighbor 10.200.34.2 default-originate
neighbor 10.200.34.3 default-originate
neighbor 10.200.52.2 default-originate
neighbor 10.200.52.3 default-originate
neighbor 10.200.64.130 default-originate
neighbor 10.200.64.131 default-originate
neighbor 10.200.34.2 ebgp-multihop 4
neighbor 10.200.34.3 ebgp-multihop 4
neighbor 10.200.52.2 ebgp-multihop 4
neighbor 10.200.52.3 ebgp-multihop 4
neighbor 10.200.64.130 ebgp-multihop 4
neighbor 10.200.64.131 ebgp-multihop 4

BGP Config template:

For default-originate: in the GUI, go to Network > Virtual Router > <VR name or default> > BGP > Redist Rules and add a redistribution rule for IP subnet 0.0.0.0/0, then enable the "Allow Redistribute Default Route" option.

Also, use the config example below as a template. It should give you clues on how and where you can change the timer settings, the TTL value (ebgp-multihop), etc.

admin@PAFW1> configure

set network virtual-router default protocol bgp enable yes
set network virtual-router default protocol bgp routing-options graceful-restart enable yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp remove-private-as no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp import-nexthop original
set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp export-nexthop resolve
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peer-address ip 10.0.18.2
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options incoming-bgp-connection remote-port 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options incoming-bgp-connection allow yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options outgoing-bgp-connection local-port 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options outgoing-bgp-connection allow yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options multihop 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options keep-alive-interval 30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options open-delay-time 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options hold-time 90
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options idle-hold-time 15
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options min-route-adv-interval 30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 subsequent-address-family-identifier unicast yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 subsequent-address-family-identifier multicast no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 local-address ip 10.0.18.1/30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 local-address interface ethernet1/1
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 bfd profile Inherit-vr-global-setting
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 max-prefixes 5000
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peer-as 64513
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable-mp-bgp no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 address-family-identifier ipv4
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable-sender-side-loop-detection no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 reflector-client non-client
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peering-type unspecified
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peer-address ip 100.100.100.1
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options incoming-bgp-connection remote-port 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options incoming-bgp-connection allow yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options outgoing-bgp-connection local-port 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options outgoing-bgp-connection allow yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options multihop 4
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options keep-alive-interval 30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options open-delay-time 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options hold-time 90
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options idle-hold-time 15
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options min-route-adv-interval 30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 subsequent-address-family-identifier unicast yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 subsequent-address-family-identifier multicast no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 local-address ip 192.168.102.2/30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 local-address interface ethernet1/2
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 bfd profile Inherit-vr-global-setting
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 max-prefixes 5000
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peer-as 64512
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable-mp-bgp no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 address-family-identifier ipv4
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable-sender-side-loop-detection no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 reflector-client non-client
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peering-type bilateral
set network virtual-router default protocol bgp peer-group stub_ebgp_peers aggregated-confed-as-path yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers soft-reset-with-stored-info yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers enable yes
set network virtual-router default protocol bgp reject-default-route no
set network virtual-router default protocol bgp allow-redist-default-route yes
set network virtual-router default protocol bgp router-id 192.168.102.2
set network virtual-router default protocol bgp local-as 65535
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 address-family-identifier ipv4
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 enable yes
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 set-origin incomplete
set network virtual-router default protocol bgp policy export rules default-route-only action allow update as-path none
set network virtual-router default protocol bgp policy export rules default-route-only action allow update origin incomplete
set network virtual-router default protocol bgp policy export rules default-route-only action allow update community none
set network virtual-router default protocol bgp policy export rules default-route-only action allow update extended-community none
set network virtual-router default protocol bgp policy export rules default-route-only match address-prefix 0.0.0.0/0 exact no
set network virtual-router default protocol bgp policy export rules default-route-only match route-table unicast
set network virtual-router default protocol bgp policy export rules default-route-only used-by stub_ebgp_peers
set network virtual-router default protocol bgp policy export rules default-route-only enable yes
[edit]
admin@PAFW1# commit
Commit job 6 is in progress. Use Ctrl+C to return to command prompt
..........100%
Configuration committed successfully
[edit]
admin@PAFW1# run show routing protocol bgp rib-out

VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path
0.0.0.0/0 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535
192.168.100.0/30 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535,64512
192.168.101.0/30 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535,64512
0.0.0.0/0 192.168.102.2 inside_core_2 0.0.0.0 advertised no aggregation 65535
5.5.5.5/32 192.168.102.2 inside_core_2 0.0.0.0 advertised no aggregation 65535,64513

total routes shown: 5

[edit]
admin@PAFW1# set network virtual-router default protocol bgp policy export rules default-route-only match address-prefix 0.0.0.0/0 exact yes

[edit]
admin@PAFW1# commit
Commit job 6 is in progress. Use Ctrl+C to return to command prompt
..........100%
Configuration committed successfully

[edit]
admin@PAFW1# run show routing protocol bgp rib-out

VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path
0.0.0.0/0 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535
0.0.0.0/0 192.168.102.2 inside_core_2 0.0.0.0 advertised no aggregation 65535

total routes shown: 2

If you need the BGP-learned best routes to be installed in the routing table, add this from the CLI.

[edit]
admin@PAFW1# set network virtual-router default protocol bgp install-route yes

[edit]
admin@PAFW1#commit
[edit]
admin@PAFW1# run show routing route type bgp
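As an added example (not code from the original thread), the script below turns the Cisco-style stanza quoted in the question into PAN-OS set commands shaped like the answer's template. The virtual-router name "default", the peer-group name and the "peerN" peer names are assumptions, and the per-peer local-address/interface lines cannot be derived from the WatchGuard config, so they still have to be added by hand.

```python
BASE = "set network virtual-router default protocol bgp"   # assumed virtual-router "default"
PG = "stub_ebgp_peers"                                     # peer-group name from the answer's template
# Constructed sample: one neighbour from the question's WatchGuard stanza
SAMPLE_CFG = """router bgp 64801
bgp router-id 169.254.3.3
timers bgp 4 12
neighbor 10.200.34.2 remote-as 64601
neighbor 10.200.34.2 default-originate
neighbor 10.200.34.2 ebgp-multihop 4
"""

def translate_bgp(cisco_cfg):
    """Return PAN-OS set commands equivalent to a Cisco-style 'router bgp' stanza."""
    local_as = router_id = None
    keepalive, hold = 30, 90          # PAN-OS defaults, as in the answer's template
    peers = {}                        # neighbour ip -> {"as", "multihop", "default"}
    for line in cisco_cfg.splitlines():
        t = line.split()
        if t[:2] == ["router", "bgp"]:
            local_as = t[2]
        elif t[:2] == ["bgp", "router-id"]:
            router_id = t[2]
        elif t[:2] == ["timers", "bgp"]:            # "timers bgp <keepalive> <hold>"
            keepalive, hold = int(t[2]), int(t[3])
        elif t[:1] == ["neighbor"]:
            p = peers.setdefault(t[1], {"as": None, "multihop": 0, "default": False})
            if t[2] == "remote-as":
                p["as"] = t[3]
            elif t[2] == "ebgp-multihop":           # TTL, called "multihop" on PAN-OS
                p["multihop"] = int(t[3])
            elif t[2] == "default-originate":
                p["default"] = True
    out = [f"{BASE} enable yes", f"{BASE} local-as {local_as}", f"{BASE} router-id {router_id}",
           f"{BASE} peer-group {PG} type ebgp remove-private-as no", f"{BASE} peer-group {PG} enable yes"]
    for i, (ip, p) in enumerate(peers.items(), 1):
        peer = f"{BASE} peer-group {PG} peer peer{i}"   # assumed peer naming; add local-address by hand
        out += [f"{peer} peer-address ip {ip}", f"{peer} peer-as {p['as']}",
                f"{peer} connection-options multihop {p['multihop']}",
                f"{peer} connection-options keep-alive-interval {keepalive}",
                f"{peer} connection-options hold-time {hold}", f"{peer} enable yes"]
    if any(p["default"] for p in peers.values()):
        # No per-peer default-originate on PAN-OS: redistribute 0.0.0.0/0 and export only that
        # prefix to the group; "exact yes" is what stops other routes leaking (answer's 2nd rib-out)
        rule = f"{BASE} policy export rules default-route-only"
        out += [f"{BASE} allow-redist-default-route yes",
                f"{BASE} redist-rules 0.0.0.0/0 address-family-identifier ipv4",
                f"{BASE} redist-rules 0.0.0.0/0 enable yes",
                f"{rule} match address-prefix 0.0.0.0/0 exact yes",
                f"{rule} action allow update as-path none", f"{rule} used-by {PG}", f"{rule} enable yes"]
    return out
```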

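A second added example, also not from the original thread: a check over the "show routing protocol bgp rib-out" output quoted in the answer that reports any prefix advertised to a peer other than the default route, which is exactly what the change to "exact yes" fixed. The RIB_OUT sample is copied from the answer's first commit (with "exact no"); treating the default route as the only allowed prefix is an assumption.

```python
# rib-out output copied from the answer's first commit (export rule with "exact no")
RIB_OUT = """VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path
0.0.0.0/0 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535
192.168.100.0/30 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535,64512
192.168.101.0/30 10.0.18.1 upstream_R5 0.0.0.0 advertised no aggregation 65535,64512
0.0.0.0/0 192.168.102.2 inside_core_2 0.0.0.0 advertised no aggregation 65535
5.5.5.5/32 192.168.102.2 inside_core_2 0.0.0.0 advertised no aggregation 65535,64513

total routes shown: 5
"""

def parse_rib_out(text):
    """Parse PAN-OS 'show routing protocol bgp rib-out' rows into dicts.

    A row splits into prefix, nexthop, peer, originator, adv status, the aggregation
    status (two words, 'no aggregation', in the sample) and the AS path. Header,
    separator and 'total routes shown' lines do not start with a prefix, so they are skipped.
    """
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or "/" not in t[0]:
            continue
        rows.append({"prefix": t[0], "nexthop": t[1], "peer": t[2],
                     "adv": t[4], "as_path": t[-1]})
    return rows

def audit_rib_out(text, allowed=("0.0.0.0/0",)):
    """Return (leaks, missing): per peer, advertised prefixes outside the allowed set,
    and allowed prefixes a peer is not being sent at all."""
    leaks, seen = {}, {}
    for r in parse_rib_out(text):
        seen.setdefault(r["peer"], set())
        if r["adv"] != "advertised":
            continue
        if r["prefix"] in allowed:
            seen[r["peer"]].add(r["prefix"])
        else:
            leaks.setdefault(r["peer"], []).append(r["prefix"])
    missing = {p: sorted(set(allowed) - s) for p, s in seen.items() if set(allowed) - s}
    return leaks, missing
```

Run against the sample it flags the two internal prefixes sent to upstream_R5 and the /32 sent to inside_core_2; on the answer's second rib-out (after "exact yes") it reports nothing.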