I am not a network engineer by no means and have setup basic BGP in the past with various peers with the peers being the source of truth for all routes.
I have a situation were our primary firewall has been using static routes for everything, default to internet, specific to DMZ, and all others to internal core switches. With the core switches having a default route pointing to the firewall.
The firewall has BGP setup to several of our Cloud solutions, and only being distributed to the firewall.
We not want to enable BGP between the core switches and the firewall. The network team wants the Firewall to redistribute all its static routes to the core switches, with a few exceptions. At the same time we need to distribute the same static routes to our Prisma, while denying specific ones to both the core and Prisma and the Cloud (ie. aws). I know we need to setup a redistribution profile to include all local static routes we want to advertise. Then setup export rules. This is were I have been having some issues, on the best way to implement these exports rules. If I use a permit rule for prisma and core, then I would need to include all the static routes, all the routes that would be learning from the cores and the routes learning from the existing Cloud. Then was thinking maybe using just a deny rule to restrict the learned routes, whether from local static or core, making so everything else being distributed to everywhere else (i.e. core, prisma etc). Any guidance would be helpful... Thank you
Hi @DavidMaas1 ,
It seems you are going in the right direction. First think I want to point out (I always start with this after it bit me in the past...) - By default firewall will receive and advertise (import and export) any rule that is in the BGP process - implicit allow. By once you create one rule for given peer, FW will switch to implicit deny - meaning that anything that is not matched by the rule you have configured for that peer will be denied (this is valid for both import and export).
So for me this boils down to two options:
- Create allow rules and list the networks you want to import/export. Deny everything else with the implicit deny
- Create allow all rule and create deny rules for the specific networks you don't want to import/export above the "allow-all".
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!