12-19-2020 04:50 AM - edited 12-19-2020 04:52 AM
Hi,
Does Palo Alto support the Cisco BGP neighbor x.x.x.x local-as yyyy feature? Or is there any way to achieve the same (the Palo Alto FW has a local ASN, but it uses another local ASN just for a specific neighbor)?
Thanks!
12-19-2020 12:12 PM
Are you looking for a CLI command like the one below?
t network virtual-router NetGear protocol bgp
+ allow-redist-default-route allow redistribute default route to BGP
+ ecmp-multi-as Support multiple AS in ECMP
+ enable enable
+ enforce-first-as Enforce First AS for EBGP
+ install-route Populate BGP learned route to global route table
+ local-as local AS number
+ reject-default-route do not learn default route from BGP
+ router-id router id of this BGP instance
> auth-profile BGP authentication profiles
> dampening-profile route flap dampening profiles
> peer-group peer group configuration
> policy BGP routing policy configuration
> redist-rules redistribution rules for export through BGP
> routing-options routing instance options
<Enter> Finish input
Regards
01-02-2021 01:18 PM
Hi MP18,
Thanks for the message.
No, I was looking for feature support, but I have done a workaround as it seems unsupported.
Thanks.
Banksants
10-07-2021 04:15 AM
Could you suggest what workaround you did on the Palo Alto firewall to achieve the local-as thing?
02-25-2025 09:15 AM
Anyone who was able to achieve this local-as config through Panorama?
02-25-2025 12:27 PM - edited 06-23-2025 10:50 AM
EDIT: This post is wrong. Please ignore.
Hi all,
This feature is available with the Advanced Routing Engine, but that is a big change to make.
Thanks,
Tom
03-12-2025 10:38 AM - edited 06-23-2025 10:45 AM
By the way,
You should be able to have multiple local ASNs with virtual routers (VRs). You can then enable BGP between the VRs. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIpCAK
I am going to do this with a customer and report back. EDIT: This worked great. The one neighbor that required a different ASN is peered on a new VR.
Thanks,
Tom
06-23-2025 09:16 AM
No, it's not. This is not the same as defining your local ASN at the base level of your BGP instance. The "Local-AS" feature is essentially a way to masquerade your instance ASN as another ASN. For example, if your instance's ASN is 65100 and you need to peer with someone that is using 65100 for another peering they have, or they require using a non-private ASN, you can use the "Local-AS" feature to alter your ASN specifically for that peering without changing your instance ASN and breaking any other peerings you have. Palo Alto PAN-OS does not support this feature.
06-23-2025 09:35 AM
Hi @JessePeden ,
"Palo Alto PAN-OS does not support this feature."
Did you see the URL I posted above? It should be supported in the Advanced Routing Engine.
"No it's not. This is not the same as defining your local ASN at the base level of your BGP instance."
I know what local-as means and what it does. Creating a new VR with a new BGP ASN will allow you to configure the new peering with the neighbor that requires the different ASN. All the original neighbors remain on the old VR. This is an effective workaround. I just did it with a customer. You can enable BGP between the VRs to facilitate routing.
Thanks,
Tom
06-23-2025 10:06 AM - edited 06-23-2025 10:10 AM
"Did you see the URL I posted above? It should be supported in the Advanced Routing Engine."
I'm aware of the Advanced Routing Engine and have it enabled on every PA setup I manage right out of the gate. The feature is not there, and I'm not sure where you're getting the info as it's not mentioned in the article you linked (unless I missed it somehow - maybe you can share the exact line mentioning it).
"Creating a new VR with a new BGP ASN will allow you to configure the new peering with the neighbor that requires the different ASN. All the original neighbors remain on the old VR. This is an effective workaround. I just did it with a customer. You can enable BGP between the VRs to facilitate routing."
I'm sure that works fine as a workaround, and I had made no mention of it in my original response - only that of the "local-as" feature being non-existent in PAN-OS (in both the LRE and ARE). I'm in a situation where I'll either need to look into doing the same thing, though, or do my peering on the Cisco switches instead of the PA units if I can't get BGP working in a separate logical router.
06-23-2025 10:49 AM
Hi @JessePeden ,
You are right. It is not in the URL, and therefore not supported by Palo Alto. I thought I saw it there but was mistaken. I will delete that post if I can.
Thanks,
Tom
06-23-2025 11:01 AM
Dang. I was hoping that I was the one that was wrong, truthfully, as there's zero reason (in my book) for Palo Alto not to support that feature.
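Added example, not from any post in this thread: a toy Python model of eBGP AS_PATH prepending that compares what the one special neighbor sees with Cisco's per-neighbor local-as (with and without its replace-as option) against the two-VR workaround described above. The ASN 64999 and all function names are constructed for illustration; 65100 is the instance ASN used in the explanation above, and the model covers only locally originated or already-received paths, not attributes other than AS_PATH.

```python
# Toy model of eBGP AS_PATH handling. ASNs are constructed sample values.
INSTANCE_ASN = 65100   # ASN of the existing BGP instance / original VR
ALT_ASN = 64999        # ASN the special neighbor must see (assumption)


def advertise(as_path, speaker_asn):
    """eBGP export: the speaker prepends its own ASN to the AS_PATH."""
    return [speaker_asn] + list(as_path)


def loop_free(as_path, receiver_asn):
    """eBGP import check: a path already holding the receiver's ASN is dropped."""
    return receiver_asn not in as_path


def cisco_local_as(as_path, instance_asn, local_as, replace_as=False):
    """Export to a neighbor configured with 'local-as'.

    Returns (ASN presented in the BGP OPEN, AS_PATH sent to that neighbor).
    Without replace-as the real instance ASN stays in the path behind local-as.
    """
    path = list(as_path) if replace_as else advertise(as_path, instance_asn)
    return local_as, advertise(path, local_as)


def two_vr_workaround(as_path, old_vr_asn, new_vr_asn):
    """Old VR exports to the new VR over eBGP; the new VR peers with the neighbor.

    Returns (ASN presented in the BGP OPEN, AS_PATH sent to that neighbor).
    """
    inter_vr = advertise(as_path, old_vr_asn)
    if not loop_free(inter_vr, new_vr_asn):
        raise ValueError("new VR would reject the route as an AS loop")
    return new_vr_asn, advertise(inter_vr, new_vr_asn)


if __name__ == "__main__":
    originated = []  # route originated inside the instance, empty AS_PATH
    print("local-as            ", cisco_local_as(originated, INSTANCE_ASN, ALT_ASN))
    print("local-as replace-as ", cisco_local_as(originated, INSTANCE_ASN, ALT_ASN, True))
    print("two VRs             ", two_vr_workaround(originated, INSTANCE_ASN, ALT_ASN))
```

In this model the two-VR design presents the same OPEN ASN and the same AS_PATH as plain local-as, but the instance ASN 65100 remains visible in the path, so a neighbor whose own ASN is 65100 would still drop those routes as a loop.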