eBGP between remote Palo Alto devices.

L3 Networker

Folks,

Similar to Cisco routers, we are checking if we can form remote eBGP neighbors between Palo Altos located in different DCs.

One PA is located in DC-01 and the second is located in DC-02.

We are looking at this design as both these Palo Altos form BGP over an IPSec tunnel to a customer location. As of now the failover is manual, and we should be able to automate that if we can get an eBGP setup between these two firewalls.

 

Any suggestion on the eBGP part?

 

Regards,

N!

4 replies

L3 Networker

Hi there,

Creating an IPsec tunnel and forming an eBGP adjacency between the tunnel endpoints is an easy design to implement. Do you have any further topology requirements we can work with?

 

cheers,

Seb.

Hello,

Sorry for the delayed response. 

 

Will eBGP Multihop also work? i.e. without creating an IPSec tunnel?

Other than BGP peering, we have no other requirements.


Thanks!!

N.

L3 Networker

Yes, if the FWs are not connected on the same L3 link between the DCs, then if using eBGP, multi-hop will need to be configured (remember iBGP doesn't require multi-hop; do your DCs really need to be separate autonomous systems?).

Is the L3 network between the DCs for your exclusive use, or is it at all shared? If the latter, then it would be advisable to create an IPSec tunnel between them for security purposes.

 

cheers,

Seb.

Cyber Elite

Hi @nson2139 

 

Thank you for posting the question.

 

I would like to comment on this: "Other than BGP peering no other requirements we have"

 

BGP does not route by itself and requires underlying routing to provide reachability to establish BGP peering, unless you are peering between directly connected interfaces. In Palo Alto firewalls you can provide routing to establish BGP either by using a static route or by advertising an interface into OSPF. The default route can't be used to establish BGP peering; it should be at least a /1 route. This is the only requirement if you are deploying eBGP multihop. The rest depends on your configuration.

 

The rest was already covered in previous posts; however, if you have either a design- or configuration-specific question, could you please provide more details? I have hands-on experience with running BGP over IPsec as well as directly between devices and hopefully can cover the answer.

 

Kind Regards,

Pavel
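Pavel's reachability rule above (a directly connected peer needs no multihop; otherwise the peer must be covered by a route more specific than the default, i.e. at least a /1) as an added pre-check script. This is not code from the thread or from Palo Alto Networks; the interface subnets, static routes and peer address are constructed sample values.

```python
import ipaddress

# Constructed sample data (hypothetical DC-01 firewall): its interface subnets,
# its static routes, and the DC-02 peer it wants to bring up eBGP with.
LOCAL_INTERFACES = ["10.1.1.1/30", "192.168.10.1/24"]
STATIC_ROUTES = ["0.0.0.0/0", "10.2.0.0/16"]
PEER = "10.2.1.1"


def directly_connected(peer, interfaces):
    """True if the peer sits on a local interface subnet (no multihop needed)."""
    ip = ipaddress.ip_address(peer)
    return any(ip in ipaddress.ip_network(i, strict=False) for i in interfaces)


def longest_match(peer, routes):
    """Longest-prefix-match route covering the peer, or None if nothing does."""
    ip = ipaddress.ip_address(peer)
    covering = [ipaddress.ip_network(r) for r in routes
                if ip in ipaddress.ip_network(r)]
    return max(covering, key=lambda n: n.prefixlen, default=None)


def check_multihop_peering(peer, interfaces, routes):
    """Return (ok, reason) describing whether underlying reachability exists.

    Mirrors the rule from the thread: a default route (/0) alone does not
    provide reachability for BGP peering; a /1 or more specific route does.
    """
    if directly_connected(peer, interfaces):
        return True, "peer is directly connected; eBGP multihop not required"
    best = longest_match(peer, routes)
    if best is None:
        return False, "no route to peer; add a static route or advertise via OSPF"
    if best.prefixlen == 0:
        return False, "only the default route covers the peer; need a /1 or more specific route"
    return True, f"multihop required; peer reachable via {best}"


if __name__ == "__main__":
    print(check_multihop_peering(PEER, LOCAL_INTERFACES, STATIC_ROUTES))
```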