08-24-2021 08:54 AM
Similar to Cisco routers, we are checking if we can form remote eBGP neighbors between Palo Altos located in different DCs.
One PA is located in DC-01 and the second is located in DC-02.
We are looking at this design as both these Palo Altos form BGP over an IPSec tunnel to a customer location. As of now the failover is manual, and we should be able to automate that if we can get eBGP set up between these two firewalls.
Any suggestion on the eBGP part?
08-24-2021 02:35 PM
Creating an IPsec tunnel and forming an eBGP adjacency between the tunnel endpoints is an easy design to implement. Do you have any further topology requirements we can work with?
09-03-2021 12:10 AM
Sorry for the delayed response.
Will eBGP Multihop also work? i.e., without creating an IPSec tunnel?
Other than BGP peering, we have no other requirements.
09-03-2021 02:47 PM
Yes, if the FWs are not connected on the same L3 link between the DCs, then if using eBGP, multi-hop will need to be configured (remember iBGP doesn't require multi-hop; do your DCs really need to be separate autonomous systems?).
Is the L3 network between the DCs for your exclusive use, or is it at all shared? If the latter, then it would be advisable to create an IPSec tunnel between them for security purposes.
09-03-2021 03:23 PM
Thank you for posting your question.
I would like to comment on this: "Other than BGP peering no other requirements we have."
BGP does not route by itself and requires underlying routing to provide reachability to establish BGP peering, unless you are peering between directly connected interfaces. In Palo Alto firewalls you can provide routing to establish BGP either by using a static route or by advertising an interface into OSPF. The default route can't be used to establish BGP peering; it should be at least a /1 route. This is the only requirement if you are deploying eBGP multihop. The rest depends on your configuration.
The rest was already covered in previous posts, however if you have either design or configuration specific question, could you please provide more details? I have hands on experience with running BGP over IPsec as well as directly between devices and hopefully can cover the answer.
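The replies above add up to a short checklist for this design: the peer must be reachable through a route more specific than the default, eBGP across a routed path needs multihop (iBGP does not), and a shared transit between the DCs should carry the session inside IPSec. The following is an added example, not code from the thread or from Palo Alto Networks, that turns that checklist into a preflight check over a constructed routing table; the addresses, AS numbers and interface names are invented, and the "no default route" rule is taken as stated by the poster above rather than verified against PAN-OS documentation.

```python
"""Preflight check for a planned BGP peering between two firewalls.

Added example (not from the thread or from Palo Alto Networks). The
routing table, addresses and AS numbers below are constructed for the
illustration. Checks implemented:
  - peer reachable, and not only via 0.0.0.0/0 (the poster's "/1 at least" rule)
  - eBGP to a peer that is not on a connected subnet needs multihop > 1
  - iBGP (same AS) needs no multihop
  - shared transit without IPSec gets flagged
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    nexthop: Optional[ipaddress.IPv4Address]  # None means directly connected
    interface: str


def route(prefix: str, nexthop: Optional[str], interface: str) -> Route:
    """Small constructor so the sample tables below stay readable."""
    return Route(ipaddress.IPv4Network(prefix),
                 ipaddress.IPv4Address(nexthop) if nexthop else None,
                 interface)


def longest_match(routes: List[Route], dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Plain longest-prefix match; ties go to the first entry seen."""
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def bgp_peer_preflight(routes: List[Route], local_as: int, peer_as: int, peer_ip: str,
                       multihop: int = 1, shared_transit: bool = False,
                       ipsec: bool = False) -> Tuple[str, List[str]]:
    """Return (session type, list of finding codes); an empty list means the plan passes."""
    peer = ipaddress.IPv4Address(peer_ip)
    session = "iBGP" if local_as == peer_as else "eBGP"
    findings: List[str] = []

    best = longest_match(routes, peer)
    if best is None:
        return session, ["no-route-to-peer"]
    if best.prefix.prefixlen == 0:
        # Reachable only through the default route: per the reply above,
        # PAN-OS will not bring the peer up on that alone.
        findings.append("peer-only-via-default-route")

    connected = best.nexthop is None
    if session == "eBGP" and not connected and multihop <= 1:
        # eBGP defaults to TTL 1; a routed path needs multihop. iBGP is exempt.
        findings.append("ebgp-multihop-required")

    if shared_transit and not ipsec:
        findings.append("ipsec-recommended")
    return session, findings


# Constructed DC-01 routing tables (invented addresses).
DC01_CONNECTED = [route("10.1.1.0/24", None, "ethernet1/1")]
DC01_DEFAULT_ONLY = DC01_CONNECTED + [route("0.0.0.0/0", "10.1.1.254", "ethernet1/1")]
DC01_WITH_STATIC = DC01_DEFAULT_ONLY + [route("10.2.2.0/24", "10.1.1.254", "ethernet1/1")]

if __name__ == "__main__":
    plans = [
        ("default route only, multihop 1", DC01_DEFAULT_ONLY, 65002, 1, False),
        ("static route, multihop 5, no IPSec", DC01_WITH_STATIC, 65002, 5, False),
        ("static route, multihop 5, IPSec", DC01_WITH_STATIC, 65002, 5, True),
        ("same AS (iBGP) via static route", DC01_WITH_STATIC, 65001, 1, True),
    ]
    for name, table, peer_as, hops, ipsec in plans:
        print(name, "->", bgp_peer_preflight(table, 65001, peer_as, "10.2.2.1",
                                             multihop=hops, shared_transit=True, ipsec=ipsec))
```

Running it shows the first plan failing on both the default-route and multihop checks, the second passing BGP but flagging the unencrypted shared transit, and the iBGP plan passing without any multihop setting, which is the trade-off the second reply raised.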