redistribute global protect ip pool subnet into bgp.

L3 Networker

redistribute global protect ip pool subnet into bgp.

I am running VM-500 in cluster on 8.1.4 . I have global protect configured with ip pool of /24.

I need to redistribute this range via bgp. I can see this range in the routing table.

L7 Applicator

If the subnet is in the local routing table we can distribute it via a bgp peer. 

Is this iBGP or eBGP

What is the current redsitribution rules you have on the peering?

Where do you see the route learned and where is it missing?


Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Yes you can.


There are actually two ways to accomplish this:

  1. Using redistribtion profile
    1. Configure redistribution profile which should matach your IP pool: Network -> Virtual-Router -> edit your VR -> Redistribution profile
    2. Select source type connec and destination your IP pool prefix
    3. Set redistribure (the radio button on the top right) to Redist
    4. Tell the BGP to use this profile: Network -> Virtual-Route -> edit your VR -> BGP -> Redist Rules
    5. Add new rule and under "name" select your redistribution profile from the drop-down menue
    6. If you are using BGP EXPORT rules, make sure that your GP IP pool is added to the allow export rule
  2. Without redistribution profile
    1. Add the GP IP Pool straight to the BGP Redist Rules, without creating redistribution profile
    2. Add new rule and under "Name" put your GP IP pool range (do not select anything from drop-down, just type your prefix)
    3. Again make sure your BGP EXPORT rules are allowing the GP IP pool


Using redistribution profile gives you an option to advertise any prefix that is already in your routing table - static, directly connected, or dynamically learned from different routing protocol.


Howeve you can advertise any prefix even if it is not in your routing table. If you create BGP redistribution rule, without redistribution profile (just typing the prefix), the firewall will first create "dummy" or internal route for this network and then advertise it over BGP. The disatvantage of this approach is that the intrernal route will always be in the routing table and firewall will alway adv. via BGP, while if you are using redistribution profile matching some static routes it will stop adv. the route if the static is removed from the routing table (interface down or etc.)



I would suggest you to use the redistribution profile, that way the firewall will not require to create the additional internal route. If you create the redist. rule without profile you will have two routes for the GP IP pool (one as connected to the tunnel interface and one as internal "~")

L1 Bithead

Please make sure you are adding respetive interfaces in redistribution profile to advertise from BGP.


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!