Redistribute Route to GlobalProtect with BGP


L2 Linker


We have an internal network that is connected to our Amazon AWS VPC. A route is successfully advertised to our AWS peer using BGP, and from the local network I can reach our server instances in the VPC. AWS resources are assigned an address in the network.


After I created a remote-access VPN using Global Protect, I can reach our local network from outside the building. Remote users are assigned an address in the network.




I am unable to reach our AWS resources while remotely connected to the local network using GlobalProtect.


My Thoughts:


I believe I need to redistribute a route to the network assigned to GlobalProtect clients. I followed the article How to Redistribute GlobalProtect Routes into OSPF. As a result I created a 2nd Redistribution Profile within my virtual router and configured a 2nd BGP Export Rule.


Despite this, when I issue > show routing protocols bgp rib-out, it only displays the original, single route to my local network.


Any thoughts are greatly appreciated!


Thank you.


L2 Linker

Additional Info:


When I issue the command > show routing fib, I expected to see a single entry for GlobalProtect, such as


Instead I see this:

2            u      ethernet1/2        1500
63         169.254.255.XYZ     ug     tunnel.4           1427
50        ug     tunnel.3           1500
49        ug     tunnel.3           1500
48        ug     tunnel.3           1500
46         ug     tunnel.3           1500
45         ug     tunnel.3           1500
47         ug     tunnel.3           1500
51       ug     tunnel.3           1500
52       ug     tunnel.3           1500
53       ug     tunnel.3           1500
54       ug     tunnel.3           1500
55       ug     tunnel.3           1500

Would I need to instead define these networks in my Export and Redistribution Profiles?


Follow Up:


Why would the router implement these CIDR networks instead of a large as I defined in the GUI?


Thanks Again!
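The FIB output above lists one host route per connected client on tunnel.3 rather than a single pool prefix. As an added example (not from this thread or from Palo Alto Networks), the following Python script parses FIB-style lines and reports whether the GlobalProtect pool prefix itself is present and which host routes fall inside it, which is the first thing to check before reworking the Redistribution Profile; the addresses and the 0.0.0.0 next-hop placeholder are constructed, because the thread's output has its destination column stripped.

```python
import ipaddress
import re

# Constructed sample in the column layout of PAN-OS "show routing fib" output:
# id, destination, next hop, flags, interface, mtu. Addresses are made up and
# 0.0.0.0 stands in for the empty next-hop column of connected routes.
SAMPLE_FIB = """\
2     10.10.0.0/24      0.0.0.0            u      ethernet1/2   1500
63    172.31.0.0/16     169.254.255.1      ug     tunnel.4      1427
50    10.20.5.10/32     0.0.0.0            ug     tunnel.3      1500
49    10.20.5.11/32     0.0.0.0            ug     tunnel.3      1500
48    10.20.5.12/32     0.0.0.0            ug     tunnel.3      1500
"""

FIB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_fib(text):
    """Return a list of {dest, nexthop, flags, iface} dicts; skips lines that do not match."""
    routes = []
    for line in text.splitlines():
        m = FIB_RE.match(line)
        if not m:
            continue
        routes.append({
            "dest": ipaddress.ip_network(m.group(2), strict=False),
            "nexthop": m.group(3),
            "flags": m.group(4),
            "iface": m.group(5),
        })
    return routes


def audit_pool(routes, pool_cidr):
    """Check how a client address pool is represented in the FIB."""
    pool = ipaddress.ip_network(pool_cidr)
    inside = [r for r in routes if r["dest"].subnet_of(pool)]
    return {
        "pool": str(pool),
        # True only if the aggregate itself is installed, not just per-client routes
        "summary_present": any(r["dest"] == pool for r in inside),
        # Longer-than-pool entries, e.g. one /32 per connected GlobalProtect client
        "host_routes": sorted(str(r["dest"]) for r in inside if r["dest"] != pool),
        "interfaces": sorted({r["iface"] for r in inside}),
    }


if __name__ == "__main__":
    print(audit_pool(parse_fib(SAMPLE_FIB), "10.20.5.0/24"))
```

Run it against a real capture by replacing SAMPLE_FIB with the pasted CLI output and the pool CIDR with the one configured under the GlobalProtect gateway.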

Do you have a proper security policy in place to allow GP users to access AWS resources? Try assigning an IP address to the tunnel interface from the pool that you are assigning to GP clients, and then try to ping from the tunnel interface to the AWS resources.


Try to ping from any other firewall interface to any AWS resource and check whether the ping is working or not.

Hi @pankaku and thank you for the reply. The tunnel interfaces associated with Amazon and the LAN are assigned to the same security zone. I realize this leads to no visibility or control over the traffic, and I eventually want to assign the AWS tunnel interfaces to a separate security zone.


I think I understand your suggestion and wanted to summarize it as I go about trying it.


Try assigning an IP address from the GP address pool to the GP tunnel interface and then try pinging a resource in AWS.

Yes, that's correct. Let us know if you have reachability from the firewall tunnel interface to AWS resources.

Also try to ping from any other firewall interface to AWS resources.

Thanks for the clarification @pankaku.

@Pankaj.kumar wrote:

Yes, that's correct. Let us know if you have reachability from the firewall tunnel interface to AWS resources.

Also try to ping from any other firewall interface to AWS resources.

I assigned to the AWS tunnel and tried to ping an AWS resource with no success.


However, I can ping an AWS resource from the Palo Alto internal gateway interface.


Running a packet capture I can see on the receive side ICMP traffic flowing from to 172.21.ABC.EFG and on the transmit side I see ESP traffic flowing from the PA egress interface (public IP) to the AWS resource.

L2 Linker

Here is some additional info testing the route to my AWS resources.


bob@PA-3020> test routing fib-lookup virtual-router default-vr ip

runtime route lookup
virtual-router: default-vr
via interface tunnel.4, source, metric 65434

bob@PA-3020> show routing route | match tunnel.4 0 A C tunnel.4


In the GlobalProtect Gateway --> Agent --> Client Settings I added the following Access Routes:


On my connected GlobalProtect VPN client I can confirm the presence of both routes in the client's route table.


Let me clarify what I understand.


You are able to ping from the firewall's interface but not from the GP tunnel interface.


If that is correct, then try the following doc:

That's absolutely right @pankaku. I will take a look at your suggestion.


Thank you again.
