06-07-2020 08:34 PM
Hi all,
I have some questions regarding community settings, because we use them in our org to influence route selection.
Based on this document: "https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-pris..."
1) Do the communities referred to in it ("65534:X", "65534:Y", "65534:Z") refer to the Prisma mobile user IP pool allocation settings per region?
2) When we click on the BGP status / network details of the service connections, what does the community number shown there refer to? The X, Y, Z which I mentioned in point 1 above? I have 3 service connections (2 in the US and 1 in the EU, none in Asia). These 3 service connections gave me different community numbers, so which is which region?
3) The document only mentions mobile user IP prefixes. I also use Remote Networks (traditional IPsec) into Prisma. I would like to control the return routes, i.e. which service connection is used, based on community. How do we know what community is being set based on the Prisma Access locations? Is there a list published somewhere of the community numbers? If I check the IP prefix of a remote site specifically, I do see a community tag on it, but searching all the BGP IP prefixes will be a big chore; it would be good if the community number tagging were published somewhere.
06-15-2020 10:39 AM
Hi Charles,
Here are replies inline to your questions:
1) Do the communities referred to in it ("65534:X", "65534:Y", "65534:Z") refer to the Prisma mobile user IP pool allocation settings per region?
The routes are Mobile User pool addresses you have onboarded in certain regions. We split those larger pools into /24 blocks and tag them with the Prisma Access AS number / community strings (65534:x). The X/Y/Z is per Service Connection. You can say "regional", yes.
2) When we click on the BGP status / network details of the service connections, what does the community number shown there refer to? The X, Y, Z which I mentioned in point 1 above? I have 3 service connections (2 in the US and 1 in the EU, none in Asia). These 3 service connections gave me different community numbers, so which is which region?
The community string tag it uses is an ID of the active FW for the original active Service Connection firewall.
3) The document only mentions mobile user IP prefixes. I also use Remote Networks (traditional IPsec) into Prisma. I would like to control the return routes, i.e. which service connection is used, based on community. How do we know what community is being set based on the Prisma Access locations? Is there a list published somewhere of the community numbers? If I check the IP prefix of a remote site specifically, I do see a community tag on it, but searching all the BGP IP prefixes will be a big chore; it would be good if the community number tagging were published somewhere.
You can see the IDs in the Panorama Managed Prisma Access GUI page:
06-15-2020 05:53 PM
Hi Wade,
Thanks for replying.
Just a further question on point 3 with regards to Remote Network sites. I do see the community setting in the BGP status of the remote network. But on my CPE peering with the service connections, when I check the BGP prefixes advertised by these remote sites, I do not see a community tag on them like what I've seen on the mobile user prefixes.
Is that how it should be?
06-16-2020 03:10 PM
Hi Charles,
We do not tag the Remote Network prefixes with a community string, because we fully mesh the RNs to each Service Connection. If all you want to do is identify which routes are RNs, you can tag them by advertising them from the branch with a global or regional community string tag, and we will advertise / preserve them to the SC with those community value tags. If you want to identify which regions are which routes, you can advertise specific community tags for specific "regions" or "geos".
I hope this helps.
Thanks,
Wade
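The two mechanisms Wade describes (Prisma tagging Mobile User /24s with 65534:<SC firewall ID>, and a branch tagging its own Remote Network prefixes so the community survives to the Service Connection) are easiest to reason about side by side. The following is an added example of my own, not code from this thread or from Palo Alto Networks: a small offline model of a CPE's inbound BGP policy over three SC peerings. The prefixes, the peer addresses 169.254.x.1, the SC IDs 101/102/103, and the branch community 65000:20 are constructed sample values; the sample also assumes each SC tunnel advertises the pool tagged with its own firewall ID, which you should confirm against your own BGP status page as the reply above suggests.

```python
"""Added example (not from the thread or Palo Alto Networks): models the community
handling discussed above so the resulting route selection can be checked offline.
All addresses, SC IDs and the 65000:20 branch community are constructed samples."""
import ipaddress
from dataclasses import dataclass

PRISMA_ASN = 65534  # AS number carried in the 65534:x communities per the thread


@dataclass
class Route:
    prefix: str
    next_hop: str             # peer address of the SC tunnel the route came in on (constructed)
    communities: tuple = ()   # standard communities as "ASN:value" strings
    local_pref: int = 100     # BGP default LOCAL_PREF


def parse_community(text: str) -> tuple:
    """Validate an 'ASN:value' standard community and return it as ints."""
    asn, value = (int(part) for part in text.split(":"))
    if not (0 <= asn <= 65535 and 0 <= value <= 65535):
        raise ValueError(f"out-of-range community {text!r}")
    return asn, value


def mobile_user_routes(pool: str, sc_id: int, next_hop: str) -> list:
    """Model of the behaviour stated in the thread: an onboarded Mobile User pool is
    split into /24 blocks, each tagged 65534:<ID of the active SC firewall>."""
    net = ipaddress.ip_network(pool)
    blocks = [net] if net.prefixlen >= 24 else net.subnets(new_prefix=24)
    return [Route(str(b), next_hop, (f"{PRISMA_ASN}:{sc_id}",)) for b in blocks]


def prisma_sc_id(route: Route):
    """SC firewall ID a route is tagged with, or None (e.g. an untagged RN prefix)."""
    for c in route.communities:
        asn, value = parse_community(c)
        if asn == PRISMA_ASN:
            return value
    return None


def inbound_policy(route: Route, policy: dict) -> Route:
    """Per-neighbour route-map equivalent: policy[next_hop] maps a community to the
    LOCAL_PREF to set when a route received from that neighbour carries it."""
    for community, pref in policy.get(route.next_hop, {}).items():
        if community in route.communities:
            route.local_pref = max(route.local_pref, pref)
    return route


def best_paths(routes: list, policy: dict) -> dict:
    """Highest LOCAL_PREF wins per prefix; ties are returned together as ECMP
    candidates, which is what untagged RN prefixes learned over every SC become."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(inbound_policy(r, policy))
    best = {}
    for prefix, cands in by_prefix.items():
        top = max(c.local_pref for c in cands)
        best[prefix] = sorted(c.next_hop for c in cands if c.local_pref == top)
    return best


# Constructed policy: prefer the in-region US SC (ID 101) for its MU pools, and the
# EU SC peer for prefixes the EU branches tagged with their own regional community.
POLICY = {
    "169.254.1.1": {"65534:101": 200},
    "169.254.3.1": {"65000:20": 200},
}


def sample_routes() -> list:
    """Constructed RIB-in of a CPE peered with SC 101/102 (US) and SC 103 (EU):
    the same MU pool learned over each tunnel, one untagged RN prefix, and one
    RN prefix the branch tagged with 65000:20 (preserved by Prisma per the thread)."""
    routes = []
    routes += mobile_user_routes("10.50.0.0/23", 101, "169.254.1.1")
    routes += mobile_user_routes("10.50.0.0/23", 102, "169.254.2.1")
    routes += mobile_user_routes("10.50.0.0/23", 103, "169.254.3.1")
    for hop in ("169.254.1.1", "169.254.2.1", "169.254.3.1"):
        routes.append(Route("192.168.10.0/24", hop))                  # untagged RN prefix
        routes.append(Route("192.168.20.0/24", hop, ("65000:20",)))   # branch-tagged RN prefix
    return routes


if __name__ == "__main__":
    for prefix, hops in best_paths(sample_routes(), POLICY).items():
        print(prefix, "->", hops)
```

Because the match is keyed on the neighbour as well as the community, the policy still pins return traffic to the chosen tunnel even if a pool turns out to carry the same 65534:x value over every SC; and the untagged RN prefix falling through to three equal-cost next hops is exactly the situation the branch-side tagging in the reply above is meant to resolve.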
06-25-2021 07:56 AM
Hi Wade,
I understand that Prisma will advertise the Mobile User IP pool prefixes using the previously mentioned community strings over the BGP peering sessions inside the Service Connection. There will be, in region, a Primary tunnel, and Secondary with Tertiary tunnels in another region. Is there a way for Prisma to signal over the various BGP peerings which tunnel is the Primary tunnel, in an effort to avoid asymmetric routing?
Thanks
Paul.