Can I manipulate routes from Prisma to a data center using BGP MED values


Our HQ currently uses dual ISPs for internet access and has VPN tunnels to Prisma configured across both ISP circuits as primary and secondary VPN tunnels for a single service connection. At HQ both tunnels terminate at a Palo Alto 1420 NGFW HA pair. We are using BGP to exchange routing information between Prisma and the 1420. On the 1420 we have 2 virtual routers running BGP instances, one for each of the Prisma VPN tunnels. We are currently advertising the HQ networks to Prisma without MED values in both BGP instances and letting Prisma handle prioritizing the routes based on the status of the primary and secondary VPN tunnels. The 2 1420 BGP instances are also neighbors with each other.

We need to make the current secondary tunnel our new primary tunnel and our current primary tunnel our new secondary tunnel. This must be done non-disruptively.

Here is a proposed migration scenario. Let's call our current service connection SC-A. We have a spare, unused Prisma service connection available to us, which I'll call SC-B. We create SC-B and configure a primary VPN tunnel for it using the settings we currently have for SC-A's secondary VPN tunnel. When the secondary VPN tunnel to SC-A is deactivated and the primary VPN tunnel to SC-B is activated on the 1420 we want all Prisma traffic to flow through SC-B.

Here is how I propose to do that. In each of the 1420's BGP instances we advertise the HQ routes to Prisma with pre-assigned MED values. To SC-A we advertise them with MED 200 and to SC-B we advertise them with MED 100. To ensure that traffic out to Prisma is symmetric we use BGP local preference values to send traffic to Prisma out SC-B.

Will Prisma honor the MED values we feed it, or will it override the MED values we provide and use its own internal logic to determine which service connection to use to get traffic to our HQ?

Or maybe I'm overthinking this whole issue and there is a simpler, non-disruptive way to switch the primary and secondary VPN tunnels.
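To make the question concrete, here is an added example (not from the post, and not Palo Alto or Prisma Access code) that runs the standard BGP best-path decision over the two advertisements described above. It assumes constructed ASNs, prefixes and router IDs, and models two receiver behaviours: one that compares MED as the RFC describes, and one that sets its own LOCAL_PREF per tunnel, in which case the MED of 200 versus 100 is never reached.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Route:
    """One BGP path for a prefix, with the attributes the decision process reads."""
    prefix: str
    learned_from: str   # peer/tunnel label, e.g. "SC-A" (constructed labels)
    as_path: tuple      # leftmost element is the neighbor AS
    local_pref: int = 100
    origin: int = 0     # 0=IGP, 1=EGP, 2=INCOMPLETE; lower wins
    med: int = 0        # lower wins, but only comparable across the same neighbor AS
    router_id: str = "0.0.0.0"
def bgp_best(routes):
    """Standard decision order (RFC 4271 9.1.2.2 as most vendors apply it):
    1. highest LOCAL_PREF  2. shortest AS_PATH  3. lowest ORIGIN
    4. lowest MED, only if the remaining paths share the same neighbor AS
    5. lowest BGP router ID as the final tie-break."""
    cands = list(routes)
    for key, want_max in ((lambda r: r.local_pref, True),
                          (lambda r: len(r.as_path), False),
                          (lambda r: r.origin, False)):
        best = (max if want_max else min)(key(r) for r in cands)
        cands = [r for r in cands if key(r) == best]
    if len({r.as_path[0] for r in cands}) == 1:   # MED is scoped per neighbor AS
        low = min(r.med for r in cands)
        cands = [r for r in cands if r.med == low]
    return min(cands, key=lambda r: tuple(int(o) for o in r.router_id.split(".")))
def apply_local_pref(routes, pref_by_peer):
    """Import policy: a receiver that sets LOCAL_PREF per tunnel decides on that
    before MED is ever consulted."""
    return [replace(r, local_pref=pref_by_peer.get(r.learned_from, r.local_pref))
            for r in routes]

# Constructed sample (ASNs, prefixes and router IDs are placeholders, not the poster's):
# HQ AS 65001 advertises 10.0.0.0/16 over both service connections with the
# MEDs proposed in the post, 200 toward SC-A and 100 toward SC-B.
HQ_AS, PRISMA_AS = 65001, 65002
PRISMA_VIEW = [Route("10.0.0.0/16", "SC-A", (HQ_AS,), med=200, router_id="10.255.0.1"),
               Route("10.0.0.0/16", "SC-B", (HQ_AS,), med=100, router_id="10.255.0.2")]
# HQ side: the same Prisma prefix arrives over both tunnels; local-pref raised on SC-B.
HQ_VIEW = apply_local_pref(
    [Route("172.16.0.0/12", "SC-A", (PRISMA_AS,), router_id="10.254.0.1"),
     Route("172.16.0.0/12", "SC-B", (PRISMA_AS,), router_id="10.254.0.2")], {"SC-B": 200})

def return_path():                    # Prisma -> HQ, if the receiver honours MED
    return bgp_best(PRISMA_VIEW).learned_from
def return_path_if_local_pref_set():  # receiver prefers one tunnel by its own policy
    return bgp_best(apply_local_pref(PRISMA_VIEW, {"SC-A": 200})).learned_from
def outbound_path():                  # HQ -> Prisma, steered by HQ local-pref
    return bgp_best(HQ_VIEW).learned_from
```

Whether the real receiver behaves like the first or the second case is exactly what has to be confirmed with the vendor; the MED plan only yields a symmetric SC-B path in the first case.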
