Hi there,
You cannot create an equivalent prefix-list / route-map combination in PANOS. Your best option would be to tag the host routes with a particular community string and use an import policy on the firewall to deny those prefixes.
!
ip prefix-list FOO-OUT seq 10 permit 0.0.0.0/0 ge 32
!
route-map PA01 permit 10
match ip address prefix-list FOO-OUT
set community 65000:999
!
route-map PA01 permit 20
set community 65000:1
!
router bgp 65000
bgp log-neighbor-changes
neighbor 192.168.100.1 remote-as 65001
!
address-family ipv4
network 100.0.0.1 mask 255.255.255.255
network 192.168.101.0 mask 255.255.255.252
neighbor 192.168.100.1 activate
neighbor 192.168.100.1 send-community
neighbor 192.168.100.1 route-map PA01 out
exit-address-family
!
Now under normal circumstances we can see both prefixes on the Palo, with the different community strings:
admin@PA-VM> show routing protocol bgp loc-rib-detail
VIRTUAL ROUTER: WAN (id 2)
==========
----------
Prefix: 100.0.0.1/32 *
Nexthop: 192.168.100.2
Received from: Peer ISP01 (id 1)
Originator ID: 0.0.0.0
AS Path: 65000
Origin: IGP
MED: 0
Local Preference: 100
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
Community: 65000:999
----------
Prefix: 192.168.101.0/30 *
Nexthop: 192.168.100.2
Received from: Peer ISP01 (id 1)
Originator ID: 0.0.0.0
AS Path: 65000
Origin: IGP
MED: 0
Local Preference: 100
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
Community: 65000:1
So now we create an import policy in two parts: the first drops prefixes carrying community 65000:999 and the second allows everything else:
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 action deny
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 match community regex 65000.999
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 match route-table unicast
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 used-by ISP
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 enable yes
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update as-path none
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update community none
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update extended-community none
set network virtual-router WAN protocol bgp policy import rules everything_else match route-table unicast
set network virtual-router WAN protocol bgp policy import rules everything_else used-by ISP
set network virtual-router WAN protocol bgp policy import rules everything_else enable yes
Commit the config and check the local RIB:
admin@PA-VM> show routing protocol bgp loc-rib-detail
VIRTUAL ROUTER: WAN (id 2)
==========
----------
Prefix: 192.168.101.0/30 *
Nexthop: 192.168.100.2
Received from: Peer ISP01 (id 1)
Originator ID: 0.0.0.0
AS Path: 65000
Origin: IGP
MED: 0
Local Preference: 100
Atomic aggregate: no
Aggregator AS: 0
Aggregator ID: 0.0.0.0
Weight: 0
Flap: value 0.00, count 0
Community: 65000:1
Hope that helps.
cheers,
Seb.
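A small Python model of the filtering chain described in the answer above, added here as an illustration and not part of the original post or of either vendor's software: it reproduces the IOS prefix-list `ge`/`le` match, the PA01 route-map tagging and the firewall's regex-based import rule. It assumes the PAN-OS community regex behaves like an unanchored search (an assumption), which is why the example also shows the anchored form `^65000:999$`.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample routes, mirroring the two prefixes the IOS router advertises.
SAMPLE_ROUTES = ["100.0.0.1/32", "192.168.101.0/30"]


def prefix_list_matches(prefix: str, entry: str,
                        ge: Optional[int] = None, le: Optional[int] = None) -> bool:
    """IOS 'ip prefix-list ... permit ENTRY [ge N] [le M]' semantics for one entry.
    The route must lie inside ENTRY; without ge/le the mask length must match exactly,
    with ge only the range is ge..32, with le only it is ENTRY-length..le."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    base = ipaddress.IPv4Network(entry, strict=False)
    if not net.subnet_of(base):
        return False
    if ge is None and le is None:
        lo = hi = base.prefixlen
    else:
        lo = ge if ge is not None else base.prefixlen
        hi = le if le is not None else net.max_prefixlen
    return lo <= net.prefixlen <= hi


def route_map_pa01(prefix: str) -> str:
    """Route-map PA01 from the answer: seq 10 tags host routes (0.0.0.0/0 ge 32)
    with 65000:999, seq 20 tags everything else with 65000:1."""
    if prefix_list_matches(prefix, "0.0.0.0/0", ge=32):
        return "65000:999"
    return "65000:1"


def import_policy(community: str, deny_regex: str = r"65000.999") -> str:
    """PAN-OS import rules from the answer, evaluated top-down:
    drop_65000_999 denies on a community regex hit, everything_else allows.
    Assumption: the regex is an unanchored search, as re.search() does here."""
    if re.search(deny_regex, community):
        return "deny"
    return "allow"


def advertise_and_import(routes: List[str]) -> List[str]:
    """Tag each route as the IOS router would, then apply the firewall import policy.
    Returns the prefixes that make it into the firewall's loc-RIB."""
    accepted = []
    for prefix in routes:
        if import_policy(route_map_pa01(prefix)) == "allow":
            accepted.append(prefix)
    return accepted
```

Because `.` in `65000.999` matches any single character and the search is unanchored in this model, a community such as `65000:9990` would also be dropped; `^65000:999$` limits the rule to the intended value.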