Support FAQ

Support FAQ on LIVEcommunity is where customers can find answers to their most common queries, in collaboration with Palo Alto Networks Knowledge Base.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
About Support FAQ
This Support FAQ on LIVEcommunity is where customers can find answers to their most common queries. In collaboration with KnowledgeBase, this Support FAQ offers guides and comprehensive resources to help address questions or concerns with ease. We’re dedicated to providing accessible solutions.
Featured Article
Most days, BGP runs quietly in the background. BGP advertises routes that keep your WAN, VPN, cloud environments, and public services connected and reachable. Until it doesn’t. And when BGP breaks, it’s not just a routing issue, it’s unreachable services and frustrated users.   This guide will help you troubleshoot BGP on Palo Alto Networks firewalls, so you can quickly identify the problem and get traffic flowing again.   Understand the Basics: Is It You or Them? Before diving deep into logs and captures, start by asking: Is this a new BGP configuration that never came up, or an existing session that suddenly stopped working? Is the problem BGP-related or does it point to a larger connectivity or firewall policy issue?  Many BGP issues boil down to basic reachability, misconfigurations, or route filtering errors. Let’s walk through how to systematically rule those out.    Start with the Transport Before you jump to BGP configurations, always remember that BGP won't even attempt to negotiate unless the underlying TCP session (port 179) can be established. If the basic IP reachability or session is broken, BGP will stay silent. Check Interfaces and Zones: Confirm the interface is physically up, has the correct assigned IP, and is placed in the intended zone. Ensure the virtual router routing table has the correct next-hop to the peer.   Ping the Peer IP (Basic Reachability Check): Verify your firewall can reach the BGP neighbor IP from the correct interface and virtual router. This also validates that the firewall’s routing table has a path to the BGP neighbor. Review Security Policies: Confirm you are explicitly allowing the BGP App-ID (TCP/179) in both directions: From the local zone to the BGP peer’s zone. From the BGP peer’s zone to the local zone.   Always start by verifying Layer 3 and Layer 4 connectivity, before diving into BGP-level config. Check this helpful KB on learning about BGP Neighbor Adjacency.    Check BGP Session Status Once you’ve confirmed the underlying transport is open and reachable, your next move is to see what the BGP session is doing.    Before jumping into the CLI, you can check the System Logs in the GUI (Monitor -> Logs -> System). These logs can provide early hints about BGP negotiation failures, mismatched parameters, or TCP resets. You can filter the system logs to show events related to routing ( subtype eq routing ).    Why start with the system logs? They can quickly show if the firewall is attempting to open the BGP session. You'll often see useful error messages such as: "BGP peer x.x.x.x, Connection rejected." "BGP peer x.x.x.x, Wrong AS number." "BGP peer x.x.x.x, Hold timer expired." System logs can also confirm if your firewall is sending or receiving BGP connection attempts, or if the session is being actively torn down due to policy or config errors. Use the CLI to Confirm the Session State   After reviewing the system logs, you can validate the current BGP session state by entering show routing protocol bgp peer.   This command shows real-time status of your BGP peers. Here’s what the session states mean: Idle / Active No TCP session established. Go back and double-check transport, routing, peer IP, and security policies. Connect TCP handshake is trying but hasn't completed—this still points to possible transport or routing issues. OpenSent / OpenConfirm TCP is up and BGP messages are being exchanged, but something is preventing the session from finalizing. Check AS numbers, BGP passwords, and timer mismatches. Established Success! The session is up. If routes aren’t flowing as expected, you’ll want to investigate import/export policies or route filters.   If the CLI shows your session is stuck in Active or Connect, it’s usually still a basic connectivity or transport issue. Head back to the earlier steps to double-check transport and policy.   Review BGP Configuration (Local and Peer Settings) If your BGP session is stuck in OpenSent or OpenConfirm, or even if it's Established but routes aren’t flowing, the next step is to double-check your BGP configuration on both sides.   Key items to verify in the PAN Firewall GUI or CLI:   Local AS Number Confirm the local AS number matches what your peer expects.   On Palo Alto: Network > Virtual Routers > <VR> > BGP > General CLI: show routing protocol bgp peer <peer-IP>   Peer IP Address   Ensure the correct peer IP address is configured. Peer AS Number   The peer AS must match the remote device's local AS. Authentication (if configured) Confirm both sides have the same MD5 password.   A mismatch here will cause the session to hang in OpenSent or get rejected. On Palo Alto: Network > Virtual Routers > <VR> > BGP > Peer Group > <peer> > Authentication BGP Timers Ensure your keepalive and hold timers are aligned with the peer. Advanced Options If using multi-hop eBGP, confirm that EBGP multihop is enabled. Default is set to 1. Verify address families (IPv4, IPv6) match what the peer supports. Check for any route-reflector, route-server, or additional features that might require matching settings.   Check Route Advertisements and Filters Once your BGP session is established, confirm that routes are actually being exchanged. View Advertised and Received Routes: Go to: Network > Virtual Routers > [Your VR] > BGP > Peer Group > [Your Peer] Click on More Runtime Stats. Under RIB Out, view the routes being advertised. Under RIB In, view the routes being received. View Local Routing Table Go to: Network > Virtual Routers > [Your VR] Click More Runtime Stats. View the Routing Table tab. Review Filters and Policies Check if Export Rules (under BGP > Export Rules) are blocking intended prefixes. Review Import Rules (under BGP > Import Rules) to ensure you're not accidentally discarding routes from the peer. Confirm any Redistribution Profiles are properly set up if you're trying to redistribute static, connected, or other routes into BGP. If you're seeing routes in RIB In, but they're missing from the local routing table, check:   Administrative distances (BGP may lose to another protocol like static or OSPF). Route filtering policies. Overlapping or conflicting routes.   Wrapping It Up   BGP troubleshooting can feel overwhelming, especially when the symptoms impact critical services across WAN, VPN, and cloud environments. Break it down step by step to make it more manageable:   Start with the transport layer. Check the BGP session state. Validate key configurations. Review the routes being exchanged.   For more examples, use cases, and configuration tips, check out the Knowledge Base resource list for BGP Configuration and Troubleshooting.  
View full article
If you’ve ever worked with network security, you’ve probably encountered Network Address Translation (NAT) at some point. It’s one of those fundamental networking concepts that keeps the internet running smoothly. But why should you use NAT specifically on Palo Alto Networks ‘firewalls? Let’s break it down in a way that makes sense, especially if you're managing security policies and network architecture.
View full article
Are you seeking better control over your web traffic? This guide will walk you through the steps to create custom URL categories and integrate them into your security policies.
View full article
  • 7 Posts
  • 24 Subscriptions
Top Contributors