About Charles-SFG

Alexander,   Thank you for your response.    “Can you clarify what is your concern? Did I understand you correctly that you asking how to configure the BGP without actually using the bgp routes and during maintenance window to switch to the BGP routing?”   My concern is migrating to our new EBGP and new IP space without any downtime. So we need to be able to verify test traffic passes through the BGP before migrating production traffic to it. For inbound traffic both the old IPs and new IPs will need to be accessible while DNS propagates. Some business partners may also have hardcoded or host entries for our IP for their API requests, even though they shouldn’t. I understand that enabling ECMP restarts the router so ECMP will need to be done during a maintenance window.   Having never done this before and not finding any documentation that matches what we plan to do makes it harder to plan.   “Another question - the two peers, are they both external for your firewall? Am I guessing correctly that the two peers are just for resilience and you will receive the same routes from both and you need to advertise same routes to both (but with different metric)?”   Yes, the two peers are to the same ISP via different fiber paths for resilience.   “When you are configuring the BGP you can leave the option "Install Routes" unchecked (I believe this is off by default) - As you can see from this document when this option is not checked FW will bring the BGP peering up, it will receive and advertise any routes from peers, but the received routes are not installed in the RIB.” and “Which effectively allow you to test the BGP peering and what is received from the peers, without affecting the current routing and using the old path.”   This sounds like a good first step to verify the peers are configured properly. After that we will need to send some test traffic over it. Thanks for the link. Thank you, Charles ... View more

Thank you for your reply.   When we switched to PaloAlto several years ago we contracted the installation. PBF never worked so we removed it entirely in preparation for BGP.   Would we do the following? add the BGP interface routes to the VR with a high metric so normal traffic will never hit it create a PBF rule with one internal IP (Test System) as the source and egress on one of the new BGP interfaces create a Policy Rule from the Test System to any IP in the BGP zone  Am I correct in thinking it would do the following? the PBF would force traffic from the Test System to use the route for the BGP interface in the VR the BGP interface is in the BGP zone so it would match the new Polcy Rule because it matched the Test System, BGP zone and destination Thanks again for your help. ... View more

Agreed.   Opened a case with PA. They say it will be addressed in PANOS 9. Not sure what year that will happen so we ended up turning the listener off in Interface Management.  We have a 3020 and 2050. They aren't releasing PANOS 8 for the 2050 even though the 2050 is supported for a couple more years! Who knows whether they will do the same with the 3020 and PANOS 9. "Supported" should mean "PA will fix CVEs regardless of PANOS version."  ... View more

I agree that it would be better to remove 3DES ciphers from the supported cipher list.   Can you even apply SSL/TLS service profiles against the integrated User-ID listening on the management interface of the PA firewall? ... View more