Configure Dynamic Routing in CN-Series HSF

Configure BGP and BGP over BFD dynamic routing protocols in your CN-Series HSF cluster.
Where Can I Use This?
  • CN-Series HSF firewall deployment
What Do I Need?
  • Panorama running with minimum PAN-OS 11.1 version
CN-Series Hyperscale Security Fabric (HSF) now introduces dynamic routing through BGP and BGP over BFD protocols. Using dynamic routing, you can attain stable, high-performing, and highly available layer 3 routing through profile-based filtering lists and conditional route maps which can be used across logical routers. These profiles provide finer granularity to filter routes for each dynamic routing protocol and improve route redistribution across multiple protocols.
BGP looks for the available paths that data could travel and picks the best route, based on IP prefixes that are available within autonomous systems. The Bidirectional Forwarding Detection (BFD) configuration manages the CN-GW pods and path failures.
To enable dynamic routing, you will need to configure Panorama and the CN-Series HSF cluster. You will need at least 2 CN-MGMTs, 2 CN-NGFWs, 2 CN-DBs and 1 CN-GW in the cluster. The BGP peering is configured between the CN cluster and the external router.
On the CN-Series HSF, dynamic routing is supported on PAN-OS 11.x.x. For information on obtaining PAN-OS 11.0, see Get the Images and Files for the CN-Series Deployment.
In Panorama, you will need to configure the device groups and manage the HSF cluster through the device group. To configure the HSF cluster, see Deploy the HSF Cluster.
To configure BGP on the HSF cluster, you will need to perform the following steps:
  1. Enable advanced routing.
  2. Configure a logical router.
  3. Create a static route for CN-GW loopback interface.
  4. Configure BGP on an advanced routing engine.
    1. Currently, only IPv4 is supported on BGP routing.
    2. While creating a peer, ensure that you create a loopback session and provide a loopback IP address for each CN-GW in the Addressing tab.
  5. (optional) Create BGP routing profiles for authentication, timers, address families, dampening, route redistribution to BGP, and BGP filtering.
  6. (optional) Create filters for the advanced routing engine, such as access lists, prefix lists, AS Path access lists, community lists, and route maps.
  7. Click Commit to Panorama. After the configuration is committed to Panorama, BGP will be configured to each CN-GW.
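The prerequisites and addressing rules above (minimum pod counts, IPv4-only BGP, one loopback address per CN-GW) can be checked against a planned design before you commit. The following is an added example, not Palo Alto Networks code; the plan layout with its "pods", "gateways" and "peers" keys and the pod names are hypothetical, and the addresses are constructed from documentation ranges.

```python
# Added example: pre-commit sanity check for a planned CN-Series HSF BGP design.
# The plan layout (keys "pods", "gateways", "peers") is hypothetical, not a Panorama format.
import ipaddress

# Minimum pod counts stated on this page for dynamic routing.
MIN_PODS = {"CN-MGMT": 2, "CN-NGFW": 2, "CN-DB": 2, "CN-GW": 1}

def _ipv4(value):
    """Return an IPv4Address, or None if value is missing, malformed or IPv6."""
    try:
        addr = ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return None
    return addr if addr.version == 4 else None

def validate_plan(plan):
    """Return a list of human-readable problems; an empty list means the plan passes."""
    problems = []
    pods = plan.get("pods", {})
    for kind, minimum in MIN_PODS.items():
        if pods.get(kind, 0) < minimum:
            problems.append(f"{kind}: need at least {minimum}, plan has {pods.get(kind, 0)}")
    gateways = plan.get("gateways", {})
    if len(gateways) != pods.get("CN-GW", 0):
        problems.append("every CN-GW needs an entry with its loopback address")
    seen = {}  # loopback address -> first CN-GW that claimed it
    for name, loopback in gateways.items():
        addr = _ipv4(loopback)
        if addr is None:
            problems.append(f"{name}: loopback {loopback!r} is not a valid IPv4 address")
        elif addr in seen:
            problems.append(f"{name}: loopback {addr} already used by {seen[addr]}")
        else:
            seen[addr] = name
    for peer in plan.get("peers", []):
        if _ipv4(peer) is None:
            problems.append(f"peer {peer!r}: only IPv4 is supported for BGP")
    return problems

# Constructed sample plan (documentation address ranges, not real devices).
SAMPLE_PLAN = {
    "pods": {"CN-MGMT": 2, "CN-NGFW": 2, "CN-DB": 1, "CN-GW": 2},
    "gateways": {"cn-gw-0": "192.0.2.1", "cn-gw-1": "192.0.2.1"},
    "peers": ["198.51.100.1", "2001:db8::1"],
}

if __name__ == "__main__":
    for line in validate_plan(SAMPLE_PLAN):
        print(line)
```

The sample plan deliberately fails three checks: too few CN-DB pods, a loopback address reused by two CN-GWs, and an IPv6 peer.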
To check BGP status, log in to CN-MGMT and execute the following commands:
  • show advanced-routing bgp summary
  • show advanced-routing bgp peer status
  • show advanced-routing bgp peer details
To check BFD status from CN-MGMT, execute the following commands:
  • show advanced-routing bfd summary
  • show advanced-routing bfd details