Next-Generation Firewall
Configure a BGP Filter Route Map
Configure a BGP route map to apply attributes for routes that you want to control in
the same way.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
Configure a BGP route map:
- For the Default Originate Route-Map field of a BGP AFI Profile; the match criteria define when to generate the default route (0.0.0.0). Apply the BGP AFI profile to a BGP peer group or peer. The Match criteria can be any parameter and if there’s a match to an existing BGP route, the default route is created; the Set portion of the route map isn’t used. Instead, you can use an outbound route-map to set properties for the generated default route.
- To set (override) BGP attributes that BGP is sending to a peer.
- For NAT, to set Source Address and IPv4 Next Hop for a certain group of prefixes you’re advertising, enter a public IP address from the NAT pool to replace a private IP address.
- To redistribute static, connected, or OSPF routes into BGP; then reference the BGP route map in a BGP Redistribution profile.
- In a BGP Filtering Profile, use a BGP route map in Inbound Route Map or Outbound Route Map to filter routes that are accepted (learned) from BGP peers into the local BGP RIB (inbound) or advertised to BGP peers (outbound).
- To conditionally advertise BGP routes in a BGP Filtering Profile, create an Exist Map, which specifies that if these conditions in the route exist, advertise the route based on an Advertise Map. Alternatively, specify that if these conditions don’t exist, advertise the route based on a Non-Exist Advertise Map.
- In a BGP Filtering Profile, set an IPv4 Next Hop to use a public NAT address rather than a private address.
- In a BGP Filtering Profile, use a BGP route map to unsuppress routes that were suppressed due to route dampening or aggregation.
- To conditionally filter more specific routes for a logical router, configure BGP Aggregate Routes and provide the Suppress Map.
- To set attributes for an aggregate route, for a logical router, configure BGP Aggregate Routes and provide the Attribute Map.
A filter can have multiple rules; the firewall evaluates packets or routes against the rules in a filter in order by the sequence number of each rule. When a packet or route matches a rule, the deny or permit action occurs and the packet or route isn’t evaluated against subsequent rules.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > NGFW and Prisma Access > Device Settings > Routing > Profiles > Filters and select the Configuration Scope where you want to configure the BGP route map. You can select a folder or firewall from your Folders, or select Snippets to configure the BGP route map in a snippet.
- Add a Route Map BGP filter.
- Enter a Name for the BGP route map. The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain a combination of alphanumeric characters, underscores, or hyphens. No dot (.) or space is supported.
- Add a Route Map entry and configure the BGP route map Entry.
- Enter the Seq number of the access list filtering rule in the list of rules for the BGP route map. Range is 1 to 65,535. Leave unused numbers between sequence numbers so you can insert additional rules faster.
- Enter a helpful Description of the entry (rule).
- For Action, select Deny or Permit.
- Configure the BGP route map Match to specify the criteria that determine which routes are subject to the function that uses the route map. Multiple attributes are logically ANDed, meaning that all criteria must be met.
- Configure the BGP route match criteria.
- AS Path Access List—Select an AS path list. Default is None.
- Regular Community—Select a Community list. Default is None.
- Large Community—Select a Large Community list. Default is None.
- Extended Community—Select an Extended Community list. Default is None.
- Metric—Enter a value in the range 0 to 4,294,967,295.
- Interface—Select a local interface from the list of all interfaces for all logical routers. Make sure to choose an interface that belongs to the logical router you’re configuring. Default is None. At commit, the firewall checks that the interface you chose belongs to the logical router you’re configuring.
- Origin—Select the origin of the route: ebgp, ibgp, or incomplete. Default is None.
- Tag—Enter a tag value that has meaning in your networks, in the range 0 to 4,294,967,295.
- Local Preference—Enter a value in the range 0 to 4,294,967,295.
- Peer—Select a peer name or local (Static or Redistributed routes). Default is None.
Configure the BGP route map to match on various types of IPv4 addresses.
- On the Address tab, select an Access List to specify addresses to match.
- Select a Prefix List to specify addresses to match. It matches the prefix received from a peer or a prefix redistributed to a protocol from another protocol. If both an access list and a prefix list are specified, both requirements must be met (logical AND).
- On the Next Hop tab, select an Access List to specify next hop addresses to match.
- Select a Prefix List to specify next hop addresses to match.
- On the Route Source tab, select an Access List to specify a source IP address of a route to match. For example, the access list could permit a distant peer with the address 192.168.2.2 who is advertising a route to a certain prefix. You can make this BGP route map match on the route’s source address 192.168.2.2 and then perhaps filter the route based on matching the peer address 192.168.2.2 as the source of the route, or set a next hop for routes matching that route source.
- Select a Prefix List to specify one or more source network prefixes to match.
Set any of the following attributes for routes that meet the match criteria.
- Enable BGP atomic aggregate—Mark the route as a less specific route because it has been aggregated. ATOMIC_AGGREGATE is a well-known discretionary attribute that alerts BGP speakers along a path that information has been lost due to route aggregation, and therefore the aggregate path might not be the best path to the destination. When some routes are aggregated by an aggregator, the aggregator attaches its Router-ID to the aggregated route in the AGGREGATOR-ID attribute and sets the ATOMIC_AGGREGATE attribute or not, based on whether the AS_PATH information from the aggregated routes was preserved.
- Local Preference—Enter the local preference to which matching routes are set; the range is 0 to 4,294,967,295. IBGP Update packets carry local preference, which is advertised to IBGP peers only. When there are multiple routes to another AS, the firewall prefers the highest local preference.
- Tag—Set a tag; range is 1 to 4,294,967,295.
- Metric Action—Select an action: set, add, or subtract. You can set the specified Metric Value, or add the specified Metric Value to the matching route’s original metric value, or subtract the specified Metric Value from the matching route’s original metric value; default is set. Select the add or subtract action to adjust a metric and thus prioritize or deprioritize the matching route.
- Metric Value—Enter the metric value to set matching routes to, or add to, or subtract from the original metric value; the range is 0 to 4,294,967,295.
- Weight—Set a weight (applied locally; not propagated); range is 0 to 4,294,967,295.
- Origin—Set the origin of the matching routes: ebgp, ibgp, or incomplete (unclear how the route came to be added to the RIB).
- Delete Regular Community—Select a regular community to delete. Default is None.
- Delete Large Community—Select a large community to delete. Default is None.
- Originator ID—Set the IP address of the originator of the matching routes.
- Aggregator AS—Enter the Aggregator AS. The Aggregator attribute includes the AS number and the IP address of the router that originated the aggregated route. The IP address is the Router ID of the router that performs the route aggregation.
- Router ID—Enter the aggregator’s Router ID (usually a loopback address).
- Select an IPv4 Next-Hop to set: none, peer-address (Use Peer Address), or unchanged.
- Select an IPv4 Source Address to set from the list of all source addresses from all logical routers or select None. At commit, the firewall checks that the source address you chose belongs to the logical router you’re configuring.
- For the AS Path Exclude, add up to four AS paths to exclude from the AS path of matching routes, perhaps to remove an AS from a confederation.
- For the AS Path Prepend, add up to four AS Paths to prepend to the AS Path of one or more matching routes (to make the route in an advertisement less desirable).
- For the Regular Community, select Overwrite Regular Community to overwrite the regular community, then Add one or more regular communities.
- For the Large Community, select Overwrite Large Community to overwrite the large community, then Add one or more large communities.
Add the BGP route map entry, then Save.
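The evaluation rules described above (entries tried in ascending Seq order, all Match criteria in an entry ANDed, the first matching entry deciding Permit or Deny, and Set attributes such as Metric Action, Local Preference and AS Path Prepend/Exclude applied only to permitted routes) as a small Python model. This is an added example, not Palo Alto Networks code; the Route and Entry types, the match keys, the constructed sample map and the implicit deny when no entry matches are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

@dataclass
class Route:
    prefix: str
    as_path: list
    peer: str = ""
    metric: int = 0
    local_pref: int = 100

@dataclass
class Entry:
    seq: int        # evaluation order; gaps (10, 20, ...) leave room to insert rules later
    action: str     # "permit" or "deny"
    match: dict = field(default_factory=dict)
    set: dict = field(default_factory=dict)

def matches(entry, route):
    """All Match criteria configured on the entry are ANDed."""
    m, net = entry.match, ip_network(route.prefix)
    if "prefix_list" in m and not any(net.subnet_of(ip_network(p)) for p in m["prefix_list"]):
        return False
    return "peer" not in m or route.peer == m["peer"]

def apply_set(entry, route):
    """Apply the Set attributes of a permitting entry to the route (in place)."""
    s = entry.set
    if "metric_value" in s:
        v, act = s["metric_value"], s.get("metric_action", "set")   # default action is set
        route.metric = v if act == "set" else route.metric + v if act == "add" else max(0, route.metric - v)
    route.local_pref = s.get("local_pref", route.local_pref)
    kept = [a for a in route.as_path if a not in s.get("as_path_exclude", [])]
    route.as_path = s.get("as_path_prepend", []) + kept
    return route

def evaluate(route_map, route):
    """First matching entry in ascending Seq order decides; later entries are not consulted."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if matches(entry, route):
            return (True, apply_set(entry, route)) if entry.action == "permit" else (False, route)
    return False, route   # assumption (the page does not say): implicit deny when nothing matches

def demo_route_map():
    # Constructed sample: deny 10/8 from one peer, tune the rest of 10/8, permit everything else.
    return [
        Entry(30, "permit"),   # listed out of order on purpose: Seq, not list position, decides
        Entry(10, "deny", match={"peer": "192.168.2.2", "prefix_list": ["10.0.0.0/8"]}),
        Entry(20, "permit", match={"prefix_list": ["10.0.0.0/8"]}, set={"metric_action": "add",
              "metric_value": 50, "local_pref": 200, "as_path_prepend": [65001, 65001]}),
    ]
```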