Create Filters for the Advanced Routing Engine (SCM)

  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Device Settings > Routing > Profiles > Filters and select the Configuration Scope where you want to configure a filter.
    You can select a folder or firewall from your Folders or select Snippets to configure a filter in a snippet.
  3. Add Filters Access List.
    1. Enter a Name for the access list.
      The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain a combination of alphanumeric characters, underscore, or hyphen. No dot (.) or space is supported.
    2. Add IPv4 entry.
    3. Configure the IPv4 access list rule.
      1. Enter the Seq number of the access list filtering rules in the list of rules for the access list.
        Range is 1 to 65,535.
        Leave unused numbers between sequence numbers so you can insert additional rules faster.
      2. Select the Action.
        Default is Deny.
      3. Specify the Source Address.
        You can select None (default), Any, or Address.
        (Address only) If you select Address, enter the IPv4 Address and Wildcard mask to indicate a range. A zero (0) in the mask indicates that a bit must match the corresponding bit in the address; a one (1) in the mask indicates a "don't care" bit.
      4. Specify the Destination Address.
        You can select None (default), Any, or Address.
        (Address only) If you select Address, enter the IPv4 Address and Wildcard mask to indicate a range. A zero (0) in the mask indicates that a bit must match the corresponding bit in the address; a one (1) in the mask indicates a "don't care" bit.
      5. Add.
    4. Save.
  4. Add Filters Prefix List.
    1. Enter a Name for the prefix list.
      The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain a combination of alphanumeric characters, underscore, or hyphen. No dot (.) or space is supported.
    2. Configure the prefix list rule.
      1. Enter the Seq number of the prefix list filtering rules in the list of rules for the prefix list.
        Range is 1 to 65,535.
        Leave unused numbers between sequence numbers so you can insert additional rules faster.
      2. Select the Action.
        Default is Deny.
      3. Specify the Source Address.
        You can select None (default), Any, or Network.
        (Address only) If you select Address, enter the IPv4 Address and Wildcard mask to indicate a range. A zero (0) in the mask indicates that a bit must match the corresponding bit in the address; a one (1) in the mask indicates a "don't care" bit.
      4. (Network only) Enter the IPv4 Network with a slash and prefix length.
        (Optional) Enter the prefix length that the prefix must be Greater Than or Equal to (range is 0 to 32).
        (Optional) Enter the prefix length that the prefix must be Less Than or Equal to (range is 0 to 32).
    3. Save.
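The access list and prefix list entries above are easy to misread (a wildcard mask is the inverse of a subnet mask, and ge/le bound the prefix length rather than the address range). The following is an added example, not Palo Alto Networks code, that evaluates constructed sample lists the way the form fields describe them; the first-match-in-Seq-order and implicit-deny behaviour, and the upper bound of 32 when only ge is given, are conventional assumptions not stated on this page.

```python
import ipaddress

# Added example, not Palo Alto Networks code. Access list entry: address plus
# wildcard mask (0 bit = must match, 1 bit = don't care). Prefix list entry:
# network with optional Greater Than or Equal / Less Than or Equal bounds.
# Assumed (not on the page): entries are tried in Seq order, the first match
# decides, and a list that matches nothing denies.

def wildcard_matches(address: str, wildcard: str, candidate: str) -> bool:
    """True if candidate equals address on every bit that is 0 in the wildcard."""
    a = int(ipaddress.IPv4Address(address))
    w = int(ipaddress.IPv4Address(wildcard))
    c = int(ipaddress.IPv4Address(candidate))
    care = ~w & 0xFFFFFFFF          # the bits the entry cares about
    return (a & care) == (c & care)

def prefix_matches(network: str, ge, le, candidate: str) -> bool:
    """True if candidate lies inside network and its prefix length is within
    the ge/le bounds. With neither bound set only that exact prefix matches;
    with only ge set the upper bound is 32 (assumption)."""
    net = ipaddress.IPv4Network(network, strict=False)
    cand = ipaddress.IPv4Network(candidate, strict=False)
    if not cand.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (32 if ge is not None else net.prefixlen)
    return low <= cand.prefixlen <= high

def acl_decision(entries, candidate: str) -> str:
    """entries: (Seq, Action, Address, Wildcard mask); first match wins."""
    for _seq, action, address, wildcard in sorted(entries, key=lambda e: e[0]):
        if wildcard_matches(address, wildcard, candidate):
            return action
    return "deny"   # implicit deny (assumption)

def prefix_list_decision(entries, candidate: str) -> str:
    """entries: (Seq, Action, Network, ge, le); first match wins."""
    for _seq, action, network, ge, le in sorted(entries, key=lambda e: e[0]):
        if prefix_matches(network, ge, le, candidate):
            return action
    return "deny"   # implicit deny (assumption)

# Constructed sample lists, written the way the SCM form fields read.
ACL = [
    (10, "permit", "10.1.0.0", "0.0.255.255"),      # any address in 10.1.0.0/16
    (20, "deny",   "10.0.0.0", "0.255.255.255"),    # the rest of 10.0.0.0/8
    (30, "permit", "0.0.0.0",  "255.255.255.255"),  # every other address (Any)
]
PREFIX_LIST = [
    (10, "deny",   "0.0.0.0/0",    25,   32),    # refuse anything longer than /24
    (20, "permit", "10.0.0.0/8",   None, 24),    # 10/8 and its subnets down to /24
    (30, "permit", "192.0.2.0/24", None, None),  # exactly this one prefix
]
```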
  5. Add Filters AS Path Access List.
    1. Enter a Name for the AS Path access list.
      The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain a combination of alphanumeric characters, underscore, or hyphen. No dot (.) or space is supported.
    2. Add AS path entry.
    3. Enter the Seq number of the entry in the list of rules for the AS path access list.
      Range is 1 to 65,535.
      Leave unused numbers between sequence numbers so you can insert additional rules faster.
    4. For Action, select Deny or Permit.
    5. Enter the Aspath Regex (regular expression) in the format regex1:regex2:regex3, where a colon (:) separates three AS values. Characters allowed are 1234567890_^|[,{}()]$*+.?-\. For example, .*65000 in a Deny statement excludes prefixes originating from AS 65000.
    6. Add the AS Path access list entry.
    7. Save.
  6. Add Filters Community List.
    1. Enter a Name for the community list.
      The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain a combination of alphanumeric characters, underscore, or hyphen. No dot (.) or space is supported.
    2. Select the Type.
      • Regular—Add a Seq number (range is 1 to 65,535) and select the Action: Deny (default) or Permit. Add one or more community values, select one or more well-known communities, or enter a combination of values of well-known communities.
        • A regular community value in the format AA:NN where AA is an AS number and NN is a network number (each with a range of 0 to 65,535).
        • accept-own—Represents well-known community value ACCEPT-OWN (0xFFFF0001).
        • blackhole—Represents well-known community value BLACKHOLE (0xFFFF029A). The neighboring network should discard traffic destined for the prefix.
        • graceful-shutdown—Represents well-known community value GRACEFUL_SHUTDOWN (0xFFFF0000).
        • internet—Represents well-known community value 0 (0x00). Advertise a prefix to all BGP neighbors.
        • local-as—Represents well-known community value NO_EXPORT_SUBCONFED (0xFFFFFF03). The effect is that the prefix isn’t advertised outside of the sub-AS in a confederation.
        • no-advertise—Represents well-known community value NO_ADVERTISE (0xFFFFFF02). Adding this community to a prefix means that the receiving BGP peer will place the prefix in its BGP route table, but won’t advertise the prefix to other neighbors.
        • no-export—Represents well-known community value NO_EXPORT (0xFFFFFF01). Adding this community to a prefix means that the receiving BGP peer will advertise the prefix only to iBGP neighbors, not neighbors outside the AS.
        • no-peer—Represents well-known community value NOPEER (0xFFFFFF04).
        • route-filter-v4—Represents well-known community value ROUTE_FILTER_v4 (0xFFFF0003).
        • route-filter-v6—Represents well-known community value ROUTE_FILTER_v6 (0xFFFF0005).
      • Large—Add a Seq number (range is 1 to 65,535) and select the Action: Deny (default) or Permit. Add a large community regular expression (LC REGEX) entry. Characters allowed in an entry are 1234567890_^|[,{}()]$*+.?-\. Each community must be in the format regex1:regex2:regex3. Enter a maximum of eight communities in a large entry (rule).
      • Extended—Add a Seq number (range is 1 to 65,535) and select the Action: Deny (default) or Permit. Add the BGP extended community regular expression (EC REGEX). Characters allowed are 1234567890_^|[,{}()]$*+.?-\. Each extended community must be in the format regex1:regex2; for example, 204*[3-8]:205*[4-8]. Enter a maximum of eight communities in an Extended entry (rule).
    3. Add your entries to the community list.
    4. Save.
  7. Add Filters Route Map BGP.
    • For the Default Originate Route-Map field of a BGP AFI Profile, the match criteria define when to generate the default route (0.0.0.0). Apply the BGP AFI profile to a BGP peer group or peer. The Match criteria can be any parameter, and if there’s a match to an existing BGP route, the default route is created; the Set portion of the route map isn’t used. Instead, you can use an outbound route-map to set properties for the generated default route.
    • To set (override) BGP attributes that BGP is sending to a peer.
    • For NAT, to set Source Address and IPv4 Next Hop for a certain group of prefixes you’re advertising, enter a public IP address from the NAT pool to replace a private IP address.
    • To redistribute static, connected, or OSPF routes into BGP; then reference the BGP route map in a BGP Redistribution profile.
    • In a BGP Filtering Profile, use a BGP route map in Inbound Route Map or Outbound Route Map to filter routes that are accepted (learned) from BGP peers into the local BGP RIB (inbound) or advertised to BGP peers (outbound).
    • To conditionally advertise BGP routes in a BGP Filtering Profile, create an Exist Map, which specifies that if these conditions in the route exist, advertise the route based on an Advertise Map. Alternatively, specify that if these conditions don’t exist, advertise the route based on a Non-Exist Advertise Map.
    • In a BGP Filtering Profile, set an IPv4 Next Hop to use a public NAT address rather than a private address.
    • In a BGP Filtering Profile, use a BGP route map to unsuppress routes that were suppressed due to route dampening or aggregation.
    • To conditionally filter more specific routes for a logical router, configure BGP Aggregate Routes and provide the Suppress Map.
    • To set attributes for an aggregate route, for a logical router, configure BGP Aggregate Routes and provide the Attribute Map.
    1. Enter a Name for the BGP route map.
      The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain a combination of alphanumeric characters, underscore, or hyphen. No dot (.) or space is supported.
    2. Add Route Map entry.
    3. Configure the BGP route map Entry.
      1. Enter the Seq number of the entry in the list of rules for the BGP route map.
        Range is 1 to 65,535.
        Leave unused numbers between sequence numbers so you can insert additional rules faster.
      2. Enter a helpful Description of the entry (rule).
      3. For Action, select Deny or Permit.
    4. Configure the BGP route map Match to specify the criteria that determine which routes are subject to the function that uses the route map.
      Multiple attributes are logically ANDed, meaning that all criteria must be met.
      1. Configure the BGP route match criteria.
        • AS Path Access List—Select an AS path list. Default is None.
        • Regular Community—Select a Community list. Default is None.
        • Large Community—Select a Large Community list. Default is None.
        • Extended Community—Select an Extended Community list. Default is None.
        • Metric—Enter a value in the range 0 to 4,294,967,295.
        • Interface—Select a local interface from the list of all interfaces for all logical routers. Make sure to choose an interface that belongs to the logical router you’re configuring. Default is None. At commit, the firewall checks that the interface you chose belongs to the logical router you’re configuring.
        • Origin—Select the origin of the route: ebgp, ibgp, or incomplete. Default is none.
        • Tag—Enter a tag value that has meaning in your networks, in the range 0 to 4,294,967,295.
        • Local Preference—Enter a value in the range 0 to 4,294,967,295.
        • Peer—Select a peer name or local (Static or Redistributed routes). Default is none.
      2. Configure the BGP route map to match on various types of IPv4 addresses.
        • On the Address tab, select an Access List to specify addresses to match.
        • Select a Prefix List to specify addresses to match. It matches the prefix received from a peer or a prefix redistributed to a protocol from another protocol.
          If both an access list and prefix list are specified, both requirements must be met (logical AND).
        • On the Next Hop tab, select an Access List to specify next hop addresses to match.
        • Select a Prefix List to specify next hop addresses to match.
        • On the Route Source tab, select an Access List to specify a source IP address of a route to match. For example, the access list could permit a distant peer with the address 192.168.2.2 who is advertising a route to a certain prefix. You can make this BGP route map match on the route’s source address 192.168.2.2 and then perhaps filter the route based on matching the peer address 192.168.2.2 as the source of the route, or set a next hop for routes matching that route source.
        • Specify a Prefix List to specify one or more source networks prefixes to match.
    5. Set any of the following attributes for routes that meet the match criteria.
      • Enable BGP atomic aggregate—Mark the route as a less specific route because it has been aggregated. ATOMIC_AGGREGATE is a well-known discretionary attribute that alerts BGP speakers along a path that information has been lost due to route aggregation, and therefore the aggregate path might not be the best path to the destination. When some routes are aggregated by an aggregator, the aggregator attaches its Router-ID to the aggregated route into the AGGREGATOR-ID attribute and it sets the ATOMIC_AGGREGATE attribute or not, based on whether the AS_PATH information from the aggregated routers was preserved.
      • Local Preference—Enter the local preference to which matching routes are set; the range is 0 to 4,294,967,295. IBGP Update packets carry local preference, which is advertised to IBGP peers only. When there are multiple routes to another AS, the firewall prefers the highest local preference.
      • Tag—Set a tag; range is 1 to 4,294,967,295.
      • Metric Action—Select an action: set, add, or subtract. You can set the specified Metric Value, or add the specified Metric Value to the matching route’s original metric value, or subtract the specified Metric Value from the matching route’s original metric value; default is set. Select the add or subtract action to adjust a metric and thus prioritize or deprioritize the matching route.
      • Metric Value—Enter the metric value to set matching routes to, or add to, or subtract from the original metric value; the range is 0 to 4,294,967,295.
      • Weight—Set a weight (applied locally; not propagated); range is 0 to 4,294,967,295.
      • Origin—Set the origin of the matching routes: ebgp, ibgp, or incomplete (unclear how the route came to be added to the RIB).
      • Delete Regular Community—Select a regular community to delete. Default is None.
      • Delete Large Community—Select a large community to delete. Default is None.
      • Originator ID—Set the IP address of the originator of the matching routes.
      • Aggregator AS—Enter the Aggregator AS. The Aggregator attribute includes the AS number and the IP address of the router that originated the aggregated route. The IP address is the Router ID of the router that performs the route aggregation.
      • Router ID—Enter the aggregator’s Router ID (usually a loopback address).
      • Select an IPv4 Next-Hop to set: none, peer-address (Use Peer Address), or unchanged.
      • Select an IPv4 Source Address to set from the list of all source addresses from all logical routers or select None. At commit, the firewall checks that the source address you chose belongs to the logical router you’re configuring.
      • For the AS Path Exclude, add up to four AS paths to exclude from the AS path of matching routes, perhaps to remove an AS from a confederation.
      • For the AS Path Prepend, add up to four AS Paths to prepend to the AS Path of one or more matching routes (to make the route in an advertisement less desirable).
      • For the Regular Community, select Overwrite Regular Community to overwrite the regular community.
        Add one or more regular communities.
      • For the Large Community, select Overwrite Large Community to overwrite the large community.
        Add one or more large communities.
      • In the Regular Community window, select Overwrite Regular Community to overwrite the regular community.
    6. Add the BGP route map entry.
    7. Save.
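To make the Match (logical AND) and Set semantics of a BGP route map entry concrete, here is an added example that is not Palo Alto Networks code. It models entries tried in Seq order with the first match deciding (an assumption, as on the page only the AND rule is stated), applies the Metric Action set/add/subtract within the documented range, Local Preference, and AS Path Prepend, and uses the page's own `.*65000` AS path regex; the dictionary keys are this example's names, not SCM field names.

```python
import copy
import ipaddress
import re

# Added example, not Palo Alto Networks code. Match keys and Set keys are
# this example's own names. Assumed: entries are evaluated in Seq order,
# the first matching entry decides, and no match means the route is denied.

METRIC_MAX = 4_294_967_295  # documented range of Metric / Metric Value

ROUTE = {  # constructed route as received from a BGP peer
    "prefix": "10.20.0.0/16", "as_path": [65001, 65002],
    "communities": {"65001:100"}, "metric": 50,
    "local_pref": 100, "origin": "ebgp", "peer": "peer-a",
}

def matches(route, match) -> bool:
    """Logical AND over every criterion that is configured (not None);
    an empty Match therefore matches every route."""
    path = " ".join(str(asn) for asn in route["as_path"])
    checks = {
        "as_path_regex": lambda v: re.search(v, path) is not None,
        "community":     lambda v: v in route["communities"],
        "metric":        lambda v: route["metric"] == v,
        "local_pref":    lambda v: route["local_pref"] == v,
        "origin":        lambda v: route["origin"] == v,
        "peer":          lambda v: route["peer"] == v,
        "prefix_in":     lambda v: ipaddress.ip_network(route["prefix"])
                                   .subnet_of(ipaddress.ip_network(v)),
    }
    return all(checks[k](v) for k, v in match.items() if v is not None)

def apply_set(route, sets):
    """Apply a Permit entry's Set attributes to a copy of the route."""
    out = copy.deepcopy(route)
    action, value = sets.get("metric_action", "set"), sets.get("metric_value")
    if value is not None:
        base = 0 if action == "set" else out["metric"]
        new = base - value if action == "subtract" else base + value
        out["metric"] = min(max(new, 0), METRIC_MAX)  # stay in documented range
    if "local_pref" in sets:
        out["local_pref"] = sets["local_pref"]
    # AS Path Prepend: the page allows up to four ASes, added at the front
    out["as_path"] = list(sets.get("as_path_prepend", []))[:4] + out["as_path"]
    return out

def run_route_map(entries, route):
    """Return (action, route_after_set) from the first matching entry."""
    for _seq, action, match, sets in sorted(entries, key=lambda e: e[0]):
        if matches(route, match):
            return ("permit", apply_set(route, sets)) if action == "permit" else ("deny", None)
    return "deny", None  # no entry matched (assumption)

ROUTE_MAP = [  # constructed entries: (Seq, Action, Match, Set)
    (10, "deny",   {"as_path_regex": r".*65000"}, {}),  # page's example regex
    (20, "permit", {"community": "65001:100", "prefix_in": "10.0.0.0/8"},
                   {"metric_action": "add", "metric_value": 25, "local_pref": 200}),
    (30, "permit", {}, {"as_path_prepend": [65010, 65010]}),  # catch-all
]
```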
  8. Add Filters Route Maps Redistribution.
    1. Enter a Name for the redistribution route map.
      The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain a combination of alphanumeric characters, underscore, or hyphen. No dot (.) or space is supported.
    2. Select the Source Protocol. The source protocol is where the Match selections apply.
      You can select BGP, OSPF, Connected, or Static.
    3. Select the Destination Protocol. The destination protocol is where the Set selections apply.
      You can select BGP or OSPF.
    4. Add Route Map entry.
    5. Configure the redistribution route map Entry.
      1. Enter the Seq number of the entry in the list of rules for the redistribution route map.
        Range is 1 to 65,535.
        Leave unused numbers between sequence numbers so you can insert additional rules faster.
      2. Enter a helpful Description of the entry (rule).
      3. For Action, select Deny or Permit.
    6. Configure the redistribution route map Match to configure the criteria for the source protocol.
      1. Configure the BGP route match criteria.
        • AS Path Access List—Select an AS path list. Default is None.
        • Interface—Select the match interface of the route. Default is None.
        • Regular Community—Select a Community list. Default is None.
        • Origin—Select the origin of the route: ebgp, ibgp, or incomplete. Default is none.
        • Large Community—Select a Large Community list. Default is None.
        • Tag—Enter a tag value that has meaning in your networks, in the range 0 to 4,294,967,295.
        • Extended Community—Select an Extended Community list. Default is None.
        • Local Preference—Enter a value in the range 0 to 4,294,967,295.
        • Metric—Enter a value in the range 0 to 4,294,967,295.
        • Peer—Select a peer name or local (Static or Redistributed routes). Default is none.
      2. Configure the BGP route map to match on various types of IPv4 addresses.
        • On the Address tab, select an Access List to specify addresses to match.
        • Select a Prefix List to specify addresses to match. It matches the prefix received from a peer or a prefix redistributed to a protocol from another protocol.
          If both an access list and prefix list are specified, both requirements must be met (logical AND).
        • On the Next Hop tab, select an Access List to specify next hop addresses to match.
        • Select a Prefix List to specify next hop addresses to match.
        • On the Route Source tab, select an Access List to specify a source IP address of a route to match. For example, the access list could permit a distant peer with the address 192.168.2.2 who is advertising a route to a certain prefix. You can make this BGP route map match on the route’s source address 192.168.2.2 and then perhaps filter the route based on matching the peer address 192.168.2.2 as the source of the route, or set a next hop for routes matching that route source.
        • Specify a Prefix List to specify one or more source networks prefixes to match.
    7. Set the actions to perform on routes matching the rule, which will be redistributed to the destination protocol.
      1. Select the Metric Action for the redistribution rule.
        You can set the Metric value, add the specified Metric Value to the matching route’s original Metric value, or subtract the specified Metric Value from the matching route’s original Metric value; the default is None. Select the add or subtract action to adjust a metric and thus prioritize or deprioritize the matching route.
      2. Enter a Metric Value to set, add to, or subtract from the metric; the range is 0 to 4,294,967,295.
      3. Select the Metric Type: Type 1 or Type 2.
      4. Specify a Tag; range is 1 to 4,294,967,295.
    8. Add the redistribution route map entry.
    9. Save.