Document:PAN-OS® Networking Administrator’s Guide

Configure BGP on an Advanced Routing Engine

Filter

Networking
- Networking Introduction
Configure Interfaces
- Tap Interfaces
- Virtual Wire Interfaces
- Layer 2 Interfaces
- Layer 3 Interfaces
  - Configure Layer 3 Interfaces
  - Manage IPv6 Hosts Using NDP
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
Virtual Routers
- Virtual Router Overview
- Configure Virtual Routers
Service Routes
- Service Routes Overview
- Configure Service Routes
Static Routes
- Static Route Overview
- Static Route Removal Based on Path Monitoring
- Configure a Static Route
- Configure Path Monitoring for a Static Route
RIP
- RIP Overview
- Configure RIP
OSPF
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation
BGP
- BGP Overview
- MP-BGP
- Configure BGP
- Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast
- Configure a BGP Peer with MP-BGP for IPv4 Multicast
- BGP Confederations
IP Multicast
- IGMP
- PIM
- Configure IP Multicast
- View IP Multicast Information
Route Redistribution
- Route Redistribution Overview
- Configure Route Redistribution
GRE Tunnels
- GRE Tunnel Overview
- Create a GRE Tunnel
DHCP
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- DHCP Addressing
  - DHCP Address Allocation Methods
  - DHCP Leases
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP
DNS
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Configure a Web Proxy
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
DDNS
- Dynamic DNS Overview
- Configure Dynamic DNS for Firewall Interfaces
NAT
- NAT Policy Rules
- Source NAT and Destination NAT
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
- Configure NAT
- NAT Configuration Examples
NPTv6
- NPTv6 Overview
  - Unique Local Addresses
  - Reasons to Use NPTv6
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy
NAT64
- NAT64 Overview
- IPv4-Embedded IPv6 Address
- DNS64 Server
- Path MTU Discovery
- IPv6-Initiated Communication
- Configure NAT64 for IPv6-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication with Port Translation
ECMP
- ECMP Load-Balancing Algorithms
- Configure ECMP on a Virtual Router
- Enable ECMP for Multiple BGP Autonomous Systems
- Verify ECMP
LLDP
- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics
BFD
- BFD Overview
- Configure BFD
- Reference: BFD Details
Session Settings and Timeouts
- Transport Layer Sessions
- TCP
- UDP
- ICMP
  - Security Policy Rules Based on ICMP and ICMPv6 Packets
  - ICMPv6 Rate Limiting
- Control Specific ICMP or ICMPv6 Types and Codes
- Configure Session Timeouts
- Configure Session Settings
- Session Distribution Policies
  - Session Distribution Policy Descriptions
  - Change the Session Distribution Policy and View Statistics
- Prevent TCP Split Handshake Session Establishment
Tunnel Content Inspection
- Tunnel Content Inspection Overview
- Configure Tunnel Content Inspection
- View Inspected Tunnel Activity
- View Tunnel Information in Logs
- Create a Custom Report Based on Tagged Tunnel Traffic
- Tunnel Acceleration Behavior
- Disable Tunnel Acceleration
Network Packet Broker
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
Advanced Routing
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
PoE
- PoE Overview
- Configure PoE

Configure BGP on an Advanced Routing Engine

Configure BGP for a logical router on an Advanced Routing Engine.

Perform the following task to configure BGP for a logical router on an Advanced Routing Engine.

Before you configure BGP, consider the many useful routing profiles and filters that you can apply to BGP peer groups, peers, redistribution rules, and aggregate route policies, and thereby save configuration time and maintain consistency. You can create profiles and filters in advance or as you progress through configuring BGP.

Configure a Logical Router.

Enable BGP and configure general BGP settings.

Select

Network

Routing

Logical Routers

and select a logical router.

Select

BGP

General

and

Enable

BGP for this logical router.

Assign a

Router ID

to BGP for the logical router, which is typically an IPv4 address to ensure the Router ID is unique.

Assign the

Local AS

, which is the number of the AS to which the logical router belongs; range is 1 to 4,294,967,295.

If you want to apply BFD to BGP, for

Global BFD Profile

select a BFD profile you created, or select the

default

profile, or create a new BFD profile; default is

None (Disable BFD)

Select

Install Route

to install learned BGP routes into the global routing table; default is disabled.

Select

Fast Failover

to have BGP terminate a session with an adjacent peer if the link to that peer goes down, without waiting for the Hold Time to expire; default is enabled.

Select

Graceful Shutdown

to have BGP lower the preference of eBGP peering links during a maintenance operation so that BGP can choose and propagate alternative paths, based on RFC 8326; default is disabled.

Select

ECMP Multiple AS Support

if you configured ECMP and you want to run ECMP over multiple BGP autonomous systems; default is disabled.

Enforce First AS

to cause the firewall to drop an incoming Update packet from an eBGP peer that does not list the eBGP peer’s own AS number as the first AS number in the AS_PATH attribute; default is enabled.

Specify the

Default Local Preference

that can be used to determine preferences among different paths; range is 0 to 4,294,967,295; default is 100.

Enable

Graceful Restart and configure the following timers:

Stale Route Time (sec)

—Specifies the length of time, in seconds, that a route can stay in the stale state (range is 1 to 3,600; default is 120).

Max Peer Restart Time (sec)

—Specifies the maximum length of time, in seconds, that the local device accepts as a grace period restart time for peer devices (range is 1 to 3,600; default is 120).

Local Restart Time

—Specifies the length of time, in seconds, that the local device waits to restart. This value is advertised to peers (range is 1 to 3,600; default is 120).

For

Path Selection

Always Compare MED

—Enable this comparison to choose paths from neighbors in different autonomous systems; default is disabled.

Deterministic MED Comparison

—Enable this comparison to choose between routes that are advertised by IBGP peers (BGP peers in the same autonomous system); default is enabled.

Click

Configure a BGP peer group.

Select

Routing

Logical Routers

and select a logical router.

Select

BGP

Peer Group

and

Add

a BGP peer group by

Name

(maximum of 63 characters). TThe name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed. The name must be unique within the logical router and across all logical routers.

Enable

the peer group.

Select the

Type

of peer group:

IBGP

EBGP

To specify many

IPv4 Address Family

options for the peer group, select an

AFI Profile

that you created, select the

default

profile, or create a new BGP Address Family profile; the default is

None

To specify many

IPv6 Address Family

options for the peer group, select an

AFI Profile

that you created, select the

default

profile, or create a new BGP Address Family profile; the default is

None

To apply

IPv4 Filtering Profile

options to the peer group, select a

BGP Filtering Profile

that you created or create a new BGP Filtering profile; the default is

None

A BGP Filtering Profile describes how to configure many BGP options for IPv4, such as import or export BGP routes, accept or prevent routes being added to the local BGP RIB, conditionally advertise routes, and unsuppress dampened or summarized routes.

To apply

IPv6 Filtering Profile

options to the peer group, select a

BGP Filtering Profile

that you created or create a new BGP Filtering profile; the default is

None

A BGP Filtering Profile describes how to configure many BGP options for IPv6, such as import or export BGP routes, accept or prevent routes being added to the local BGP RIB, conditionally advertise routes, and unsuppress dampened or summarized routes.

For Connection Options, select an

Auth Profile

or create a new BGP Authentication profile to control MD5 authentication between BGP peers in the peer group. Default is

None

Select a

Timer Profile

or create a new BGP Timer Profile to control various BGP timers that affect keepalive and update messages that advertise routes. Default is

None

Set

Multi Hop

—the time-to-live (TTL) value in the IP header (range is 0 to 255; default is 0). The default value of 0 means 1 for eBGP. The default value of 0 means 255 for iBGP.

Select a

Dampening Profile

or create a new Dampening Profile to determine how to penalize a flapping route to suppress it from being used until it stabilizes. Default is

None

Add a BGP peer to the peer group.

Add

a peer by

Name

(maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed. The name must be unique within the logical router and across all logical routers.

Enable

the peer; default is enabled.

Select

Passive

to prevent the peer from initiating a session with its neighbors; default is disabled.

Enter the

Peer AS

to which the peer belongs; range is 1 to 4,294,967,295.

Select

Addressing

and select whether the peer will

Inherit

IPv4 and IPv6 AFI and filtering profiles from the peer group:

Yes

(default) or

If you chose

Yes

, specify the following for the peer:

For

Local Address

, select the

Interface

for which you are configuring BGP. If the interface has more than one IP address, select the

IP Address

for that interface to be the BGP peer.

For

Peer Address

, select either

and select the IP address or select or create an address object, or select

FQDN

and enter the FQDN or address object that is type FQDN.

The firewall uses only one IP address (from each IPv4 or IPv6 address type) from the DNS resolution of the FQDN. If the DNS resolution returns more than one address, the firewall uses the preferred IP address that matches the IP family type (IPv4 or IPv6) configured for the BGP peer. The preferred IP address is the first address the DNS server returns in its initial response. The firewall retains this address as preferred as long as the address appears in subsequent responses regardless of its order.

If you chose

for

Inherit

addressing from the peer group, specify the following for the peer:

To specify many

IPv4 Address Family

options for the peer, select an

AFI Profile

that you created, select the

default

profile, select

inherit (Inherit from Peer-Group)

, or create a new BGP Address Family profile; the default is

none (Disable IPv4 AFI)

The AFI Profile allows you to specify that the peer is a Route Reflector client. The Route Reflector reflects all the advertisements from all its peers to all the other peers, thus avoiding the need for the iBGP to be fully meshed. If you declare the peer a Route Reflector client, the BGP process reflects all of the updates to that peer.

To specify many

IPv6 Address Family

options for the peer, select an

AFI Profile

that you created, select

inherit (Inherit from Peer-Group)

, or create a new BGP Address Family profile; the default is

none (Disable IPv6 AFI)

To apply

IPv4 Filtering Profile

options to the peer, select a

BGP Filtering Profile

that you created, select

inherit (Inherit from Peer-Group)

, or create a new BGP Filtering profile; the default is

none (Disable IPv4 Filtering)

To apply

IPv6 Filtering Profile

options to the peer, select a

BGP Filtering Profile

that you created, select

inherit (Inherit from Peer-Group)

, or create a new BGP Filtering profile; the default is

none (Disable IPv6 Filtering)

For

Local Address

, select the

Interface

for which you are configuring BGP. If the interface has more than one IP Address, select the

IP address

for that interface to be the BGP peer.

For

Peer Address

, select either

and select the IP address or select or create an address object, or select

FQDN

and enter the FQDN or address object that is type FQDN.

A BGP peer group (or a peer) can have both an IPv4 Address Family profile and an IPv6 Address Family profile applied to it. All peers belonging to that peer group will automatically have Addressing set to Inherit

. All peers in the peer group will also have IPv4 Address Family profile, IPv6 Address Family profile, IPv4 Filtering Profile, and IPv6 Filtering Profile set to

none

by default. In order for routing to function properly, the peering interface must have both an IPv4 address and IPv6 address assigned. You can select inherit (Inherit from Peer-Group) or override the peer group by selecting a specific profile for the peer. For example, you can configure a peer to

inherit

the IPv4 Address Family profile and

inherit

the IPv4 Filtering Profile, and select an IPv6 Address Family profile and IPv6 Filtering Profile to override those profiles from the peer group.

Select

Connection Options

for the peer in order to apply settings that differ from those of the peer group.

Select an

Auth Profile

inherit (Inherit from Peer-Group)

(the default), or create a new BGP Authentication profile to control MD5 authentication between BGP peers.

Select a

Timer Profile

inherit (Inherit from Peer-Group)

(the default), create a new BGP Timer Profile, or select the

default

profile to control various BGP timers that affect keepalive and update messages that advertise routes.

Set

Multi Hop

, which is the time-to-live (TTL) value in the IP header (range is 0 to 255). The default setting is

inherit (Inherit from Peer-Group)

Select a

Dampening Profile

inherit (Inherit from Peer-Group)

(the default), or create a new Dampening Profile to determine how to penalize a flapping route to suppress it from being used until it stabilizes.

Select

Advanced

and

Enable Sender Side Loop Detection

to have the firewall check the AS_PATH attribute of a route in its FIB before it sends the route in an Update, to ensure that the peer AS number is not on the AS_PATH list. If it is, the firewall removes the AS number to prevent a routing loop.

To apply a

BFD Profile

to the peer (which overrides the BFD setting for BGP, as long as BFD is not disabled for BGP at the logical router level), select one of the following:

The

default

profile.

An existing BFD profile.

Inherit-lr-global-setting (Inherit Protocol’s Global BFD Profile)

(default)—Peer inherits the BFD profile that you selected globally for BGP for the logical router.

None (Disable BFD)

for the peer.

Create a new BFD profile.

Click

Specify network prefixes to advertise to neighbors.

The

Network

functionality is especially helpful after moving a firewall to a different subnet or after a temporary change in a network.

Select

Network

Always Advertise Network Route

(default is enabled) to always advertise the configured network routes to BGP peers, regardless of whether they are reachable or not. If this is unchecked, the firewall advertises the network routes only if they are resolved using the local route table.

Select

IPv4

IPv6

to select type of prefix.

Add

Network

prefix to advertise to neighbors.

Select

Unicast

to advertise this network route in the Unicast Address Family; default is enabled. If unchecked, the firewall does not advertise the route in the Unicast SAFI.

(IPv4 only) Select Multicast to advertise this network route into the Multicast Address Family. Default is disabled; the firewall does not advertise this network route in the Multicast SAFI.

(IPv4 only) Select

Backdoor

to prevent BGP from advertising the prefix outside of the AS and instead to keep the route within the AS. A backdoor is a BGP route that has a higher administrative distance than an IGP route. Internally, the administrative distance for the prefix is increased so that the prefix isn’t preferred, but is still available if needed, in the event of a link failure elsewhere. Default is disabled.

Redistribute static, connected, OSPF, OSPFv3, or RIPv2 routes into BGP.

Within a BGP Redistribution Profile, use the flexibility of route maps to specify conditions that determine which routes to redistribute and to specify which attributes to set.

Select

Redistribution

To redistribute IPv4 routes, for

IPv4 Redistribution Profile -- Unicast

, select a BGP Redistribution profile or create a new Redistribution profile; default is

None

To redistribute IPv6 routes, for

IPv6 Redistribution Profile -- Unicast

, select a BGP Redistribution profile or create a new Redistribution profile; default is

None

Document:PAN-OS® Networking Administrator’s Guide

Configure BGP on an Advanced Routing Engine

Table of Contents

Configure BGP on an Advanced Routing Engine