Create BGP Routing Profiles

Create a BGP Authentication profile.
Select
Network
Routing
Routing Profiles
BGP
.

Add
a
BGP Auth Profile
by
Name
(a maximum of 63 characters) to identify the profile. The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.
Enter the
Secret
and
Confirm Secret
. The Secret is used as a key in MD5 authentication.
Click
OK
.
Create a BGP Timer profile.
Select
Network
Routing
Routing Profiles
BGP
.
In the BGP Timer Profiles window, select the
default
BGP Timer Profile to see the default profile settings:

If the default BGP Timer Profile settings are not what you need,
Add
a
BGP Timer Profile
by
Name
(a maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.
Set the
Keep Alive Interval (sec)
—the interval, in seconds, at which the BGP speaker sends Keepalives to the peer (range is 0 to 1,200; default is 30). If no Keepalive is received from a peer during a Hold Time interval, the BGP peering is closed. Often, the Hold Time is three times the Keep Alive Interval to allow for three missed Keepalives before BGP peering is brought down.
Set the
Hold Time (sec)
—the length of time, in seconds, that may elapse between successive Keepalive or Update messages from the peer before the peer connection is closed (range is 3 to 3,600; default is 90).
Set the
Reconnect Retry Interval
—the number of seconds to wait in Idle state before retrying to connect to the peer (range is 1 to 3,600; default is 15).
Set the
Open Delay Time (sec)
—the number of seconds of delay between opening the TCP connection to the peer and sending the first BGP Open message to establish a BGP connection (range is 0 to 240; default is 0).
Set the
Minimum Route Advertise Interval (sec)
—the minimum amount of time, in seconds, that must elapse between an advertisement and/or withdrawal of routes to a particular destination by a BGP speaker to a peer (range is 1 to 600; default is 30).
Click
OK
.
To use MP-BGP, create a BGP Address Family Identifier (AFI) profile of shared attributes.
Select
Network
Routing
Routing Profiles
BGP
.
Add
a
BGP Address Family Profile
by
Name
(a maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.

Select
IPv4
or
IPv6
AFI to specify the type of profile.
Select
unicast
or
multicast
.
Multicast
is supported only for an
IPv4
AFI profile.
On the
unicast
tab,
Enable SAFI
to enable the unicast SAFI for the profile. On the
multicast
tab,
Enable SAFI
to enable the multicast SAFI for the profile. If
Enable SAFI
is checked for both
unicast
and
multicast
, both SAFI are enabled. At least one SAFI must be enabled for the BGP profile to be valid.
Select
Soft reconfiguration of peer with stored routes
to cause the firewall to perform a soft reset of itself after settings of any of its BGP peers are updated. (Enabled by default.)
Advertise all paths to peers
— to have BGP advertise all known paths to neighbor in order to preserve multipath capabilities inside a network.
Advertise the bestpath for each neighboring AS
to have BGP advertise the best known paths to neighbors in order to preserve multipath capabilities inside a network. Disable this if you want to advertise the same path to all autonomous systems.
Override ASNs in outbound updates if AS-Path equals Remote-AS
—This setting is helpful if you have multiple sites belonging to the same AS number (AS 64512, for example) and there is another AS between them. A router between the two sites receives an Update advertising a route that can access AS 64512. To avoid the second site dropping the Update because it is also in AS 64512, the intermediate router replaces AS 64512 with its own AS number (ASN), AS 64522, for example.
Enable
Route Reflector Client
to make the BGP peer a Route Reflector client in an IBGP network.
Originate Default Route
—Select to generate a default route and place it in the local BGP RIB.
Default Originate Route-Map
—Select or create a route map to control the attributes of the default route.
Allow AS in
:
Origin
—Accept routes even if the firewall’s own AS is present in the AS_PATH.
Occurrence
—Number of times the firewall’s own AS can be in the AS_PATH.
None
—(default setting) No action taken.
Number Prefixes
—Maximum number of prefixes to accept (learn) from the peer. Range is 1 to 4,294,967,295; default is 1,000.
Threshold
—Percentage of the maximum number of prefixes. The prefixes are added to the BGP local RIB. If the peer advertises more than the threshold, the firewall takes the specified action (
Warning Only
or
Restart
). Range is 1 to 100; default is 100.
Action
—
Warning Only
message in system logs or
Restart
the BGP peer connection after the maximum number of prefixes is exceeded.
Select the
Next Hop
:
Self
—Causes the firewall to change the Next Hop address (in Updates it receives) to its own IP address in the Update before sending it on. This is helpful when the firewall is communicating with an EBGP router (in another AS) and with an IBGP router (in its own AS). For example, suppose the Next Hop address in a BGP Update that arrives at AS 64512 is the IP address of the egress interface of Router 2 where the Update egressed AS 64518. The Update indicates that to reach networks that Router 2 is advertising, use the Next Hop address of Router 2. However, if the firewall sends that Update to an iBGP neighbor in AS 64512, the unchanged Next Hop of Router 2 is outside AS 64512 and the iBGP neighbor does not have a route to it. When you select
Self
, the firewall changes the Next Hop to its own IP address so that an iBGP neighbor can use that Next Hop to reach the firewall, which in turn can reach the eBGP router.
Self Force
—Force set the next hop to self for the reflected routes.
None
—(default setting) Keep the original Next Hop in the attribute.
To have BGP remove private AS numbers from the AS_PATH attribute in Updates that the firewall sends to a peer in another AS, in
Remove Private AS
, select one of the following:
All
—Remove all private AS numbers.
Replace AS
—Replace all private AS numbers with the firewall’s AS number.
None
—(default setting) No action taken.
For
Send Community
, select the type of BGP community attribute to send in outbound Update packets:
All
—Send all communities.
Both
—Send standard and extended communities.
Extended
—Send extended communities (RFC 4360).
Large
—Send large communities (RFC 8092).
Standard
—Send standard communities (RFC 1997).
None
—(default setting) Do not send any communities.
For
ORF List
—Advertise the ability of the peer group or peer to send a prefix list and/or receive a prefix list to implement outbound route filtering (ORF) at the source, and thereby minimize sending or receiving unwanted prefixes in Updates. Select an ORF capability setting:
none
—(default setting) The peer group or peer (where this AFI profile is applied) has no ORF capability.
both
—Advertise that the peer group or peer (where this AFI profile is applied) can
send
a prefix list and
receive
a prefix list to implement ORF.
receive
—Advertise that the peer group or peer (where this AFI profile is applied) can receive a prefix list to implement ORF. The local peer receives the remote peer’s ORF capability and prefix list, which it implements as an outbound route filter.
send
—Advertise that the peer group or peer (where this AFI profile is applied) can send a prefix list to implement ORF. The remote peer (with receive capability) receives the ORF capability and implements the prefix list it received as an outbound route filter when advertising routes to the sender.
ORF is a solution to two potential problems: a) wasting bandwidth by advertising unwanted routes and b) filtering route prefixes that perhaps the receiving peer wants. Implement ORF by doing the following:
Specify ORF capability in the Address Family profile.
For a peer group or peer that is a sender (
send
or
both
capability), create a prefix list containing the set of prefixes the peer group/peer wants to receive.
Create a BGP Filtering profile and in the Inbound Prefix List, select the prefix list you created.
For the BGP peer group, select the Address Family profile you created to apply it to the peer group. In the case of the sender, also select the Filtering Profile you created (which indicates the prefix list). If the peer group or peer is an ORF receiver only, it does not need the Filtering Profile; it needs only the Address Family profile to indicate ORF
receive
capability.
Click
OK
.
Create a BGP Dampening Profile.
Select
Network
Routing
Routing Profiles
BGP
.
Add
a
BGP Dampening Profile
by
Name
. The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.
Enter a helpful
Description
.
Suppress Limit
— Enter the suppress value (cumulative value of the penalties for flapping), at which point all the routes coming from a peer are dampened. Range is 1 to 20,000; default is 2,000.
Reuse Limit
—Enter the value that controls when a route can be reused based on the procedure described for
Half Life
. Range is 1 to 20,000; default is 750.
Half Life (min)
—Enter the number of minutes for the half life time to control the stability metric (penalty) applied to a flapping route. Range is 1 to 45; default is 15. The stability metric starts at 1,000. After a penalized route stabilizes, the half life timer counts down until it expires, at which point the next stability metric applied to the route is only half of the previous value (500). Successive cuts continue until the stability metric is less than half of the Reuse Limit, and then the stability metric is removed from the route.
Maximum Suppress Time (min)
—Enter the maximum number of minutes a route can be suppressed, regardless of how unstable it has been. Range is 1 to 255; default is 60.

Click
OK
.
Create a BGP Redistribution Profile to redistribute static, connected, and OSPF routes (that match the corresponding route map) to BGP.
Select
Network
Routing
Routing Profiles
BGP
.
Add
a
BGP Redistribution Profile
by
Name
(a maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.
Select the
AFI
of routes to redistribute:
IPv4
or
IPv6
.

Select
Static
to configure static route redistribution.
Enable
redistribution of IPv4 or IPv6 static routes (based on the AFI you selected).
Configure the
Metric
to apply to the static routes being redistributed into BGP (range is 1 to 65,535).
Select a
Route-Map
to specify the match criteria that determine which static routes to redistribute. Default is
None
. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route.
Select
Connected
to configure connected route redistribution.
Enable
redistribution of locally connected IPv4 or IPv6 routes (based on the AFI you selected).
Configure the
Metric
to apply to the connected routes being redistributed into BGP (range is 1 to 65,535).
Select a
Route Map
to specify the match criteria that determine which connected routes to redistribute. Default is None. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route.
(
IPv4 AFI only
) Select
OSPFv2
to configure OSPFv2 route redistribution.
Enable
redistribution of OSPFv2 routes.
Configure the
Metric
to apply to the OSPF routes being redistributed into BGP (range is 1 to 65,535).
Select a
Route-Map
to specify the match criteria that determine which OSPF routes to redistribute. Default is
None
. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route.
(
IPv4 AFI only
) Select
RIPv2
to configure RIPv2 route redistribution.
Enable
redistribution of RIPv2 routes.
Configure the
Metric
to apply to the RIP routes being redistributed into BGP (range is 1 to 65,535).
Select a
Route-Map
to specify the match criteria that determine which RIP routes to redistribute. Default is
None
. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route.
(
IPv6 AFI only
) Select
OSPFv3
to configure OSPFv3 route redistribution.
Enable
redistribution of OSPFv3 routes.
Configure the
Metric
to apply to the OSPFv3 routes being redistributed into BGP (range is 1 to 65,535).
Select a
Route-Map
to specify the match criteria that determine which OSPFv3 routes to redistribute. Default is
None
. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route.
Click
OK
.
Create a BGP Filtering Profile.
Select
Network
Routing
Routing Profiles
BGP
.
Add
a
BGP Filtering Profile
by
Name
(a maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and can contain alphanumeric characters, underscores, hyphens and dots. A space is not allowed.
Enter a helpful
Description
.
Select
IPv4
or
IPv6
Address Family Identifier (AFI) to indicate the type of route to filter.

Select
Unicast
or
Multicast
Subsequent Address Family Identifier (SAFI).