Document:PAN-OS® Networking Administrator’s Guide

Create Filters for the Advanced Routing Engine

Filter

Networking
- Networking Introduction
Configure Interfaces
- Tap Interfaces
- Virtual Wire Interfaces
- Layer 2 Interfaces
- Layer 3 Interfaces
  - Configure Layer 3 Interfaces
  - Manage IPv6 Hosts Using NDP
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
Virtual Routers
- Virtual Router Overview
- Configure Virtual Routers
Service Routes
- Service Routes Overview
- Configure Service Routes
Static Routes
- Static Route Overview
- Static Route Removal Based on Path Monitoring
- Configure a Static Route
- Configure Path Monitoring for a Static Route
RIP
- RIP Overview
- Configure RIP
OSPF
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation
BGP
- BGP Overview
- MP-BGP
- Configure BGP
- Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast
- Configure a BGP Peer with MP-BGP for IPv4 Multicast
- BGP Confederations
IP Multicast
- IGMP
- PIM
- Configure IP Multicast
- View IP Multicast Information
Route Redistribution
- Route Redistribution Overview
- Configure Route Redistribution
GRE Tunnels
- GRE Tunnel Overview
- Create a GRE Tunnel
DHCP
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- DHCP Addressing
  - DHCP Address Allocation Methods
  - DHCP Leases
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP
DNS
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Configure a Web Proxy
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
DDNS
- Dynamic DNS Overview
- Configure Dynamic DNS for Firewall Interfaces
NAT
- NAT Policy Rules
- Source NAT and Destination NAT
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
- Configure NAT
- NAT Configuration Examples
NPTv6
- NPTv6 Overview
  - Unique Local Addresses
  - Reasons to Use NPTv6
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy
NAT64
- NAT64 Overview
- IPv4-Embedded IPv6 Address
- DNS64 Server
- Path MTU Discovery
- IPv6-Initiated Communication
- Configure NAT64 for IPv6-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication with Port Translation
ECMP
- ECMP Load-Balancing Algorithms
- Configure ECMP on a Virtual Router
- Enable ECMP for Multiple BGP Autonomous Systems
- Verify ECMP
LLDP
- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics
BFD
- BFD Overview
- Configure BFD
- Reference: BFD Details
Session Settings and Timeouts
- Transport Layer Sessions
- TCP
- UDP
- ICMP
  - Security Policy Rules Based on ICMP and ICMPv6 Packets
  - ICMPv6 Rate Limiting
- Control Specific ICMP or ICMPv6 Types and Codes
- Configure Session Timeouts
- Configure Session Settings
- Session Distribution Policies
  - Session Distribution Policy Descriptions
  - Change the Session Distribution Policy and View Statistics
- Prevent TCP Split Handshake Session Establishment
Tunnel Content Inspection
- Tunnel Content Inspection Overview
- Configure Tunnel Content Inspection
- View Inspected Tunnel Activity
- View Tunnel Information in Logs
- Create a Custom Report Based on Tagged Tunnel Traffic
- Tunnel Acceleration Behavior
- Disable Tunnel Acceleration
Network Packet Broker
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
Advanced Routing
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
PoE
- PoE Overview
- Configure PoE

Create Filters for the Advanced Routing Engine

Create filters for an Advanced Routing Engine to filter and redistribute routes.

The Advanced Routing Engine supports the filters described in this topic. Access lists, prefix lists, and redistribution route maps can apply to BGP, OSPFv2, OSPFv3 and RIPv2. Access lists and prefix lists can also apply to IPv4 multicast. Multicast route maps apply to IPv4 multicast. AS path access lists, community lists, and BGP route maps apply to BGP only.

Create a filter and reference the filter in a profile or other appropriate location to easily and consistently apply settings that control such things as route acceptance from peers into the local RIB, route advertisements to peers, conditional advertisements, setting attributes, exporting and importing routes to and from other routers, route aggregation, and route redistribution.

Access Lists
—Use an access list:

To filter network routes based on IPv4/IPv6 source addresses and IPv4 destination addresses. For IPv4 access lists, source and destination addresses can be specified by an address and wildcard mask to express a range of addresses. IPv6 access lists can specify source addresses and subnet.

In a BGP Filtering profile, specify an Inbound Distribute List (access list) to control which routes BGP will accept from a peer group or peer (neighbor). This means that routes matching a deny access list rule are not placed in the local BGP RIB; routes matching a permit access list rule are placed in the local BGP RIB. You apply the BGP Filtering profile to a BGP peer group or peer in the Filtering IPv4 Unicast or Filtering IPv6 Unicast field. (To do this for a peer, select

Inherit No

). Peer settings take precedence over peer group settings.

In a BGP Filtering profile, specify an Outbound Distribute List (access list) to control which routes the firewall advertises to its peer group or peer, based on your network and BGP deployment. Then apply the BGP Filtering profile to a BGP peer group or peer in the Filtering IPv4 Unicast or Filtering IPv6 Unicast field. (To do this for a peer, select

Inherit No

). Peer settings take precedence over peer group settings.

As match criteria in a Redistribution route map to specify IPv4 or IPv6 destination Addresses, Next Hop, or Route Source.

In a BGP route map as match criteria for an IPv4 Address, Next Hop, or Route Source, and also for an IPv6 Address.

In OSPFv2 and OSPFv3 Import Lists and Export Lists for an Area Border Router (ABR).

To specify PIM group permissions for IPv4 multicast.

An access list is not for filtering user traffic or for providing security.

An access list can have multiple rules; routes are evaluated against the rules in sequential order. When a route matches a rule, the deny or permit action occurs and the route is not evaluated against subsequent rules.

The aggregated view displays all configured access lists; you can highlight an access list to then modify or delete it.

Prefix Lists
—Use a prefix list:

To filter network routes that are added to a local RIB based on route prefix and prefix length.

In a BGP Filtering Profile, specify an Inbound Prefix List to control which routes BGP will accept from a peer group or peer (neighbor). This means that routes matching a deny prefix list rule are not placed in the local BGP RIB; routes matching a permit prefix list rule are placed in the local BGP RIB. Then apply the BGP Filtering profile to a BGP peer group in the Filtering IPv4 Unicast or Filtering IPv6 Unicast field. (To do this for a peer, select Inherit No). Peer settings take precedence over peer group settings.

In a BGP Filtering profile, specify an Outbound Prefix List to control which routes the firewall advertises to its peer group or peer, based on your network and BGP deployment. Then apply the BGP Filtering profile to a BGP peer group or peer in the Filtering IPv4 Unicast or Filtering IPv6 Unicast field. (To do this for a peer, select Inherit No). Peer settings take precedence over peer group settings.

As match criteria in a Redistribution route map to specify IPv4 or IPv6 destination Addresses, Next Hop, or Route Source.

In a BGP route map as match criteria for an IPv4 Address, Next Hop, or Route Source, and also for an IPv6 Address.

For an OSPFv2 or OSPFv3 ABR of an area, in an Inbound Filter List or Outbound Filter List.

In an IPv4 Multicast PIM general configuration to specify an SPT threshold.

In an IPv4 Multicast route map.

A prefix list can have multiple rules; routes are evaluated against the rules in sequential order. When a route matches a rule, the deny or permit action occurs and the route is not evaluated against subsequent rules. A prefix list is flexible in that it allows you to configure a prefix with a prefix length (that together identify the prefix), and also have a range by specifying that the prefix length be greater than, less than, or equal to a value. The firewall evaluates prefix lists more efficiently than access lists.

Redistribution Route Maps
—Use a Redistribution Route Map in a Redistribution Profile to specify which BGP, OSPFv2, OSPFv3, RIP, connected or static routes (the source protocol) to redistribute to BGP, OSPFv2, OSPFv3, RIP, or the local RIB (the destination protocol). You can also redistribute BGP host routes to BGP peers. The match criteria can include IPv4 and IPv6 addresses specified by an access list and prefix list.

A Redistribution route map can have multiple entries; routes are evaluated against the entries in sequential order. When a route matches an entry, it is permitted or denied and the route is not evaluated against subsequent entries. If the action of the matching entry is Permit, the firewall also sets the configured attributes from the route map to the redistributed route.

Multicast Route Maps
—Create a multicast route map to filter sources for a dynamic IGMP interface.

The following filters apply to BGP only.

AS Path Access Lists
—Create an AS Path access list:

To control importing of BGP routes (into the local BGP RIB) that came from another router, use in a BGP Filtering Profile, in the Inbound Filter List. For example, you want to import only routes that came through specific autonomous systems.

To control exporting of BGP routes to another router, use in a BGP Filtering Profile, in the Outbound Filter List.

To do anything a BGP route map can do, use in a BGP route map as a match criterion.

To redistribute BGP routes, use in a BGP Redistribution route map (AS Path) as a match criterion.

An AS Path access list can have a maximum of 64 rules and ends with an implicit

Permit Any

rule. Use an AS Path access list to deny autonomous systems. Routes are evaluated against the rules in sequential order. When a route matches a rule, the deny or permit action occurs and the route is not evaluated against subsequent rules.

Community Lists
—Create a community list:

To reference in a BGP route map to match on BGP community attributes of routes that you want to control in some way. For example, you can set a group of routes (that share a community attribute) to have a specific metric or local preference.

To reference in the set actions of a BGP route map to remove communities from routes that meet the match criteria.

To match BGP communities in routes that you want to redistribute using a Redistribution route map.

A community list can have multiple rules; routes are evaluated against the rules in sequential order. When a route matches a rule, the deny or permit action occurs and the route is not evaluated against subsequent rules.

BGP Route Maps
—Create a BGP route map:

For the

Default Originate Route-Map

field of a BGP AFI Profile; the match criteria define when to generate the default route (0.0.0.0). Apply the BGP AFI profile to a BGP peer group or peer. The Match criteria can be any parameter and if there is a match to an existing BGP route, the default route is created; the Set portion of the route map is not used. Instead, you can use an outbound route-map to set properties for the generated default route.

To set (override) BGP attributes that BGP is sending to a peer.

For NAT, to set Source Address and IPv4 Next Hop for a certain group of prefixes you are advertising, enter a public IP address from the NAT pool to replace a private IP address.

To redistribute static, connected, or OSPF routes into BGP; then reference the BGP route map in a BGP Redistribution profile.

In a BGP Filtering Profile, use a BGP route map in

Inbound Route Map

Outbound Route Map

to filter routes that are accepted (learned) from BGP peers into the local BGP RIB (inbound) or advertised to BGP peers (outbound).

To conditionally advertise BGP routes, in a BGP Filtering Profile, create an

Exist Map

, which specifies that if these conditions in the route exist, advertise the route based on an Advertise Map. Alternatively, specify that if these conditions do not exist, advertise the route based on a

Non-Exist Advertise Map

In a BGP Filtering Profile, set an IPv4 Next Hop to use a public NAT address rather than a private address.

In a BGP Filtering Profile, use a BGP route map to unsuppress routes that were suppressed due to route dampening or aggregation.

To conditionally filter more specific routes, for a logical router, configure BGP

Aggregate Routes

and provide the

Suppress Map

To set attributes for an aggregate route, for a logical router, configure BGP

Aggregate Routes

and provide the

Attribute Map

A filter can have multiple rules; the firewall evaluates packets or routes against the rules in a filter in order by sequence number (

Seq

) of the rule. When a packet or route matches a rule, the deny or permit action occurs and the packet or route is not evaluated against subsequent rules.

All filters except AS Path access lists end with an implicit

Deny Any

rule. All filters except for AS Path access lists must have at least one

Permit

rule; otherwise, all examined routes/packets are denied. AS Path access lists end with an implicit

Permit Any

rule.

Select a configured

Seq

number to open a rule and modify it. Select an

Action

field in a configured rule to modify only the Permit or Deny action.

When adding a rule, leave enough unused sequence numbers between rules to allow future rules to be inserted in the filter. For example, use Seq numbers 10, 20, 30, etc.

Create an access list to permit or deny IPv4 or IPv6 addresses where this filter is applied.

Select

Network

Routing

Filters

Add

Filters Access List

Name

(maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain a combination of alphanumeric characters, underscore, or hyphen. No dot (.) or space is allowed.

Enter a helpful

Description

Select the

Type

of access list:

IPv4

IPv6

For IPv4,

Add

IPv4 Entry

and enter the

Seq

number for the rule (range is 1 to 65,535).

Select the

Action

Deny

(the default) or

Permit

For

Source Address

, there are three options: select

Address

and in the subsequent

Address

field, enter an IPv4 address. Enter a

Wildcard

mask to indicate a range. A zero (0) in the mask indicates that bit must match the corresponding bit in the address; a one (1) in the mask indicates a “don’t care” bit. The other options are

Any

None

For

Destination Address

, select

Address

and in the subsequent

Address

field, enter an IPv4 address. Enter a

Wildcard

. A zero (0) in the mask indicates a bit that must match; a one (1) in the mask indicates a “don’t care’ bit. The other options are

Any

None

Click

to save the entry.

Alternatively, select the

Type

to be

IPv6

For IPv6,

Add

IPv6 Entry

and enter the

Seq

number (range is 1 to 65,535).

Select the

Action

Deny

(the default) or

Permit

For

Source Address

, there are three options: select

Address

and in the subsequent

Address

field, enter an IPv6

Address

. Optionally select

Exact Match of this address

to have the firewall perform a comparison of both the prefix and prefix length and they must match exactly; otherwise, the firewall determines the match comparison based on whether the route is in the same subnet as the configured prefix. (If the Source Address is

Any

None

, you cannot select

Exact Match of this address

.) The other options are

Any

None

Click

to save the entry. Optionally add more entries.

Click

to save the access list.

Create a prefix list.

Select

Network

Routing

Filters

Add

Filters Prefix List

Name

Enter a helpful

Description

Select the

Type

of prefix for this rule to filter:

IPv4

IPv6

For IPv4,

Add

IPv4 Entry

, and enter the

Seq

number for the rule; range is 1 to 65,535.

Select the

Action

Deny

(the default) or

Permit

For

Prefix

, there are three options; default is

None

. Another option is to select

Network any

. The third option is to select

Entry

and enter an IPv4

Network

prefix with slash and a base prefix length that together specify a network, for example, 192.168.2.0/24. Optionally specify that the prefix length be

Greater Than Or Equal

to a number (that is at least as large as the base length you specified; range is 0 to 32). Optionally specify a top limit to the range by specifying

Less Than Or Equal

to a number (that is at least as high as the base length and at least as high as the

Greater Than Or Equal

length if configured; range is 0 to 32).

Comparing a route to the prefix rule (IPv4 or IPv6) is a two-step process: 1) Match the prefix with the network first. 2) Match the prefix length to the mask range (Greater Than or Equal to Less Than Or Equal). For example, consider the preflix list rule with Network 192.168.3.0/24, and a prefix length Greater Than or Equal to 26 and Less Than or Equal to 30. The following table shows routes that are tested and whether they pass or fail the rule. Routes that pass the rule are subject to the configured action (Deny or Permit).

Sample Route	Result
192.168.3.0/28	Pass: the network and prefix length match the rule.
192.168.2.0/30	Fail: network does not match the rule.
192.168.3.0/32	Fail: prefix length does not match the rule.

In the output summary of the rule, LOU is Logical Operator Unit (equal, greater or equal, less or equal). >= indicates a prefix length greater than or equal to the value; it is the lowest value of a range of the prefix length. <= indicates a prefix length less than or equal to the value; it is the highest value of a range of the prefix length.

Alternatively,

Add

IPv6 Entry

and follow the steps similar to those for an IPv4 prefix rule. The range of the IPv6 prefix length is

Greater Than or Equal

to 0 to 128 and

Less Than Or Equal

to 0 to 128.

For example, consider the prefix list rule with Network 2001:db8:1/48, and a prefix length Greater Than or Equal to 56 and Less Than or Equal to 64. The following table shows routes that are tested and whether they pass or fail the rule. Routes that pass the rule are subject to the configured action (Deny or Permit).

Sample Route	Result
2001:db8:1/64	Pass: the network and prefix length match the rule.
2001:db8:2/48	Fail: network does not match the rule.
2001:db8:1/65	Fail: prefix length does not match the rule.

Click

to save the prefix entry. Optionally add more entries.

Click

to save the Prefix List.

Create an AS Path Access List for BGP.

Select

Network

Routing

Filters

Add

AS Path Acess List

Name

Enter a helpful

Description

Add

Entry

and enter a

Seq

number; range is 1 to 65,535.

Select the

Action

Deny

(the default) or

Permit

Each AS Path access list ends with an implicit

Permit Any

rule. Use an AS Path access list to deny autonomous systems.

Enter the

Aspath Regex

(regular expression) in the format

regex1:regex2:regex3

, where a colon (:) separates three AS values. Characters allowed are 1234567890_^|[,{}()]$*+.?-\. For example, .*65000 in a Deny statement excludes prefixes originating from AS 65000.

Click

to save the entry. Optionally add more entries; a maximum of 64 entries are allowed in an AS Path access list.

Click

to save the AS Path access list.

Create a Community List.

Select

Network

Routing

Filters

Add

Filters Community List

Name

Enter a helpful

Description

Select the

Type

Regular

—

Add

Seq

number (range is 1 to 65,535), select the

Action

Deny

(the default) or

Permit

, and

Add

one or more community values, select one or more well-known communities, or enter a combination of community values and well-known communities. Separate multiple communities with a vertical bar (|), for example,

6409:10|6520:13|internet

. Enter a maximum of 16 communities in a

Regular

entry (rule).

A regular community value in the format AA:NN where AA is an AS number and NN is a network number (each with a range of 0 to 65,535).

accept-own

—Represents well-known community value ACCEPT-OWN (0xFFFF0001)

blackhole

—Represents well-known community value BLACKHOLE (0xFFFF029A). The neighboring network should discard traffic destined for the prefix.

graceful-shutdown

—Represents well-known community value GRACEFUL_SHUTDOWN (0xFFFF0000)

internet

—Represents well-known community value 0 (0x00). Advertise a prefix to all BGP neighbors.

local-as

—Represents well-known community value NO_EXPORT_SUBCONFED (0xFFFFFF03). The effect is to not advertise the prefix outside of the sub-AS in a confederation.

no-advertise

—Represents well-known community value NO_ADVERTISE (0xFFFFFF02). Adding this community to a prefix means the receiving BGP peer will place the prefix in its BGP route table, but won’t advertise the prefix to other neighbors.

no-export

—Represents well-known community value NO_EXPORT (0xFFFFFF01).Adding this community to a prefix means the receiving BGP peer will advertise the prefix only to iBGP neighbors, not neighbors outside the AS.

no-peer

—Represents well-known community value NOPEER (0xFFFFFF04).

Document:PAN-OS® Networking Administrator’s Guide

Create Filters for the Advanced Routing Engine

Table of Contents

Create Filters for the Advanced Routing Engine