Network > Routing > Routing Profiles > BGP
Create BGP routing profiles to efficiently configure
BGP for the logical router.
For a logical router, use BGP routing profiles to
efficiently apply configuration to BGP peer groups, peers, or redistribution
rules. For example, you can apply a Timer Profile, Authentication
Profile, and BGP Filtering Profiles to a BGP peer group or a peer.
You can apply an Address Family (AFI) profile for IPv4 and for IPv6
to a peer group or peer. You can apply a Redistribution profile for
IPv4 and for IPv6 to BGP redistribution.
BGP Routing Profiles | Description |
---|---|
BGP Auth Profile | |
Name | Enter a name for the Authentication profile (maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and contain zero or more alphanumeric characters, underscores (_), hyphens (-), and dots (.). A space is not allowed. |
Secret | Enter the Secret and Confirm Secret. The Secret is used as a key in MD5 authentication. |
BGP Timer Profile | |
Name | Enter a name for the Timers profile (maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and contain zero or more alphanumeric characters, underscores (_), hyphens (-), and dots (.). A space is not allowed. |
Keep Alive Interval (sec) | Enter the interval, in seconds, after which routes from the peer are suppressed according to the Hold Time setting (range is 0 to 1,200; default is 30). |
Hold Time (sec) | Enter the length of time, in seconds, that may elapse between successive Keepalive or Update messages from the peer before the peer connection is closed (range is 3 to 3,600; default is 90). |
Reconnect Retry Interval | Enter the number of seconds to wait in Idle state before retrying to connect to the peer (range is 1 to 3,600; default is 15). |
Open Delay Time (sec) | Enter the number of seconds of delay between opening the TCP connection to the peer and sending the first BGP Open message to establish a BGP connection (range is 0 to 240; default is 0). |
Minimum Route Advertise Interval (sec) | Enter the minimum amount of time, in seconds, that must elapse between two successive Update messages (that a BGP speaker [the firewall] sends to a BGP peer) that advertise routes or withdrawal of routes (range is 1 to 600; default is 30). |
BGP Address Family Profile | |
Name | Enter a name for the Address Family Identifier (AFI) profile (maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and contain zero or more alphanumeric characters, underscores (_), hyphens (-), and dots (.). A space is not allowed. |
AFI | Select the type of AFI profile (IPv4 or IPv6). |
unicast / multicast | Select the Subsequent Address Family Identifier (SAFI) type. |
Enable SAFI | Select for the profile to enable the unicast and/or multicast SAFI. At least one SAFI must be enabled for the BGP profile to be valid; you can enable both SAFIs. |
Soft reconfiguration of peer with stored routes | Select to cause the firewall to perform a soft reset of itself after settings of any of its BGP peers are updated. (Default is enabled.) |
Advertise all paths to peers | Advertise all paths to neighbors in order to preserve multipath capabilities inside a network. |
Advertise the bestpath for each neighboring AS | Enable to ensure that BGP advertises the best path for each neighboring AS, and not a generic path for all autonomous systems. Disable this if you want to advertise the same path to all autonomous systems. |
Override ASNs in outbound updates if AS-Path equals Remote-AS | You might use the BGP AS override feature if you have multiple sites belonging to the same AS (AS 64512, for example) and there is another AS between them. A router between the two sites receives an Update advertising a route that can access AS 64512. To avoid the second site dropping the Update because it is also in AS 64512, the intermediate router replaces AS 64512 with its own ASN, AS 64522, for example. |
Route Reflector Client | Enable to make the BGP peers a BGP Route Reflector Client in an iBGP network. |
Originate Default Route | Select to advertise all default routes. Disable if you want to advertise only routes to specific destinations. |
Default Originate Route-Map | Apply a route map to the Originate Default Route field, which allows you to specify the types of default routes you want to advertise. |
Allow AS in | Specify whether to allow routes that include the firewall’s own autonomous system (AS) number: |
Number Prefixes | Enter the maximum number of prefixes to accept from the peer; range is 1 to 4,294,967,295; default is 1,000. |
Threshold (%) | Enter the threshold percentage of the maximum number of prefixes. If the peer advertises more than the threshold, the firewall takes the specified Action (warning or restart). Range is 1 to 100. |
Action | Specify the action the firewall takes on the BGP connection after the maximum number of prefixes is exceeded: Warning Only message in logs or Restart the BGP peer connection. |
Next Hop | Select the next hop: |
Remove Private AS | To have BGP remove private AS numbers from the AS_PATH attribute in Updates that the firewall sends to a peer in another AS, select one of the following: |
Send Community | Select the type of BGP community attribute to send in outbound Update messages: |
ORF List | Advertise the ability of the peer group or peer to send a prefix list and/or receive a prefix list to implement outbound route filtering (ORF) at the source, and thereby minimize sending or receiving unwanted prefixes in Updates. Select one of the following: Implement ORF by doing the following: |
BGP Dampening Profile | |
Name | Enter a name for the Dampening profile (maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and contain zero or more alphanumeric characters, underscores (_), hyphens (-), and dots (.). A space is not allowed. |
Description | Enter a description for the Dampening profile. |
Suppress Limit | Enter the suppress value (cumulative value of the penalties for flapping), at which point all the routes coming from a peer are dampened. Range is 1 to 20,000; default is 2,000. |
Reuse Limit | Enter the value that controls when a route can be reused based on the procedure described for Half Life; range is 1 to 20,000; default is 750. |
Half Life (min) | Enter the number of minutes for the half-life time to control the stability metric (penalty) applied to a flapping route. Range is 1 to 45; default is 15. The stability metric starts at 1,000. After a penalized route stabilizes, the Half Life timer counts down until it expires, at which point the next stability metric applied to the route is only half of the previous value (500). Successive cuts continue until the stability metric is less than half of the Reuse Limit, and then the stability metric is removed from the route. |
Maximum Suppress Time (min) | Enter the maximum number of minutes a route can be suppressed, regardless of how unstable it has been. Range is 1 to 255; default is 60. |
BGP Redistribution Profile | |
Name | Enter a name for the Redistribution profile (maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and contain zero or more alphanumeric characters, underscores (_), hyphens (-), and dots (.). A space is not allowed. |
IPv4 or IPv6 | Select IPv4 or IPv6 Address Family Identifier (AFI) to specify which type of route is redistributed. |
Static | Select Static and Enable to redistribute IPv4 or IPv6 static routes (that match the AFI you selected) to BGP. |
Metric | Enter the metric to apply to the static routes being redistributed into BGP (range is 1 to 65,535). |
Route-Map | Select a Route Map to specify the match criteria that determine which static routes to redistribute. Default is None. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route. |
Connected | Select Connected and Enable to redistribute IPv4 or IPv6 connected routes (that match the AFI you selected) to BGP. |
Metric | Enter the metric to apply to the connected routes being redistributed into BGP (range is 1 to 65,535). |
Route-Map | Select a Route Map to specify the match criteria that determine which connected routes to redistribute. Default is None. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route. |
OSPF | (IPv4 only) Select OSPF and Enable to redistribute OSPFv2 routes to BGP. |
Metric | Enter the metric to apply to the OSPF routes being redistributed into BGP (range is 1 to 65,535). |
Route-Map | Select a Route Map to specify the match criteria that determine which OSPF routes to redistribute. Default is None. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route. |
RIP | (IPv4 only) Select RIP and Enable to redistribute RIP routes to BGP. |
Metric | Enter the metric to apply to the RIP routes being redistributed into BGP (range is 1 to 65,535). |
Route-Map | Select a Route Map to specify the match criteria that determine which RIP routes to redistribute. Default is None. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route. |
OSPFv3 | (IPv6 only) Select OSPFv3 and Enable to redistribute OSPFv3 routes to BGP. |
Metric | Enter the metric to apply to the OSPFv3 routes being redistributed into BGP (range is 1 to 65,535). |
Route-Map | Select a Route Map to specify the match criteria that determine which OSPFv3 routes to redistribute. Default is None. If the route map Set configuration includes a Metric Action and Metric Value, they are applied to the redistributed route. Otherwise, the Metric configured on this redistribution profile is applied to the redistributed route. |
BGP Filtering Profile | |
Name | Enter a name for the BGP Filtering profile (maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), hyphen (-), or dot (.) and contain zero or more alphanumeric characters, underscores (_), hyphens (-), and dots (.). A space is not allowed. |
Description | Enter a description for the BGP Filtering profile. |
AFI | Select IPv4 or IPv6 Address Family Identifier to specify which type of route is filtered. |
Unicast Inbound Filter List | Select an AS Path access list or create a new one to specify that, when receiving routes from a peer, only routes with the same AS Path are imported from the peer group or peer, meaning added to the local BGP RIB. |
Inbound Distribute List | Use an access list (Source Address only; not Destination Address) to filter BGP routing information that BGP receives. Mutually exclusive with Inbound Prefix List in a single Filtering Profile. |
Inbound Prefix List | Use a prefix list to filter BGP routing information that BGP receives, based on a network prefix. Mutually exclusive with Inbound Distribute List in a single Filtering Profile. |
Inbound Route Map | Use a route map to have even more control over which routes are allowed into the local BGP RIB (Match criteria) and to set attributes for the routes (Set options). For example, you can control route preference by prepending an AS to the AS Path of a route. |
Outbound Filter List | Select an AS Path access list or create a new AS Path access list to specify that only routes with the same AS Path are advertised to a peer router (peer group or peer where this filter is applied). |
Outbound Distribute List | Use an access list to filter BGP routing information that BGP advertises, based on the IP address of the destination. Mutually exclusive with Outbound Prefix List in a single Filtering Profile. |
Outbound Prefix List | Use a prefix list to filter BGP routing information that BGP advertises, based on a network prefix. Mutually exclusive with Outbound Distribute List in a single Filtering Profile. |
Outbound Route Map | Use a route map to have even more control over which routes BGP advertises (Match criteria) and to set attributes for advertised routes. |
Conditional Advertisement—Exist—Exist Map | Select or create a route map to specify the match criteria for the conditional advertisement. If these routes exist in the local BGP RIB, the routes specified by the Advertise Map are advertised. Only the Match portion of the route map in this field takes effect; the Set portion is ignored. |
Conditional Advertisement—Exist—Advertise Map | Select or create a route map to specify the routes to advertise in the event that the condition is met (routes from the Exist Map exist in the local BGP RIB). Only the Match portion of the route map in this field takes effect; the Set portion is ignored. |
Conditional Advertisement—Non-Exist—Non Exist Map | Select or create a route map to specify the match criteria for the conditional advertisement. If these routes do not exist in the local BGP RIB, the routes specified by the Advertise Map are advertised. Only the Match portion of the route map in this field takes effect; the Set portion is ignored. |
Conditional Advertisement—Non-Exist—Advertise Map | Select or create a route map to specify the routes to advertise in the event that the condition is met (routes from the Non-Exist Map do not exist in the local BGP RIB). Only the Match portion of the route map in this field takes effect; the Set portion is ignored. |
Unsuppress Map | Select or create a route map of routes that you want to unsuppress from route aggregation or route dampening and thus advertise them. |
Multicast—Inherit from Unicast | (IPv4 AFI only) Select to inherit the Unicast settings for filtering Multicast routes. Otherwise, configure multicast filters as described in this table for the Unicast filters. |
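
The name rule, numeric ranges and mutual-exclusion constraints listed in the table can be checked before a configuration is committed. The following is an added example, not Palo Alto Networks code: `lint_profile`, the dictionary field names and the sample profiles are hypothetical and do not reflect the PAN-OS configuration schema, and the name rule is assumed to mean ASCII characters.

```python
import re

# Name rule from the table: at most 63 characters, no spaces, only
# alphanumerics, underscore, hyphen and dot (ASCII-only is an assumption).
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,63}")

# Ranges quoted in the table. The keys are hypothetical field names.
RANGES = {
    "timer": {"keep_alive": (0, 1200), "hold_time": (3, 3600),
              "reconnect_retry": (1, 3600), "open_delay": (0, 240),
              "min_route_adv": (1, 600)},
    "dampening": {"suppress_limit": (1, 20000), "reuse_limit": (1, 20000),
                  "half_life": (1, 45), "max_suppress_time": (1, 255)},
    "afi": {"max_prefixes": (1, 4294967295), "threshold_pct": (1, 100)},
}


def lint_profile(kind, profile):
    """Return a list of findings for one profile dict; empty means valid."""
    findings = []
    name = profile.get("name", "")
    if not NAME_RE.fullmatch(name):
        findings.append(f"name {name!r}: 1-63 chars from [A-Za-z0-9_.-], no spaces")
    for field, (low, high) in RANGES.get(kind, {}).items():
        value = profile.get(field)
        if value is not None and not low <= value <= high:
            findings.append(f"{field}={value}: outside {low}-{high}")
    if kind == "afi":
        # At least one SAFI (unicast or multicast) must be enabled.
        if not (profile.get("unicast") or profile.get("multicast")):
            findings.append("no SAFI enabled: enable unicast and/or multicast")
        if profile.get("action", "warning") not in ("warning", "restart"):
            findings.append("action must be 'warning' or 'restart'")
    if kind == "filtering":
        # Distribute List and Prefix List exclude each other per direction.
        for direction in ("inbound", "outbound"):
            if (profile.get(f"{direction}_distribute_list")
                    and profile.get(f"{direction}_prefix_list")):
                findings.append(f"{direction}: distribute list and prefix list "
                                "are mutually exclusive")
    return findings


# Constructed sample profiles (not exported from a real firewall).
SAMPLES = [
    ("timer", {"name": "edge-timers", "keep_alive": 30, "hold_time": 90}),
    ("timer", {"name": "bad timers", "hold_time": 2, "open_delay": 300}),
    ("afi", {"name": "v4-transit", "unicast": False, "multicast": False,
             "max_prefixes": 1000, "threshold_pct": 0, "action": "restart"}),
    ("filtering", {"name": "isp-in", "inbound_distribute_list": "acl-1",
                   "inbound_prefix_list": "pl-customers"}),
]

if __name__ == "__main__":
    for kind, profile in SAMPLES:
        for finding in lint_profile(kind, profile) or ["ok"]:
            print(f"{kind}/{profile['name']}: {finding}")
```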
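
How the Dampening profile defaults interact for a flapping route, as an added example that is not PAN-OS code. It assumes each flap adds a penalty of 1,000, decays the penalty continuously (which agrees with halving at every Half Life expiry) and caps it with the RFC 2439 ceiling so that Maximum Suppress Time holds; `dampening_timeline` and its parameter names are hypothetical.

```python
import math


def dampening_timeline(flaps, suppress_limit=2000, reuse_limit=750,
                       half_life=15, max_suppress=60, flap_penalty=1000):
    """Trace one route's penalty across sorted flap times (minutes).

    Returns (suppressed_at, reusable_at, forgotten_at) for the state after
    the last flap, or (None, None, None) if the route is not suppressed.
    """
    # RFC 2439 ceiling (assumed here): the largest penalty that still decays
    # to the Reuse Limit within Maximum Suppress Time.
    ceiling = reuse_limit * 2 ** (max_suppress / half_life)
    penalty, last, suppressed_at = 0.0, None, None
    for t in flaps:
        if last is not None:
            # Penalty halves once per Half Life since the previous flap.
            penalty *= 0.5 ** ((t - last) / half_life)
            if penalty < reuse_limit:
                suppressed_at = None      # route became usable again
            if penalty < reuse_limit / 2:
                penalty = 0.0             # metric removed from the route
        penalty = min(penalty + flap_penalty, ceiling)
        last = t
        if suppressed_at is None and penalty >= suppress_limit:
            suppressed_at = t
    if suppressed_at is None:
        return None, None, None
    reusable_at = last + half_life * math.log2(penalty / reuse_limit)
    # One more Half Life brings the penalty down to half the Reuse Limit,
    # the point at which the table says the metric is removed.
    return suppressed_at, reusable_at, reusable_at + half_life


if __name__ == "__main__":
    # Constructed flap schedules (minutes), evaluated with the table defaults.
    for flaps in ([0, 1], [0, 1, 2], list(range(30))):
        print(flaps[:3], "...", dampening_timeline(flaps))
```

With the defaults, two flaps a minute apart stay under the Suppress Limit, a third suppresses the route for about 29 minutes after it stops flapping, and sustained flapping is bounded by the 60-minute Maximum Suppress Time.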