BGP Filtering and Route Metric Support on Service Connections in Prisma Access

Create your own BGP policies on service connections in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Panorama)
What Do I Need?
Create your own BGP policies on service connections in Prisma Access to gain precise control over your network's routing behavior. This feature enables you to implement customized routing policies, optimize traffic flow, and strengthen your security posture. The Palo Alto Networks implementation of BGP filtering and route metric support integrates with the existing security-focused platform, so you can use advanced routing capabilities alongside existing security features in one solution that combines network optimization with threat prevention. This feature supports both regular and Colo-Connect service connections.
Prisma Access has several hidden internal rules that are vital to Prisma Access health; all of them are applied before your custom policy. Perform the following steps to create customized BGP policies that work together with the existing Prisma Access BGP policies.

Create a BGP Filter

  1. Log in to Panorama.
  2. Go to Panorama > Cloud Services > Configuration and select the Service Connection tab.
  3. From the BGP Filtering section, select the Edit control. The BGP Filtering configuration panel opens.
  4. Select BGP Filters and Add to create a new filtering rule. When a route matches a rule, the deny or permit action occurs and the route won't be evaluated against subsequent rules.
    1. Give the filtering rule a unique name. The name you provide can be up to 21 characters long.
    2. Select the Action: Permit or Deny.
    3. Select the Category: IPv4 or IPv6.
    4. (Optional) Enter Matching Prefixes. If you selected the IPv4 category, enter an IPv4 prefix; if you selected the IPv6 category, enter an IPv6 prefix. The Action you chose is applied to each prefix.
      You can configure up to 100 prefixes per rule.
      You can configure multiple prefixes, and only one prefix needs to match to use this rule.
      If you leave the Matching Prefixes field blank, you will match all routes.
    5. Optionally select Prefix Exact Match to have the firewall perform a comparison of both the prefix and prefix length. They must match exactly; otherwise, the firewall determines the match comparison based on whether the route is in the same subnet as the configured prefix.
    6. (Optional) You can configure one community string per BGP filtering rule. Use a regular expression (regex) to add a Community List under Community Strings.
      Here are examples of regex used in BGP filtering in Prisma Access (the first matches any community in AS 7001, the second matches exactly 7001:532):
      (^|[^0-9])7001:([0-9]+)
      (^|[^0-9])7001:532($|[^0-9])
      If a route carries multiple communities, each community is separated by a space, so a regex is recommended to match a specific community in the list (the leading (^|[^0-9]) and trailing ($|[^0-9]) groups prevent a match on a longer value such as 17001:532).
      If you configure a community list in addition to a matching prefix, you must match both the community list and the matching prefix to enact the rule.
      If you leave the community list field blank, you will match all routes.
    7. (Optional) Under Set, select Add No-Export Community or Add No-Advertise Community.
      • No-Export Community—Represents well-known community value NO_EXPORT (0xFFFFFF01). Adding this community to a prefix means the receiving BGP peer will advertise the prefix only to iBGP neighbors, not neighbors outside the AS.
        In previous releases, there was an option to set no-export enabled on outbound routes. That functionality is replaced using BGP filter rules. If you had that setting enabled previously, you have a default BGP filter rule with set no-export enabled to replicate this functionality in the Prisma Access 6.0 release.
      • No-Advertise Community—Represents well-known community value NO_ADVERTISE (0xFFFFFF02). Adding this community to a prefix means the receiving BGP peer will place the prefix in its BGP route table, but won’t advertise the prefix to other neighbors.
    8. Save your changes so that this filter is available when you select filters for a BGP filter group.

Configure a BGP Filter Group

You can associate up to 100 BGP filters with a single BGP filter group. Each BGP filter group can be used across multiple service connections. In some situations, the service connections must have the same groups. For example, if you configure a cloud redundancy managed site, all service connections within the same site group must have the same filter groups attached to them.
BGP filter groups can't be attached to traffic-steering dedicated service connections.
  1. Log in to Panorama.
  2. Go to Panorama > Cloud Services > Configuration and select the Service Connection tab.
  3. From the BGP Filtering section, select Edit. The BGP Filtering window opens.
  4. Select BGP Filter Groups and Add to associate multiple filters with a new BGP filter group.
    1. Give the filter group a meaningful Group Name.
    2. Configure the direction, Inbound or Outbound, on which the BGP filter is applied.
      Each service connection can have one inbound and one outbound BGP filter group.
    3. Select Add to enable a drop-down with filters you can select. Select as many filters as you want to add to the group. A BGP filter group can have multiple rules; routes are evaluated against the rules in sequential order. When a route matches a rule, the deny or permit action occurs and the route will not be evaluated against subsequent rules.
      Be careful about the rule order in a filter group. If you want to reorder the rules after you associate the filter group with a service connection and push the filter group to the firewall, you need to disassociate the filter group from the service connection, reconfigure the filter group with the rules in the order you want, and reapply it to the service connection.
    4. After you configure the BGP filter group, apply it to a service connection. Go to Onboarding and select a check box next to a service connection.
    5. Select BGP > Attach BGP Filter Groups.
    6. Select one group from the drop-downs next to the Inbound Filter Group and Outbound Filter Group.
    7. Save your changes.
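The following is an added example, not Prisma Access code: a small Python model of the match semantics described in the two procedures above (first-match-wins rule order in a filter group, blank prefix or community list matching all routes, Prefix Exact Match versus subnet containment, and the space-separated community string matched with the page's 7001:532 regex). The sample filter group, rule dictionary keys and the (None, set()) result when no rule matches are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample filter group (not from the page): rules are evaluated in
# order and the first match decides, as the page describes.
SAMPLE_GROUP = [
    {"name": "deny-private", "action": "deny", "category": "ipv4",
     "prefixes": ["10.0.0.0/8"], "exact": False},
    {"name": "no-export-7001-532", "action": "permit", "category": "ipv4",
     "prefixes": [], "community_regex": r"(^|[^0-9])7001:532($|[^0-9])",
     "set": ["no-export"]},
    {"name": "permit-rest", "action": "permit", "category": "ipv4"},
]


def prefix_matches(route, prefix, exact):
    """Exact match compares prefix and length; otherwise the route matches
    when it falls inside the configured prefix's subnet."""
    r, p = ipaddress.ip_network(route), ipaddress.ip_network(prefix)
    if r.version != p.version:
        return False
    return r == p if exact else r.subnet_of(p)


def rule_matches(rule, route, communities):
    """Apply one rule's match conditions: category, prefixes, community regex."""
    if ipaddress.ip_network(route).version != (4 if rule["category"] == "ipv4" else 6):
        return False
    prefixes = rule.get("prefixes", [])
    # A blank prefix list matches all routes; otherwise any one prefix suffices.
    if prefixes and not any(prefix_matches(route, p, rule.get("exact", False))
                            for p in prefixes):
        return False
    regex = rule.get("community_regex")
    # A blank community list matches all routes. Communities on a route are
    # space-separated, so the regex runs over the joined string; when both
    # prefixes and a community list are set, both must match.
    if regex and not re.search(regex, " ".join(communities)):
        return False
    return True


def evaluate(group, route, communities=()):
    """Return (action, communities_to_set) from the first matching rule.
    Assumption (not stated on the page): (None, set()) when nothing matches."""
    for rule in group:
        if rule_matches(rule, route, list(communities)):
            return rule["action"], set(rule.get("set", []))
    return None, set()
```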