BGP Filtering and Route Metric Support on Service Connections in Prisma Access (Strata Cloud Manager)


Create your own BGP policies on service connections in Prisma Access on Strata Cloud Manager.
Perform the following steps to create your customized BGP policies to use with existing Prisma Access BGP policies on Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Navigate to Configuration > NGFW and Prisma Access > Configuration Scope > Prisma Access > Objects. From the Objects drop-down, select BGP Filter > BGP Filters.
  3. On the BGP Filtering Rules page, select either the IPv4 or IPv6 tab to view rules that are already in place.
  4. To add a new rule, select Add BGP IPv4 Filtering Rule or Add BGP IPv6 Filtering Rule. When a route matches a rule, the deny or permit action occurs and the route won't be evaluated against subsequent rules.
    1. Give the filtering rule a unique name. The name you provide can be up to 31 characters long.
    2. Define the Match Criteria.
      1. Prefixes: Select Any to match all prefixes, or Define.
        1. Define the IPv4 or IPv6 addresses you want to use, and whether or not each address should be an Exact Match.
        2. Click the plus button to add more addresses.
      2. (Optional) You can configure one community string per BGP filtering rule. Use a regular expression (regex) to add a Community List under Community Strings.
        Here's an example of regex used in BGP filtering in Prisma Access:
        (^|[^0-9])7001:([0-9]+) (^|[^0-9])7001:532($|[^0-9])
        If there are multiple communities, each community is separated by a space, and a regex is recommended to match for a specific community in the list.
        If you configure a community list in addition to a matching prefix, you must match both the community list and the matching prefix to enact the rule.
        If you leave the community list field blank, you will match all routes.
    3. Select the Actions: Permit or Deny.
    4. Select Add No-Export Community or Add No-Advertise Community.
      • No-Export Community—Represents well-known community value NO_EXPORT (0xFFFFFF01). Adding this community to a prefix means the receiving BGP peer will advertise the prefix only to iBGP neighbors, not neighbors outside the AS.
        In previous releases, there was an option to set no-export enabled on outbound routes. That functionality is replaced using BGP filter rules. If you had that setting enabled previously, you have a default BGP filter rule with set no-export enabled to replicate this functionality in the Prisma Access 6.0 release.
      • No-Advertise Community—Represents well-known community value NO_ADVERTISE (0xFFFFFF02). Adding this community to a prefix means the receiving BGP peer will place the prefix in its BGP route table, but won’t advertise the prefix to other neighbors.
    5. Save your changes so that this filter is available when you select filters for a BGP filter group.
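
The following added example (not Palo Alto Networks code) models the rule evaluation described in step 4: rules are checked in order, the first match decides, the prefix and community criteria must both match, and a blank community field matches every route. It uses the two community patterns shown above with Python's re module as a stand-in for the platform's regex engine. The rule names, prefixes and community values are constructed, and the subnet behavior of a non-exact prefix entry is an assumption.

```python
import ipaddress
import re

# The two community patterns shown on the page.
ANY_7001 = r"(^|[^0-9])7001:([0-9]+)"
ONLY_7001_532 = r"(^|[^0-9])7001:532($|[^0-9])"

# Constructed sample rules, evaluated top to bottom.
RULES = [
    {"name": "deny-532", "prefixes": [("10.20.0.0/16", False)],
     "community": ONLY_7001_532, "action": "deny"},
    {"name": "permit-7001", "prefixes": "any",
     "community": ANY_7001, "action": "permit"},
]

def prefix_matches(rule, prefix):
    if rule["prefixes"] == "any":
        return True
    net = ipaddress.ip_network(prefix)
    for text, exact in rule["prefixes"]:
        want = ipaddress.ip_network(text)
        if net == want:
            return True
        # Assumption: a non-exact entry also covers more-specific subnets.
        if not exact and net.version == want.version and net.subnet_of(want):
            return True
    return False

def community_matches(rule, communities):
    # A blank community field matches every route.
    if not rule["community"]:
        return True
    # Multiple communities are presented as one space-separated string.
    return re.search(rule["community"], " ".join(communities)) is not None

def evaluate(rules, prefix, communities):
    """Return (rule name, action) of the first rule whose prefix AND
    community criteria both match; later rules are not consulted."""
    for rule in rules:
        if prefix_matches(rule, prefix) and community_matches(rule, communities):
            return rule["name"], rule["action"]
    return None, None  # no rule matched; the page does not state a default
```

The digit boundaries in the patterns are what keep 7001:532 from matching inside look-alike values such as 17001:532 or 7001:5321, which an unanchored 7001:532 pattern would accept.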