Understanding BGP on Palo Alto Networks Firewalls

Border Gateway Protocol (BGP) is the standard exterior gateway protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. Palo Alto Networks firewalls implement BGP within their Virtual Router instances (or Logical Routers in Advanced Routing mode), allowing them to participate in complex routing environments. This document covers key BGP concepts as implemented on PAN-OS.

This guide primarily uses terminology consistent with the legacy Virtual Router (VR) interface unless otherwise specified. Concepts are generally applicable to the Advanced Routing Engine (ARE) Logical Routers (LR) as well, though configuration paths might differ.

Core BGP Configuration

Location: BGP is configured within a specific Virtual Router instance on the firewall ( Network > Virtual Routers > [Your VR Name] > BGP ). It's not a global device setting.
Mandatory Settings: To enable BGP, you must configure:
- Router ID: A unique 32-bit identifier for the BGP speaker within the AS, typically an IP address on the firewall (often a loopback). Must be unique within the BGP domain.
- Local AS: The Autonomous System number the firewall belongs to.
Enable: The BGP process must be explicitly enabled via a checkbox within the Virtual Router's BGP general settings ( Network > Virtual Routers > [Your VR Name] > BGP > Basic > Enable ).

Peering: eBGP vs. iBGP

Peering is the process of establishing a TCP session (port 179) between two BGP routers to exchange routing information.

eBGP (External BGP): Used for peering between routers in different Autonomous Systems.
- Typically used for connections to ISPs or other organizations.
- Default Administrative Distance (AD) on PAN-OS is 20 (highly trusted).
- By default, assumes peers are directly connected (TTL=1).
iBGP (Internal BGP): Used for peering between routers within the same Autonomous System.
- Used to propagate external routes throughout your own network and maintain consistent exit policies.
- Default AD on PAN-OS is 200 (less trusted than IGPs like OSPF/RIP or static routes).
- Does not assume direct connection; TCP session must be established.
- Subject to the iBGP Split Horizon rule (needs full mesh, Route Reflectors, or Confederations).

Route Advertisement and Filtering

Controlling which routes are learned and advertised is crucial. PAN-OS (especially in legacy VR mode) uses specific profiles and rules:

Redistribution Profiles:
- Used to inject routes learned from other sources (like static routes, OSPF, connected interfaces) into BGP so they can be advertised to peers.
- Found under Network > Virtual Routers > [Your VR Name] > Redistribution Profiles .
- You define a profile, select the source protocols, set default metrics/tags, and optionally apply a Route Map for fine-grained control.
Export Rules (Peer Group Level):
- Control which routes from the firewall's BGP table are advertised out to specific BGP peers or peer groups.
- Applied under Network > Virtual Routers > [Your VR Name] > BGP > Peer Group > [Group Name] > Export Rules .
- Filters (using "Match") can target prefixes (via Prefix List), AS paths, communities, etc.
- Action is typically "Allow" or "Deny". The first matched rule applies.
- Can also set attributes (like MED, community, AS Path Prepend) on exported routes using the "Action" part.
Import Rules (Peer Group Level):
- Control which routes received from BGP peers are accepted into the BGP table and potentially installed into the firewall's main routing table (RIB).
- Applied under Network > Virtual Routers > [Your VR Name] > BGP > Peer Group > [Group Name] > Import Rules .
- Filters ("Match") are similar to Export rules.
- Action is typically "Allow" or "Deny".
- Can also set attributes influencing local path selection (like Weight, Local Preference) on imported routes.
Conditional Advertisement:
- A specific type of Export rule that allows advertising a prefix *only if* another specified prefix (the "non-suppress-filter" or "exist map" equivalent) exists in the firewall's BGP table or main RIB.
- Configured within an Export Rule by enabling "Conditional Adv" and selecting the filter matching the dependency route.
- Useful for advertising connectivity based on the availability of an underlying path.

Note on Order: For incoming routes, Dampening (if configured globally) is applied first, followed by Import Rules. For outgoing routes, Export Rules determine what is sent based on routes eligible in the BGP table (after import and redistribution).

Understanding the difference between Import (filtering/modifying received routes) and Export (filtering/modifying advertised routes) is critical for exam scenarios involving BGP policy.

BGP Peer Groups

Configuring multiple BGP peers, especially those with similar characteristics (like multiple peers within the same neighboring AS or multiple iBGP peers), can become repetitive. Peer Groups simplify this process significantly.

Purpose: To group multiple BGP neighbors that share identical configuration parameters.
Mechanism: You define a peer group template with common settings (e.g., peer type [iBGP/eBGP], remote AS, update source, timers, import/export rules, authentication). Then, you assign individual peer IP addresses to this group.
Benefits:
- Reduces Configuration Complexity: Avoids repeating the same parameters for each peer.
- Improves Performance: The firewall can generate and send BGP updates more efficiently for members of the same group.
- Easier Management: Changes applied to the peer group template automatically propagate to all member peers.
Configuration Location: Network > Virtual Routers > [VR Name] > BGP > Peer Group

BGP Multihop

By default, eBGP peers expect to be directly connected (sharing the same subnet), meaning the neighbor IP address should be reachable in one Layer 3 hop (TTL=1). iBGP does not have this direct connection requirement, but the TCP session still needs to establish.

Purpose: To allow BGP sessions to establish between peers that are *not* directly connected (separated by one or more intermediate routers).
Mechanism: You configure the BGP peering with a Time-To-Live (TTL) value greater than 1. This allows the TCP packets forming the BGP session to traverse the necessary number of router hops without being discarded due to TTL expiry.
Common Use Cases:
- iBGP: Very common when iBGP peers within an AS are connected via multiple Layer 3 devices (e.g., peering between loopback interfaces). You typically set a reasonably high TTL (e.g., 64, 255).
- eBGP: Less common but possible in specific scenarios (e.g., peering across a Layer 2 transport service where direct connection isn't feasible, certain IXP setups). Requires careful consideration of security and reachability. For eBGP multihop, you usually also need to disable the next-hop reachability check or use static routes, as the default check might fail.
Configuration Location: Within the specific peer configuration under Network > Virtual Routers > [VR Name] > BGP > Peer Group > [Group Name] > Peer > [Peer Name] > Connection Options > Multihop . You specify the TTL value here.

Important: When using multihop, especially for iBGP peering between loopback interfaces, ensure you have underlying IGP (like OSPF) or static routes providing reachability between those loopback addresses.

BGP Attributes and Path Selection Overview

BGP uses attributes carried within Update messages to learn about network reachability and select the best path when multiple paths to the same destination exist. Understanding the key attributes and the order they are evaluated in is fundamental.

Knowing the main attributes and their preference order (Weight -> LP -> AS_PATH -> Origin -> MED -> etc.) is essential for the exam.

Weight: Palo Alto/Cisco specific, locally significant only (not advertised). Highest weight preferred. Useful as a first-check preference on a single router.
Local Preference: Used within an AS to choose the exit point. Higher is better. Standard mechanism for outbound traffic engineering. Default 100.
Locally Originated: Routes injected via `network` or redistribution are preferred over learned routes.
AS_PATH: List of ASes traversed. Shorter path length is preferred. Primary attribute for loop prevention and often for basic path selection.
Origin Code: How the route entered BGP. Order of preference: IGP (i) > EGP (e) > Incomplete (?).
MED (Multi-Exit Discriminator): Suggests entry point preference to a neighbor AS. Lower is better. Compared only among paths from the *same* neighboring AS by default.
eBGP vs iBGP: eBGP learned routes are preferred over iBGP learned routes.
IGP Metric to Next-Hop: If multiple paths tie up to this point, prefer the path whose BGP next-hop is closest according to the internal IGP metric.
(ECMP): If enabled, multiple paths that are equal up to the IGP metric check can be used simultaneously.
Oldest Path / Stability: Prefer the most stable (oldest) eBGP path.
Router ID: Lowest BGP Router ID of the advertising peer is preferred.
Neighbor IP Address: Lowest neighbor IP address is preferred.

BGP Best Path Selection Process

When a BGP router receives multiple paths for the same network prefix, it runs a deterministic algorithm to select a single "best" path to install in its routing table and advertise to peers. The process stops as soon as one path is determined to be better than the others based on the current step.

Discard paths where the N ext-Hop is inaccessible (cannot be resolved in the RIB).
Prefer highest W eight (Palo Alto/Cisco specific, local significance).
Prefer highest L ocal Preference (Highest is better, AS-wide).
Prefer path locally O riginated (network, redistribute, aggregate).
Prefer path with shortest A S_PATH length.
Prefer path with lowest O rigin code (IGP < EGP < Incomplete).
Prefer path with lowest M ED (Multi-Exit Discriminator) - requires comparison between paths from the same neighboring AS by default.
Prefer E BGP paths over IBGP paths.
Prefer path with the lowest I GP metric to the BGP next-hop router.
(If ECMP is enabled and configured) Mark multiple paths as eligible for M ultipath load sharing if they are equal up to step 9.
Prefer the oldest (most stable) E BGP path.
Prefer path from the BGP peer with the lowest Router ID .
Prefer path from the BGP peer with the lowest neighbor IP address.

Key Takeaway: Steps higher in the list are more significant. A path chosen because it has a higher Local Preference (Step 3) will win, even if another path has a shorter AS_PATH (Step 5).

Route Selection Mnemonic

Remembering the order can be tricky. Here's a mnemonic (adapt or create your own!):

N o W ay L azy O ld A nts O ften M ake E xcellent I nternet M aps, E xcept R arely I n P aris!

( N ext-Hop, W eight, L ocal Pref, O riginated Locally, A S_PATH, O rigin Code, M ED, E BGP>IBGP, I GP Metric, M ultipath(ECMP), E BGP Age, R outer ID, Neighbor IP )

BGP Attribute: Weight

Understanding the Impact of Setting BGP Weight

The BGP Weight attribute is a vendor-specific parameter (supported by Cisco, Palo Alto Networks, and others, but not part of the BGP standard RFCs) used to influence path selection on a single, local router . It provides a simple way to prefer one path over another *before* considering more standard BGP attributes.

Primary Goal: To influence OUTBOUND Traffic Preference on the LOCAL ROUTER ONLY .
Mechanism:
- Weight is a numerical value assigned locally on the router where BGP paths are being evaluated.
- Higher weight values are more preferred .
- It is configured via local policy (e.g., Import Rules on Palo Alto, route maps on Cisco) applied to routes learned from specific neighbors.
- Crucially, Weight is locally significant only ; it is **NOT** advertised or propagated to any other BGP peers (neither iBGP nor eBGP).
Effect on Traffic:
- Outbound Flow (Local Router): If a router learns multiple paths to the same destination, it will prefer the path with the highest Weight value *before* considering any other standard BGP attributes like Local Preference or AS Path length. This directly controls the outbound path choice *for traffic processed by that specific router*.
- Outbound Flow (AS-Wide): Because Weight is not advertised, it has NO effect on the path selection decisions of other routers within your AS. Different routers might choose different paths if they don't have consistent Weight settings (or if Weight isn't the deciding factor).
- Inbound Flow: Setting Weight locally has NO impact whatsoever on how external networks choose to send traffic *into* your network.
Key Considerations:
- Weight is the very first attribute checked in the BGP Best Path Selection algorithm (after checking next-hop reachability) on platforms that support it, making it the most powerful *local* influence.
- Its primary use case is often to prefer a specific path learned directly on an edge router without needing to configure AS-wide policies like Local Preference immediately.
- Because it's not propagated, using Weight alone can lead to inconsistent routing policies or potential routing loops within your AS if not carefully managed. Local Preference is generally preferred for consistent AS-wide outbound policy.
- On Palo Alto firewalls, routes originated locally (via network statement or redistribution) are assigned a default weight of 32768 . Routes learned from peers have a default weight of 0 unless modified by an Import rule.

In Summary: Use Weight for strong local outbound preference on a single router. Use Local Preference for consistent AS-wide outbound preference . Use MED/Prepending to influence inbound preference .

Diagram illustrating BGP Weight. Router A assigns higher weight to routes from Peer C, making it the preferred outbound path. Weight is a local attribute and is not shared with peers.

BGP Attribute: Local Preference

Understanding the Impact of Setting Local Preference

Setting BGP Local Preference (LP) is the standard and most effective method used *within* an Autonomous System (AS) to control outbound path selection. It allows an administrator to define which exit point the entire AS should prefer for traffic destined for external networks.

Primary Goal: To influence OUTBOUND Traffic Preference (AS-Wide).
Mechanism:
- Local Preference is a well-known, discretionary BGP attribute, significant *only within* your local AS (it's passed between iBGP peers but not typically advertised to eBGP peers).
- It's a numerical value where higher values are more preferred . The default value on most platforms (including Palo Alto) is 100 .
- You typically set the Local Preference using an Import Rule (or route policy) applied to routes as they are *received* from your eBGP neighbors (e.g., your ISPs).
- When an edge router learns routes from an external peer and applies a higher LP, it advertises this route with the higher LP to its iBGP neighbors within the AS.
- All iBGP routers within the AS will compare the LP values for routes to the same destination and will prefer the path associated with the highest LP value.
Effect on Traffic:
- Outbound Flow: This directly controls which link *your AS* uses to send traffic *out* towards external destinations. If routes learned via ISP-A have LP 200 and routes learned via ISP-B have LP 100, your internal routers will choose the path via ISP-A to send traffic.
- Inbound Flow: Setting Local Preference *within your AS* has NO direct impact on how external networks (like your ISPs or other ASes) choose to send traffic *into* your network. External peers do not see or typically care about your internal LP settings.
Key Considerations:
- Local Preference is evaluated very early in the BGP Best Path Selection algorithm (typically after Weight, if used), making it a very powerful and decisive factor.
- It provides a consistent exit path policy across your entire AS (assuming LP is propagated correctly via iBGP).
- It's the standard method for designating primary and backup internet connections for *outbound* traffic.

In Summary: Set Local Preference (via Import Rules on received routes) to control how your AS exits towards external networks (Outbound). Use MED or AS Path Prepending (via Export Rules on advertised routes) to influence how others enter your network (Inbound).

BGP Attribute: MED (Multi-Exit Discriminator)

Understanding the Impact of Changing Advertised MED

Modifying the MED (Multi-Exit Discriminator) value you send in your BGP advertisements is a specific technique used for traffic engineering. It's crucial to understand which direction of traffic flow it influences.

Primary Goal: To influence INBOUND Traffic Preference (How others enter your AS).
Mechanism:
- You configure an Export Rule on your firewall to set a specific MED value on routes advertised TO an eBGP neighbor (e.g., ISP-A).
- MED is an optional, non-transitive attribute; lower values are considered more preferable by default.
- If your neighbor (ISP-A) has multiple connections to your AS and receives your advertisements over these connections, they *should* compare the MED values received *from you* for the same prefix.
- ISP-A will prefer the path associated with the lowest MED value to send traffic back TO your network.
Effect on Traffic:
- Inbound Flow: You are providing a hint or suggestion to your neighbor about which link *they* should prefer when sending traffic *into* your AS. By advertising a lower MED on Link 1 and a higher MED on Link 2 (both to the same neighbor), you make Link 1 the preferred entry point *from that neighbor's perspective*.
- Outbound Flow: Changing the MED you *advertise* has NO direct impact on how *your* firewall selects the best path to send traffic *out* to external networks. Your outbound path choice is determined by evaluating attributes (like Local Preference, AS Path) on routes you *receive* from your neighbors.
Key Considerations:
- MED is most reliably effective when influencing preference between multiple links connecting your AS to the SAME adjacent AS .
- The neighboring AS must be configured to compare and honor MED values received from peers. Not all ISPs do, or they may only do it under specific peering agreements. ( Always Compare MED setting on the receiving router can force comparison across different peer ASNs, but is less common).
- MED is lower in the BGP best-path selection order compared to Local Preference and AS Path Length.

In Summary: Advertise MED to influence how others enter your network (Inbound). Use Local Preference (on received routes) to influence how you exit your network (Outbound).

Yes, the diagram is accurate in illustrating the primary and intended use case of the BGP MED attribute, even considering its non-transitive nature.

Here's why:

MED's Purpose: The MED attribute is specifically designed to influence how an adjacent Autonomous System (AS) chooses between multiple entry points into your AS .
Non-Transitive Explained: The term "non-transitive" means that when AS 100 (the ISP Router) receives route advertisements with MED values from AS 65000 (Edge Routers R1 and R2), it uses those MED values for its own path selection process. However, when AS 100 subsequently re-advertises the chosen route (192.168.0.0/16 via R1) to its other BGP neighbors (like the network potentially hosting the External Client), it should not include the original MED value it received from AS 65000 . The MED attribute is typically "stripped" or removed before being passed to another AS.
What the Diagram Shows:
- AS 65000 correctly sends different MED values to its direct neighbor, AS 100 , over its two links.
- AS 100 correctly compares these received MED values (as they originate from the same neighboring AS, AS 65000 ) and selects the path with the lower MED (via R1) as preferable. This decision directly impacts how AS 100 sends traffic back towards AS 65000 .
- The diagram shows AS 100 advertising the route onwards (indicated by the dotted line). Crucially, it does not explicitly state that the MED=50 is included in this *onward* advertisement. It simply depicts the necessary route propagation for reachability.
- The diagram accurately illustrates the consequence of AS 100 's decision: traffic originating from the External Client is directed by AS 100 towards Edge Router R1, precisely because AS 100 preferred the lower MED path.

In conclusion: The diagram accurately depicts the MED attribute influencing the inbound path selection of the directly connected ISP ( AS 100 ). It correctly shows the *effect* of the MED comparison (traffic routing via R1) without incorrectly implying that the MED attribute itself is transitively passed to further, non-adjacent ASes.

Attribute Types: Transitive vs. Non-Transitive

BGP attributes carry information about routes, influencing path selection. They are categorized based on whether BGP routers are required to pass them along to other peers, especially if the router doesn't fully understand or implement the specific attribute. This is crucial for ensuring information propagates correctly across different Autonomous Systems.

Transitive Attributes

Definition: An attribute that SHOULD be passed along (remain with the route update) even by BGP speakers that do not recognize the attribute type code.
Purpose: To ensure that path information or policy signaling intended for downstream ASes reaches them, even if intermediate ASes don't actively use that specific information.
Propagation: If a router receives a route with an unrecognized transitive attribute, it should mark the update as having a "partial" understanding but still forward the attribute unchanged to its peers.
Types:
- Well-known Transitive: Must be recognized by all BGP implementations and passed along (e.g., AS_PATH , NEXT_HOP ).
- Optional Transitive: Not required to be recognized by all implementations, but if received, *should* be passed along if unrecognized (e.g., COMMUNITY , AGGREGATOR ).
Analogy: Think of it like a package with special handling instructions written on it. Even if an intermediate mail carrier doesn't know what the instructions mean, they are obligated to keep the instructions attached to the package as it moves towards its destination.

Non-Transitive Attributes

Definition: An attribute that MUST be discarded if the receiving BGP speaker does not recognize the attribute type code.
Purpose: Used for signaling that is generally only relevant between directly adjacent ASes or within a single AS. There's no requirement for this information to propagate further if it's not understood.
Propagation: If a router receives a route with an unrecognized non-transitive attribute, it simply removes that attribute before advertising the route to other peers.
Types:
- Optional Non-Transitive: Always optional (cannot be well-known). If unrecognized, it's discarded. If recognized, the router processes it according to its local policy. (e.g., MED - Multi-Exit Discriminator , ORIGINATOR_ID - used by Route Reflectors).
Analogy: Think of it like a sticky note attached to a package meant only for the very next person handling it. If that person doesn't understand the note, they just remove it and pass the package along without it.

Significance: This distinction is fundamental to how BGP operates across the diverse implementations on the internet. Transitivity ensures essential path information (like AS_PATH) and widely used optional information (like Communities) can traverse ASes that might not have the latest BGP features, while non-transitivity prevents misunderstood or locally-relevant information (like MED) from propagating unnecessarily.

Common BGP Scenarios & Traffic Engineering

Scenario: Influencing Outbound Traffic (Your Egress Choice)

Goal: Control which ISP or path your internal users take to reach external destinations.

Primary Tool: Local Preference (LP) . Set via Import Rules on routes learned from peers. Higher LP is preferred.

Mechanism: By assigning a higher LP value (e.g., 200) to routes learned from your preferred ISP (ISP-A) compared to the backup ISP (ISP-B, default 100), you tell all routers within your AS to use ISP-A as the exit point when both paths are available.

What to Look For: The question asks how to make *your network* prefer one path *out* over another. It involves comparing routes *received* from different peers and applying policy as routes enter your AS.

1. Scenario Setup & Topology

Let's define our example network:

Your Network: AS 65000
Internal Client: 10.1.1.50 (inside AS 65000)
Internal Router (iBGP): Rtr-Internal (learns routes via iBGP)
Edge Router A (Primary): Rtr-EdgeA (connects to ISP-A)
Edge Router B (Backup): Rtr-EdgeB (connects to ISP-B)
ISP-A (Primary Link): AS 100
ISP-B (Backup Link): AS 200
External Destination: Server 8.8.8.8 (represents any external network)

Topology Diagram (Mermaid Graph)

Network topology showing AS 65000 with two ISP connections.

2. Mechanism Explained Step-by-Step

Route Advertisement: Both ISP-A and ISP-B learn routes to the external internet, including the destination 8.8.8.8 , and advertise these routes via eBGP to your edge routers ( Rtr-EdgeA and Rtr-EdgeB , respectively).
Receiving Routes & Applying Policy:
- Rtr-EdgeA receives the route to 8.8.8.8 from ISP-A.
- An Import Rule configured on Rtr-EdgeA specifically for routes from ISP-A (AS 100) matches this incoming route.
- The action in this Import Rule is to set the Local Preference attribute to 200 (a high value, indicating preference).
- Rtr-EdgeB receives the route to 8.8.8.8 from ISP-B.
- A separate (or default) Import Rule on Rtr-EdgeB applies to routes from ISP-B (AS 200).
- This rule sets the Local Preference attribute to 100 (the default, or explicitly a lower value).
iBGP Propagation:
- Rtr-EdgeA advertises the route to 8.8.8.8 to its internal iBGP neighbor ( Rtr-Internal ), including the attribute Local Preference = 200 .
- Rtr-EdgeB advertises the route to 8.8.8.8 to Rtr-Internal , including the attribute Local Preference = 100 .
Internal Router Decision:
- Rtr-Internal now has two different iBGP paths to reach 8.8.8.8 : one via Rtr-EdgeA (LP=200) and one via Rtr-EdgeB (LP=100).
- Rtr-Internal executes the BGP Best Path Selection algorithm. Local Preference is evaluated very early (usually just after Weight, if used).
- It compares the LP values: 200 > 100 .
- Rtr-Internal selects the path learned from Rtr-EdgeA as the best path because it has the higher Local Preference.
Routing Table Installation: Rtr-Internal installs the route to 8.8.8.8 in its main routing table (RIB) with Rtr-EdgeA as the next hop.

3. Visualizing the Mechanism (Sequence Diagram)

This diagram shows the interactions and the flow of BGP information leading to the path selection and subsequent traffic flow.

Sequence of BGP updates, Local Preference setting, internal decision, and traffic flow.

4. Visualizing the Decision Logic (Flowchart)

This flowchart illustrates the simplified decision process within Rtr-Internal when Local Preference is the deciding factor.

Flowchart showing the decision process within Rtr-Internal based on Local Preference.

5. Visualizing the State (State Diagram)

This state diagram shows the resulting state of the route for 8.8.8.8 within Rtr-Internal after the BGP decision process.

State diagram illustrating the final selected path and the non-selected path for the route within Rtr-Internal.

6. Traffic Flow Explained

As shown in Phase 2 of the Sequence Diagram:

The Client (10.1.1.50) sends a packet destined for the Server (8.8.8.8).
The packet arrives at Rtr-Internal .
Rtr-Internal performs a route lookup in its Routing Information Base (RIB).
Based on the BGP decision (highest Local Preference), the best path to 8.8.8.8 points towards Rtr-EdgeA .
Rtr-Internal forwards the packet to Rtr-EdgeA .
Rtr-EdgeA forwards the packet out of AS 65000 towards its eBGP peer, ISP-A .
The traffic successfully exits via the preferred primary link.

7. Key Takeaways & Summary

Control Direction: Local Preference controls OUTBOUND traffic flow for your entire AS.
Configuration Point: Set using IMPORT Rules on edge routers as routes are received from eBGP peers.
Preference: HIGHER Local Preference values are preferred. Default is 100.
Scope: The attribute is passed between iBGP peers within your AS but NOT to eBGP peers outside your AS.
Result: Provides a consistent, AS-wide policy for selecting the primary exit path.
Inbound Impact: Setting LP has NO direct effect on how external networks choose to send traffic into your AS.

8. Conceptual Configuration Snippets (Palo Alto - Legacy VR Style)

On Rtr-EdgeA (Peer Group for ISP-A)

Virtual Router: [Your VR Name]
 BGP > Peer Group > [Group ISP-A]
  Type: EBGP
  Peer AS: 100
  Enable Peer: Yes
  Address Family: IPv4 Unicast

  Import Rules > Add Rule: "Prefer_ISP-A"
   Enable: Yes
   Used By: [Peer ISP-A-IP]
   Match:
     Route Table: Unicast
     (Optional: Match specific prefixes if needed)
   Action: Allow
     Local Preference: 200  <--- Key Setting (Higher Value)

On Rtr-EdgeB (Peer Group for ISP-B)

Virtual Router: [Your VR Name]
 BGP > Peer Group > [Group ISP-B]
  Type: EBGP
  Peer AS: 200
  Enable Peer: Yes
  Address Family: IPv4 Unicast

  Import Rules > Add Rule: "Default_ISP-B"
   Enable: Yes
   Used By: [Peer ISP-B-IP]
   Match:
     Route Table: Unicast
     (Match all, or specific prefixes)
   Action: Allow
     Local Preference: 100  <--- Key Setting (Default or Lower Value)

This comprehensive example, using text and multiple diagram types, should clearly illustrate how Local Preference works to control outbound BGP traffic routing.

Common BGP Scenarios & Traffic Engineering

Scenario: Influencing Inbound Traffic (Neighbor's Ingress Choice)

Goal: Control which of your links external networks use to send traffic *to* your network.

Primary Tools:

AS Path Prepending: Set via Export Rules towards the *less* preferred peer(s). Shorter path length is preferred globally. Make the path look longer via the link you *don't* want traffic to enter through.
MED (Multi-Exit Discriminator): Set via Export Rules . Lower MED is preferred. Primarily effective between you and a *single adjacent AS* with multiple links between you. Less reliable globally.

Mechanism (Prepend): You advertise your prefixes to the backup ISP (ISP-B) with your AS number repeated several times (e.g., 65000 65000 65000 ). External networks see this longer path and prefer the shorter path advertised via your primary ISP (ISP-A, e.g., 65000 ).

Mechanism (MED): Advertise your prefix to the same neighbor ISP over two links, setting MED 100 on the primary link and MED 200 on the backup link. The neighbor ISP (if they honor MED) will prefer the link where they received the lower MED.

What to Look For: The question asks how to make *other networks* prefer sending traffic *to you* via one link over another. It involves modifying attributes on routes you *advertise*. Look for keywords like "inbound," "attract," "less preferred entry point."

Common BGP Scenarios & Traffic Engineering

Scenario: Using BGP Communities for Policy

Goal: Tag routes with specific values to signal policy intentions to BGP peers (or for internal use).

Primary Tool: Community Attribute (Optional Transitive). Set via Export Rules , matched via Import/Export Rules.

Mechanism: You attach a specific community value (e.g., well-known like no-export (FFFF:FF01), no-advertise (FFFF:FF03), local-as (FFFF:FF04) or custom values like `ASN:Value`) to a route advertisement. The receiving peer, if configured to recognize that community, performs a specific action (e.g., does not advertise the route further to eBGP peers, sets a specific local preference).

What to Look For: The question mentions tagging routes, signaling actions to peers, or preventing propagation based on agreed-upon signals/tags.

BGP NO-EXPORT
The no-export community is a well-known BGP attribute that instructs routers not to advertise the associated route to external BGP (eBGP) peers. This ensures that the route remains within the local AS or confederation, preventing its propagation to other ASes.

BGP NO-ADVERTISE
The no-advertise community is a well-known BGP attribute that instructs routers not to advertise the associated route to any BGP peers, including both internal (iBGP) and external (eBGP) peers. This confines the route to the local router

BGP local-as
The local-as community is a well-known BGP attribute used within BGP confederations. It prevents the advertisement of the associated route to peers outside the local sub-AS within the confederation.

Common BGP Scenarios & Traffic Engineering

Scenario: Conditional Route Advertisement

Goal: Advertise a prefix only if a specific condition is met, typically the existence of another route.

Primary Tool: Conditional Advertisement feature within Export Rules , using a filter (Prefix List or Route Map) defined as the "Non-Suppress Filter" (legacy VR term) or "Exist Map" (ARE term) .

Mechanism: You configure an Export Rule to allow advertisement of Prefix A. Within the rule, you enable Conditional Advertisement and select a filter that matches Prefix B. The firewall checks its routing table (BGP table or RIB depending on implementation details); if Prefix B exists and matches the filter, Prefix A is advertised. If Prefix B is not present or doesn't match, Prefix A is withdrawn or not advertised.

What to Look For: The question states a requirement to advertise something *only if* something else is present (e.g., advertise my network only if I have a default route, advertise a specific prefix only if the path via another ISP is down).

Comprehensive Example: BGP Conditional Route Advertisement

Goal: To advertise a specific BGP prefix (Prefix A) to a neighbor only if another specific prefix (Prefix B, the condition) exists in the local router's routing table (RIB or BGP table). This prevents advertising reachability for a network if the underlying path or dependency needed to actually use that advertised route is missing.

Primary Tool:

Conditional Advertisement Feature: Enabled within BGP Export Rules .
Condition Filter/Map: A Prefix List or Route Map used to identify the conditional prefix (Prefix B). PAN-OS legacy VRs call this the "Non-Suppress Filter"; ARE Logical Routers use the term "Exist Map".

Core Concept: It creates a dependency: Route A's advertisement depends on Route B's presence.

1. Scenario Setup & Topology

Let's define our example network:

Your Network: AS 65000
Your Router: Rtr-Mine (in AS 65000)
Your Internal Network (Prefix A): 192.168.10.0/24 (This is the prefix we want to advertise conditionally).
Primary ISP: AS 100 ( ISP-A ) - Provides the default route.
Conditional Route (Prefix B): 0.0.0.0/0 (Default Route learned from ISP-A).
Peer Network: AS 300 ( Peer-Z ) - The neighbor we want to conditionally advertise Prefix A to.

Goal: Rtr-Mine should only advertise 192.168.10.0/24 to Peer-Z (AS 300) if it has a valid default route ( 0.0.0.0/0 ) learned from ISP-A (AS 100) installed in its routing table.

Topology Diagram (Mermaid Graph)

Network topology for conditional advertisement example.

2. Mechanism Explained Step-by-Step

Configure Potential Advertisement: Rtr-Mine is configured to potentially advertise its internal network 192.168.10.0/24 (Prefix A). This might be via a network statement or redistribution.
Configure Export Policy to Peer-Z: An Export Rule is created on Rtr-Mine specifically for the peering session with Peer-Z (AS 300).
- This rule matches Prefix A ( 192.168.10.0/24 ).
- The action is set to Allow .
Enable Conditional Advertisement: Within this Export Rule, the "Conditional Advertisement" option is enabled.
Define the Condition: A "Non-Suppress Filter" (or "Exist Map") is selected within the Conditional Advertisement settings. This filter is configured to match Prefix B ( 0.0.0.0/0 ). Crucially, you can often make this filter more specific, e.g., match 0.0.0.0/0 only if learned from AS 100, or only if it's the active route in the RIB. For simplicity here, we'll assume it checks for any active 0.0.0.0/0 in the RIB.
Runtime Check (Condition Met):
- Rtr-Mine establishes a BGP session with ISP-A and learns the default route 0.0.0.0/0 .
- This default route is installed as the active route in Rtr-Mine 's RIB.
- When Rtr-Mine evaluates the Export Rule towards Peer-Z , it checks the condition: "Does a route matching the Non-Suppress Filter ( 0.0.0.0/0 ) exist and is active?".
- The check passes (Yes).
- Rtr-Mine proceeds with the rule's action ( Allow ) and advertises Prefix A ( 192.168.10.0/24 ) to Peer-Z .
Runtime Check (Condition Lost):
- The connection to ISP-A fails, or ISP-A withdraws the default route.
- The 0.0.0.0/0 route is removed from Rtr-Mine 's RIB (or becomes inactive).
- When Rtr-Mine re-evaluates the Export Rule towards Peer-Z , it checks the condition again: "Does 0.0.0.0/0 exist and is active?".
- The check fails (No).
- Rtr-Mine suppresses the advertisement of Prefix A. If Prefix A was previously advertised, Rtr-Mine sends a BGP Withdraw message for 192.168.10.0/24 to Peer-Z .

3. Visualizing the Logic (Flowchart)

This flowchart shows the decision process within Rtr-Mine when deciding whether to advertise Prefix A to Peer-Z.

Flowchart for conditional advertisement logic on Rtr-Mine.

4. Visualizing the Dynamics (Sequence Diagram)

This shows the sequence of events, including the condition changing.

Sequence diagram showing advertisement and withdrawal based on the condition.

5. Visualizing the State (State Diagram)

This shows the state of the advertisement of Prefix A to Peer-Z , dependent on the presence of Prefix B.

State diagram for the advertisement of Prefix A based on the state of Prefix B.

6. Traffic Flow Impact

When Condition is Met (Default Route Exists):
- Rtr-Mine advertises 192.168.10.0/24 to Peer-Z .
- Peer-Z installs the route and can potentially send traffic destined for 192.168.10.0/24 towards Rtr-Mine .
- This is desirable because Rtr-Mine has a path (the default route) to forward return traffic or other necessary traffic towards the internet.
When Condition is Not Met (Default Route Lost):
- Rtr-Mine withdraws 192.168.10.0/24 from Peer-Z .
- Peer-Z removes the route via Rtr-Mine . It will *not* send traffic for 192.168.10.0/24 to Rtr-Mine (it might use another path if available, or consider the destination unreachable).
- This prevents Peer-Z from sending traffic into a potential "black hole" in AS 65000, as Rtr-Mine currently lacks its own path to the wider internet.

7. Key Considerations & Use Cases

RIB vs. BGP Table Check: Implementations vary. Some check the main Routing Information Base (RIB) for the active condition route, while others might check the BGP Loc-RIB. Understanding your platform's specific behavior is important. PAN-OS generally checks the RIB.
Condition Route Stability: If the conditional route (Prefix B) flaps frequently, the dependent route (Prefix A) will also flap, potentially causing instability for peers.
Specificity of Filter: Make the "Non-Suppress Filter" / "Exist Map" as specific as needed. Matching any default route might not be desired if you only want to advertise when the *primary* default route is up.
Common Uses:
- Advertising your network only when you have a valid default route from your ISP.
- Advertising a specific customer prefix only when the direct link to that customer is up.
- In multi-homed scenarios, advertising prefixes out via ISP-B *only if* the path via ISP-A is unavailable (by making the condition the *absence* of a route learned from ISP-A, using an "Advertise Filter" or "non-exist map" if supported, though the primary mechanism usually checks for *existence*).

8. Conceptual Configuration Snippet (Palo Alto - Legacy VR Style)

Virtual Router: [Your VR Name]
 BGP > Peer Group > [Group Peer-Z]
  Type: EBGP
  Peer AS: 300
  Enable Peer: Yes
  Address Family: IPv4 Unicast

  Export Rules > Add Rule: "Adv_MyNet_Conditionally"
   Enable: Yes
   Used By: [Peer Peer-Z-IP]

   Match > Route Table: Unicast
   Match > Prefix List: [Select Prefix List matching 192.168.10.0/24]

   Action: Allow

   Conditional Adv > Enable: Yes   <--- Enable the feature
   Conditional Adv > Non-Suppress-Filter: [Select Filter matching 0.0.0.0/0] <--- Define condition

(You would need to define the Prefix List for 192.168.10.0/24 and the Filter (often another Prefix List) for 0.0.0.0/0 separately under Network > Route Filters or equivalent)

9. Summary

Conditional Advertisement provides a powerful mechanism to tie the advertisement of one route to the presence of another. It's configured via Export Rules, using a filter to check for the conditional route's existence in the router's table. This is primarily used to prevent advertising reachability when the necessary underlying connectivity is missing, thus avoiding traffic black holes and improving routing stability.

Common BGP Scenarios & Traffic Engineering

Scenario: Overriding BGP for Specific Traffic/Prefixes

Goal: Force traffic for a specific destination or traffic originating from the firewall itself down a path different from the BGP best path.

Primary Tools:

Static Routes: With a lower Administrative Distance (AD) than BGP (eBGP=20, iBGP=200). Default static route AD is 10.
Policy Based Forwarding (PBF): Can override routing table for specific flows based on source/destination/port etc. (Beyond BGP attributes, acts on traffic flow).
Import Rules: Setting high Local Preference or Weight for *specific* learned prefixes.

Mechanism (Static): A static route with AD 10 will always be preferred over an eBGP route (AD 20) or iBGP route (AD 200) for the same prefix, useful for forcing firewall-originated traffic or specific destination traffic down a non-BGP path.

Mechanism (Import LP/Weight): Make a specific prefix learned via a normally non-preferred path more attractive using a higher LP or Weight just for that prefix via an Import Rule.

What to Look For: The question involves overriding the normal BGP decision, handling specific destinations differently, or controlling traffic *from the firewall*. Mention of Administrative Distance often points towards Static Routes. Mention of specific application/port/source traffic points towards PBF.

iBGP Scalability: Confederations vs. Route Reflectors

The iBGP split-horizon rule (routes learned from one iBGP peer are not advertised to another iBGP peer) necessitates a full mesh of connections between all iBGP speakers within an AS. This doesn't scale well in large networks. Two primary solutions exist:

Route Reflectors (RR): (Often preferred for simplicity)
- An RR is an iBGP speaker allowed to break the split-horizon rule.
- It reflects routes learned from one iBGP client peer to other iBGP client peers.
- Clients only need to peer with the RR(s), drastically reducing the number of iBGP sessions required.
- RRs introduce attributes like ORIGINATOR_ID and CLUSTER_LIST to prevent loops within the reflection topology.
Confederations:
- Purpose: To divide a single large AS into multiple smaller, private sub-ASes (confederation members).
- Mechanism:
  - Within each sub-AS, a full mesh of iBGP peers (or Route Reflectors) is still required, but the mesh size is much smaller.
  - Peering *between* sub-ASes uses a modified form of eBGP (often called "Confederation eBGP" or EBGP).
  - Crucially, when routes cross sub-AS boundaries, BGP attributes like NEXT_HOP, MED, and Local Preference are preserved as if it were iBGP, unlike standard eBGP.
  - To the outside world (peers external to the confederation), the entire collection of sub-ASes still appears as the single, original public AS number. The sub-AS numbers are stripped from the AS_PATH when advertised externally.
- Complexity: Generally considered more complex to design and configure than Route Reflectors.
- Configuration Location: Sub-AS definition under Network > Virtual Routers > [VR Name] > BGP > Basic ; peer configuration specifies the peer's sub-AS.

Route Reflectors significantly reduce the number of required iBGP sessions compared to a full mesh.

Operational Aspects

BGP States: Indicate the status of a peer session:
- Idle : Initial state, no resources allocated.
- Connect : Attempting to establish TCP connection (Client role).
- Active : TCP connection failed, trying again (Server role, listening).
- OpenSent : TCP established, OPEN message sent, waiting for peer's OPEN.
- OpenConfirm : OPEN received, waiting for KEEPALIVE or NOTIFICATION.
- Established : Peering successful, UPDATE messages can be exchanged. This is the desired state.
Timers:
- Keep Alive Interval: How often Keepalive messages are sent (Default: 30 seconds).
- Hold Time: How long a router waits for a Keepalive or UPDATE from a peer before declaring it down (Default: 90 seconds, typically 3x Keepalive). Must be negotiated; the lower value proposed by either peer is used.
High Availability (HA): In an Active/Passive setup, only the Active firewall establishes and maintains BGP sessions. Configuration is synchronized, allowing the Passive firewall to take over quickly if failover occurs. BGP Graceful Restart can help minimize disruption during failover if supported by peers.
MP-BGP (Multiprotocol BGP): An extension allowing BGP to carry routing information for multiple network layer protocols (Address Families) beyond just IPv4 unicast, such as IPv6 unicast, VPNv4 (for MPLS VPNs), etc. Enabled under BGP > Basic > Enable MP-BGP . Requires specific AFI/SAFI configuration in Peer Groups/Peers (or Profiles in ARE).
Route Dampening: A mechanism to penalize flapping (unstable) routes, suppressing them for a period to improve overall network stability. Configured globally under Network > Virtual Routers > [VR Name] > BGP > Dampening and applied via Import Rules. Use with caution as it can delay reconvergence.
Graceful Restart: Allows a BGP speaker undergoing a restart (e.g., software upgrade, process restart) to signal its peers to temporarily retain its routes, avoiding widespread routing instability during the restart. Configured under BGP > Basic > Graceful Restart . Peers must also support Graceful Restart Helper mode.

BGP Operational Aspects Explained

Beyond basic peering and path selection, several operational factors influence BGP behavior, stability, and functionality.

1. BGP Peer States

The BGP state machine defines the progression of a peering session. Understanding these states is crucial for troubleshooting connectivity issues.

Idle : Initial state. No BGP resources allocated, refusing connections. Enters Connect upon start event.
Connect : Actively trying to establish a TCP connection to the peer (acting as TCP client). If successful, sends OPEN and moves to OpenSent. If fails (e.g., connect timer expires), moves to Active.
Active : TCP connection attempt failed. Now listening for incoming connections from the peer (acting as TCP server) and periodically retrying to Connect. If connection established (incoming or outgoing), sends OPEN and moves to OpenSent.
OpenSent : TCP connection exists. An OPEN message has been sent, waiting for an OPEN message from the peer. Validation occurs upon receipt. If valid, sends KEEPALIVE and moves to OpenConfirm. If invalid, sends NOTIFICATION and returns to Idle.
OpenConfirm : Received and validated peer's OPEN message. Waiting for a KEEPALIVE message (or UPDATE/NOTIFICATION) to confirm the peer is also ready. If KEEPALIVE received, moves to Established. If Hold Timer expires or NOTIFICATION received, returns to Idle.
Established : Peering successful! Peers exchange UPDATE messages (routes), KEEPALIVE messages, and NOTIFICATION messages (errors). This is the desired operational state.

BGP State Machine (State Diagram)

Simplified BGP state machine showing transitions between peering states.

2. BGP Timers

Timers govern the health and maintenance of the BGP session.

Keep Alive Interval: Frequency (in seconds) at which KEEPALIVE messages are sent to the peer to indicate the session is still active. (Default: 30 seconds).
Hold Time: Maximum time (in seconds) a router will wait for a KEEPALIVE or UPDATE message from its peer before considering the peer down and tearing down the session. (Default: 90 seconds, typically 3x Keepalive).
Negotiation: Peers exchange their configured Hold Times in the OPEN message. The *lower* of the two proposed Hold Times is used for the session by both peers. The Keepalive interval is then typically set to one-third of the agreed-upon Hold Time.

Timer Interaction (Sequence Diagram)

Sequence showing Keepalive exchange and Hold Timer expiration leading to session failure.

3. High Availability (HA)

In a standard Active/Passive HA pair:

Only the Active firewall establishes and maintains BGP sessions and participates in routing.
Configuration (BGP settings, policies) is synchronized from the Active to the Passive firewall.
Upon failover, the now-Active (previously Passive) firewall takes over the necessary IP addresses and attempts to establish BGP sessions using the synchronized configuration.
BGP **Graceful Restart** (if enabled and supported by the peer) can significantly reduce routing disruption during failover by allowing peers to temporarily retain routes learned from the firewall while it restarts its BGP process on the newly active member.

HA Topology (Graph Diagram)

Active/Passive HA topology showing BGP session from the Active firewall.

4. MP-BGP (Multiprotocol BGP)

MP-BGP extends BGP to carry reachability information for diverse network layer protocols, known as Address Families.

Uses Address Family Identifiers (AFI) and Subsequent Address Family Identifiers (SAFI) to distinguish between different types of routing information (e.g., IPv4 Unicast, IPv6 Unicast, Layer 3 VPNs).
Allows a single BGP session to carry routes for multiple address families simultaneously.
Requires explicit enablement and configuration for each desired AFI/SAFI on the BGP session/peer group.

MP-BGP Concept (Graph Diagram)

MP-BGP allows carrying different types of routes (Address Families) over one BGP session.

5. Route Dampening

A mechanism to penalize and temporarily suppress routes that flap (repeatedly appear and disappear), improving overall network stability at the cost of potentially slower reconvergence for the dampened route.

When a route flaps, a penalty is added.
If the accumulated penalty exceeds a suppress limit , the route is dampened (suppressed) and not considered for best path selection or advertised.
The penalty decays exponentially over time.
If the penalty decays below a reuse limit , the route is unsuppressed and becomes eligible again.
Configured globally (per VR) and applied via Import Rules.

Route Dampening State Machine (State Diagram)

State transitions for a route subject to BGP dampening.

6. Graceful Restart (GR)

Allows a restarting BGP router to minimize routing disruption. The restarting router informs its peers, which act as "helpers".

**Negotiation:** Support is negotiated via Capabilities in the OPEN message.
**Restarting Router:** When restarting (e.g., process crash, upgrade), it signals peers.
**Helper Peer:** Marks routes from the restarting router as "stale" but continues forwarding traffic using them for a configured time (Restart Time). Does not immediately withdraw them.
**Re-establishment:** The restarting router re-establishes the BGP session quickly.
**Updates:** Once re-established, new routes are sent. The helper peer replaces stale routes with fresh ones. An End-of-RIB marker signals completion.

Graceful Restart Process (Sequence Diagram)

Sequence showing BGP Graceful Restart interaction during a router restart.

Verification (CLI Commands)

Useful CLI commands for troubleshooting and verification (execute in operational mode):

show routing protocol bgp summary : Displays a summary of all BGP peers, their state, uptime, and prefix counts. Quickest way to check peering status. (Use show routing protocol bgp peers for slightly more detail per peer).
show routing protocol bgp peer : Shows detailed information about a specific peer, including configured options, timers, state, and counters.
show routing protocol bgp rib-in peer : Shows routes received from a specific peer *before* import policies are applied. Essential for verifying what the neighbor is actually sending.
show routing protocol bgp rib-out peer : Shows routes advertised *to* a specific peer after export policies are applied. Essential for verifying your advertisements.
show routing route protocol bgp : Shows BGP routes that have been successfully selected as best paths and installed into the main IP routing table (RIB).
show routing fib protocol bgp : Shows BGP routes programmed into the hardware forwarding plane (Forwarding Information Base). Useful to confirm if the data plane matches the control plane.
show routing protocol bgp policy peer prefix : Simulates the effect of import or export policies on a specific prefix for a given peer, showing which rule matched and the outcome. Very useful for debugging policy rules.

Remember to use the correct Virtual Router context if multiple VRs exist: set system setting target-vsys before running VR-specific commands, or specify the VR in some commands (check command syntax).

Interactive BGP Quiz

Test your knowledge of Palo Alto BGP Concepts. Please answer all questions before submitting.

1. What is the default Administrative Distance (AD) for routes learned via eBGP on PAN-OS?

10 20 110 200

2. Which BGP attribute is primarily used within an Autonomous System (AS) to influence the outbound path selection (egress point)?

MED (Multi-Exit Discriminator) AS_PATH Length Local Preference Weight

3. To set the Local Preference attribute for routes received from an eBGP peer (like an ISP), where would you typically configure this policy on a Palo Alto firewall (legacy VR)?

Export Rules (Peer Group) Import Rules (Peer Group) Redistribution Profile Dampening Profile

4. You want to make one of your internet links (ISP-B) less preferred for INBOUND traffic compared to your primary link (ISP-A). Which BGP technique is commonly used for this?

Advertise higher Local Preference to ISP-B Advertise lower MED to ISP-B Use AS Path Prepending when advertising to ISP-B Set lower Weight on routes received from ISP-B

5. Which BGP attribute is evaluated FIRST in the best path selection algorithm (after next-hop reachability) but is NOT advertised to BGP peers?

Local Preference MED Weight Origin Code

6. To make routes learned from ISP-A the preferred outbound path for your entire AS over routes learned from ISP-B, you should configure an Import Rule that applies to routes from ISP-A to set a:

Lower Local Preference Higher Local Preference Lower MED Higher Weight

7. If you want to attach a BGP community value (e.g., 'no-export') to routes that you are advertising TO a specific eBGP peer, you would configure this "set community" action within which type of rule?

Import Rule Export Rule Redistribution Profile Policy Based Forwarding Rule

8. What is the final, desired BGP peer state indicating that the peering is fully operational and route updates can be exchanged?

Idle Connect Active OpenConfirm Established

9. Which two mechanisms are primarily used to overcome the iBGP full-mesh requirement for scalability?

MED and Local Preference Route Reflectors and Confederations Weight and AS_PATH Prepending Multihop and Authentication

10. What is the default BGP Hold Time on Palo Alto Networks firewalls?

30 seconds 60 seconds 90 seconds 180 seconds

11. The MED (Multi-Exit Discriminator) attribute is classified as which type of BGP attribute?

Well-known Mandatory Well-known Discretionary Optional Transitive Optional Non-transitive

12. You receive a route from your ISP tagged with `65001:666`. Your ISP documentation states this tag means the route should not be advertised outside your own AS. What BGP attribute is being used here?

Origin Code MED Community Aggregator

13. Which CLI command would you use to see the raw routes being sent *by* your BGP neighbor *before* any of your firewall's import policies have been applied?

show routing protocol bgp rib-in peer <peer> show routing protocol bgp rib-out peer <peer> show routing route protocol bgp show routing fib protocol bgp

14. All other attributes being equal (Weight, LP, Origin etc.), how does BGP choose between two eBGP paths to the same destination?

Prefers the path with the lower MED Prefers the path with the shorter AS_PATH length Prefers the path from the peer with the lower Router ID Prefers the older (more stable) path

15. You need to establish an iBGP peering between two routers within your AS using their loopback interfaces, which are several router hops apart. What BGP peer option is essential to configure?

Passive Mode Multihop (with appropriate TTL) Route Reflector Client Override Next Hop

16. You have five iBGP peers that all require the same import/export policies and timers. What is the most efficient way to configure this on the firewall?

Configure each peer individually with all settings. Create a BGP Peer Group with the common settings and add the peers to it. Use a Redistribution Profile applied to all peers. Apply a single complex Route Map to all peers.

17. True or False: The BGP Weight attribute is advertised to iBGP peers.

True False

18. The BGP Community attribute is classified as which type?

Well-known Mandatory Optional Transitive Optional Non-transitive Palo Alto Specific

19. If two BGP paths are completely identical through all major attributes (Weight, LP, AS_PATH, Origin, MED, EBGP/IBGP preference, IGP metric), what is typically the *next* tie-breaker used in the best path selection?

Prefer the oldest (most stable) eBGP path Prefer the path from the peer with the lowest Router ID Prefer the path from the peer with the lowest IP address Randomly select one path

20. To advertise routes learned via OSPF into your BGP process, you need to configure:

An Import Rule matching OSPF routes An Export Rule matching OSPF routes A Redistribution Profile enabling redistribution from OSPF A BGP `network` command for the OSPF networks