BGP Route Redistribution and Attributes in Palo Alto Networks Firewalls

Overview

Border Gateway Protocol (BGP) is a dynamic routing protocol used to exchange routing information between autonomous systems (AS). In Palo Alto Networks firewalls, BGP route redistribution allows the integration of routes from different sources (e.g., static, connected, OSPF, RIP) into BGP, enabling a unified routing strategy across diverse network segments.

Configuring BGP Route Redistribution

1. Create a Redistribution Profile:
   • Navigate to Network > Virtual Routers and select your virtual router.
   • Go to Redistribution Profile and click Add .
   • Enter a Name and set the Priority (lower values have higher priority).
   • Choose Redist to specify routes to redistribute or No Redist to exclude certain routes.
   • Under General Filter , select the source types (e.g., static, connected, OSPF, RIP).
   • Optionally, specify interfaces, destinations, or next hops to match specific routes.
   • Click OK to save the profile.
2. Apply the Redistribution Profile to BGP:
   • Within the same virtual router, navigate to BGP > Redist Rules .
   • Click Add and select the redistribution profile you created.
   • Configure additional attributes as needed (e.g., metric, origin, MED, local preference).
   • Enable the redistribution rule.

For detailed steps, refer to the official documentation: Configure Route Redistribution .

BGP Attributes Influencing Routing Decisions

BGP uses several attributes to determine the best path when multiple routes to the same destination exist. Understanding and manipulating these attributes can influence routing decisions to align with network policies.

• Local Preference: Indicates the preferred path for outbound traffic within an AS. Higher values are preferred.
• AS Path: Lists the ASes that a route has traversed. Shorter paths are preferred.
• Origin: Specifies the origin of the route (IGP, EGP, or Incomplete). Preference order: IGP > EGP > Incomplete.
• MED (Multi-Exit Discriminator): Suggests the preferred path into an AS for inbound traffic. Lower values are preferred.
• Community: Tags routes for applying routing policies. Communities can be used to group routes and apply policies collectively.

These attributes can be set or modified using route maps within redistribution profiles.

Examples

Example 1: Setting Local Preference

To prefer a specific route for outbound traffic:

set local-preference 200

This sets the local preference to 200 for the matched routes, making them more preferred over routes with lower local preference values.

Example 2: Modifying MED

To influence inbound traffic from a neighboring AS:

set med 50

This sets the MED to 50 for the matched routes, suggesting to external peers that this path is more preferred for inbound traffic.

Example 3: Tagging Routes with a Community

To tag routes for policy application:

set community 65000:100

This assigns the community value 65000:100 to the matched routes, which can then be used in routing policies to control route advertisement or acceptance.

Best Practices

• Use route maps to control which routes are redistributed and to set appropriate attributes.
• Monitor the routing table to ensure that redistribution behaves as expected.
• Document redistribution policies and attribute settings for maintenance and troubleshooting.
• Regularly review and update redistribution profiles to align with network changes.

Monitoring and Troubleshooting BGP Route Redistribution

Effective monitoring and troubleshooting are essential to ensure that BGP route redistribution functions as intended. Palo Alto Networks firewalls offer various tools and commands to assist in this process.

• Monitor BGP Peers: Navigate to Network > Virtual Routers > [Your Virtual Router] > BGP > Peer Group to view the status of BGP peers.
• View Routing Information: Use the CLI command show routing route to display the routing table and verify redistributed routes.
• Check BGP RIB: Use show routing protocol bgp rib-out to view the routes being advertised to peers.
• Examine Redistribution Rules: Review the redistribution profiles and rules under Network > Virtual Routers > [Your Virtual Router] > Redistribution Profile to ensure correct configuration.
• System Logs: Check Monitor > Logs > System for any BGP-related events or errors.

Regularly monitoring these areas helps in early detection of issues and ensures that the routing policies are enforced as intended.

Monitoring and Troubleshooting BGP Route Redistribution

Effective monitoring and troubleshooting are essential to ensure that BGP route redistribution functions as intended. Palo Alto Networks firewalls offer various tools and commands to assist in this process.

CLI Commands

• View BGP Summary: show routing protocol bgp summary virtual-router <virtual-router-name>
• Display BGP Peer Information: show routing protocol bgp peer peer-name <peer-name> virtual-router <virtual-router-name>
• Examine Local RIB: show routing protocol bgp loc-rib
• Check Routing Table: show routing route
• Inspect BGP Advertised Routes: show routing protocol bgp rib-out

These commands provide insights into the BGP sessions, advertised and received routes, and the overall routing table, aiding in pinpointing issues related to route redistribution.

GUI Tools

• Monitor BGP Peers: Navigate to Network > Virtual Routers > [Your Virtual Router] > BGP > Peer Group to view the status of BGP peers.
• View Routing Information: Use the Routing tab under Device > Troubleshooting to analyze the routing table and verify redistributed routes.
• Check BGP RIB: Access the BGP tab under Network > Virtual Routers > More Runtime Stats to view the routes being advertised to peers.

The web interface provides a graphical representation of BGP sessions, routing tables, and redistribution profiles, facilitating easier analysis and troubleshooting.

References

• Route Redistribution - Palo Alto Networks
• Configure Route Redistribution - Palo Alto Networks
• BGP - Palo Alto Networks
• CLI Cheat Sheet: Networking - Palo Alto Networks
• Device > Troubleshooting - Palo Alto Networks