📘 PCNSE BGP Highlights
1. Autonomous System (AS) Configuration
- Local AS Number: Assign the AS number of the firewall's virtual router (logical router when the Advanced Routing engine is in use). Valid range: 1 to 4,294,967,295, so 4-byte AS numbers are supported.
- Peer AS Number: Specify the AS number of each BGP peer. The session only reaches Established if the configured peer AS matches the AS the peer announces in its OPEN message, and the value decides whether the peer group is treated as iBGP (same AS as the local AS) or eBGP (different AS).
- Enforce First AS: Enable this setting so that updates received from an eBGP peer are rejected unless the first AS in the AS_PATH attribute is the peer's own AS. This stops an eBGP neighbor from injecting paths that claim to have been relayed by some other AS, a basic defense against path spoofing and one form of route hijacking.
2. Route Redistribution
- Import Rules: Define rules that control which routes received from BGP peers are accepted into the firewall's BGP RIB and, from there, the routing table. Match on prefix, AS path, community, peer or other attributes and choose allow or deny; attributes such as local preference, MED or weight can be rewritten on accepted routes.
- Export Rules: Configure rules that control which routes the firewall advertises to BGP peers. Attributes such as MED, next hop, AS path prepending and communities can be set on export.
- Redistribution Profiles: Use these profiles to select which routes from other sources (e.g., OSPF, RIP, static, connected) are injected into BGP; the profile is then referenced from the BGP Redist Rules of the virtual router.
3. BGP Metrics and Path Selection
- Multi-Exit Discriminator (MED): An attribute advertised to a neighboring AS to signal which of several entry points into the advertising AS is preferred. Lower MED values are preferred, and MED is normally only compared between paths received from the same neighboring AS (unless Always Compare MED is enabled).
- Local Preference: An attribute carried within an AS (it is not sent to eBGP peers) that ranks exit points toward a destination. Higher values are preferred.
- AS Path Length: BGP prefers the path with the fewest AS numbers in its AS_PATH attribute.
- Route Selection Order: BGP selects routes in the following order: Highest Weight (Cisco-specific, although PAN-OS import rules can also set a weight), Highest Local Preference, locally originated routes, Shortest AS_PATH, Lowest Origin Type (IGP before EGP before Incomplete), Lowest MED, eBGP over iBGP, Lowest IGP metric to the BGP next hop, Oldest route, Lowest BGP router ID.
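The decision process above, implemented as a small Python model so the ordering can be checked against concrete paths. This is an added example, not PAN-OS code or anything from Palo Alto Networks; the BgpPath attributes, peer addresses and AS numbers are constructed. It also applies the rule that MED is only compared between paths received from the same neighboring AS (always-compare-MED off), which the list above does not spell out:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Origin codes rank IGP best, then EGP, then Incomplete.
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class BgpPath:
    """One candidate path to a prefix as it would sit in the BGP RIB (constructed fields)."""
    peer: str                        # neighbor address the path was learned from
    router_id: str                   # neighbor's BGP router ID
    as_path: Tuple[int, ...]         # as_path[0] is the AS that handed us the route
    weight: int = 0                  # Cisco-style weight; PAN-OS import rules can set one too
    local_pref: int = 100
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0              # IGP cost to reach the BGP next hop
    age_rank: int = 0                # 0 = oldest path (learned first)
    locally_originated: bool = False


def _ip_key(ip: str) -> Tuple[int, ...]:
    """Router IDs are compared numerically, octet by octet, not as strings."""
    return tuple(int(octet) for octet in ip.split("."))


def compare(a: BgpPath, b: BgpPath) -> Tuple[Optional[BgpPath], str]:
    """Return (preferred path, name of the step that decided), or (None, 'tie')."""
    if a.weight != b.weight:
        return (a if a.weight > b.weight else b), "weight"
    if a.local_pref != b.local_pref:
        return (a if a.local_pref > b.local_pref else b), "local_pref"
    if a.locally_originated != b.locally_originated:
        return (a if a.locally_originated else b), "locally_originated"
    if len(a.as_path) != len(b.as_path):
        return (a if len(a.as_path) < len(b.as_path) else b), "as_path_length"
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return (a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b), "origin"
    # MED is only meaningful between paths that came from the same neighboring AS.
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return (a if a.med < b.med else b), "med"
    if a.ebgp != b.ebgp:
        return (a if a.ebgp else b), "ebgp_over_ibgp"
    if a.igp_metric != b.igp_metric:
        return (a if a.igp_metric < b.igp_metric else b), "igp_metric"
    if a.age_rank != b.age_rank:
        return (a if a.age_rank < b.age_rank else b), "age"
    if a.router_id != b.router_id:
        return (a if _ip_key(a.router_id) < _ip_key(b.router_id) else b), "router_id"
    return None, "tie"


def best_path(paths: List[BgpPath]) -> Tuple[BgpPath, Dict[str, str]]:
    """Run the decision process over all candidates.

    Returns the winner plus, keyed by peer, the step at which each losing path
    was eliminated against the path that was best at that moment.
    """
    best = paths[0]
    eliminated: Dict[str, str] = {}
    for cand in paths[1:]:
        winner, step = compare(best, cand)
        if winner is cand:
            eliminated[best.peer] = step
            best = cand
        else:
            eliminated[cand.peer] = step
    return best, eliminated


# Constructed candidates for 203.0.113.0/24 (documentation prefix), local AS 64500.
P1 = BgpPath(peer="192.0.2.1", router_id="192.0.2.1", as_path=(64501, 64510))
P2 = BgpPath(peer="192.0.2.2", router_id="192.0.2.2", as_path=(64502,), med=50)
P3 = BgpPath(peer="10.0.0.3", router_id="10.0.0.3", as_path=(64502,), local_pref=200, ebgp=False)
P4 = BgpPath(peer="192.0.2.4", router_id="192.0.2.4", as_path=(64502,), med=20)
P5 = BgpPath(peer="192.0.2.5", router_id="192.0.2.5", as_path=(64503,), med=5, age_rank=1)
SAMPLE_PATHS = [P1, P2, P3, P4]

if __name__ == "__main__":
    winner, losers = best_path(SAMPLE_PATHS)
    print(f"best path via {winner.peer}; eliminated: {losers}")
```

P3 wins on local preference even though it is an iBGP path with the same AS_PATH length as the eBGP paths, because local preference is evaluated before the eBGP-over-iBGP step. Comparing P2 with P5 shows the MED caveat: the two paths come from different neighboring ASes, so MED is skipped and the decision falls through to route age.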
4. Route Reflectors
- Purpose: iBGP requires a full mesh of sessions because routes learned from one iBGP peer are not re-advertised to other iBGP peers. In large iBGP networks, route reflectors remove that requirement by allowing selected routers to re-advertise (reflect) routes learned from one iBGP client to the other clients.
- Configuration: On Palo Alto Networks firewalls, the Reflector Client setting (non-client, client or meshed-client) is configured per peer inside an iBGP Peer Group, and the Reflector Cluster ID is set in the virtual router's BGP settings.
5. Administrative Distances
- eBGP: 20
- iBGP: 200
- OSPF Internal: 30
- OSPF External: 110
- RIP: 120
- Static Routes: 10
- Connected Routes: 0
- These are the PAN-OS virtual router defaults (each protocol's distance is adjustable per virtual router in the range 10 to 240; note that the OSPF values differ from the Cisco default of 110 for all OSPF routes). When more than one protocol offers a route to the same destination, the route with the lowest administrative distance is installed in the routing table; this comparison happens before, and independently of, the BGP path selection above.
6. Caveats and Best Practices
- BFD Authentication: The Palo Alto Networks BFD implementation does not support BFD authentication. If BFD control packets could be spoofed on the link, run the BFD session over a VPN tunnel, which provides its own authentication and integrity protection.
- Graceful Restart: If you use BFD for BGP together with HA path monitoring, do not also enable BGP Graceful Restart: BFD withdraws the affected routes before the Graceful Restart mechanism can preserve them. If all three must be enabled, configure BFD with larger Desired Minimum Tx Interval and Detection Time Multiplier values so that BFD does not fire first.
- Route Filtering: Use import and export rules to control which routes are accepted from and advertised to each peer. This enforces the intended routing policy and prevents route leaks, such as re-advertising one transit provider's routes to another.
- Max Prefixes: Set a maximum number of prefixes that can be received from each BGP peer so that a misconfigured or malicious peer cannot flood the routing table.
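Enforce First AS (section 1) together with the route filtering and Max Prefixes controls above, modeled in Python as the checks applied to each received UPDATE. This is an added example, not PAN-OS code: the PeerPolicy fields, peer AS numbers and prefixes are constructed, and closing the session when the prefix limit is exceeded is an assumed behaviour for the example, not a statement of how PAN-OS reacts to that limit.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import Dict, List, Tuple, Union

Network = Union[IPv4Network, IPv6Network]


@dataclass(frozen=True)
class PeerPolicy:
    """Per-peer settings mirroring the controls discussed above (constructed names)."""
    peer_as: int
    ebgp: bool
    enforce_first_as: bool = True
    max_prefixes: int = 1000
    deny: Tuple[Network, ...] = ()    # import rules with action deny
    allow: Tuple[Network, ...] = ()   # if non-empty, only these (or more specifics) are accepted


@dataclass(frozen=True)
class Update:
    """One received NLRI with its AS_PATH (constructed)."""
    prefix: str
    as_path: Tuple[int, ...]


def _covered(net: Network, nets: Tuple[Network, ...]) -> bool:
    """True if net is equal to or more specific than any network in nets."""
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


class ImportPolicy:
    """Applies enforce-first-AS, prefix filtering and max-prefixes to one peer session."""

    def __init__(self, policy: PeerPolicy) -> None:
        self.policy = policy
        self.accepted: Dict[str, Tuple[int, ...]] = {}
        self.session_down = False

    def evaluate(self, upd: Update) -> str:
        p = self.policy
        if self.session_down:
            return "rejected: session closed after max-prefixes exceeded"
        # Enforce First AS: an eBGP neighbor must appear first in the AS_PATH.
        if p.ebgp and p.enforce_first_as:
            first = upd.as_path[0] if upd.as_path else None
            if first != p.peer_as:
                return f"rejected: first AS {first} is not peer AS {p.peer_as}"
        net = ip_network(upd.prefix, strict=False)
        if _covered(net, p.deny):
            return f"rejected: {upd.prefix} matches a deny import rule"
        if p.allow and not _covered(net, p.allow):
            return f"rejected: {upd.prefix} matches no allow import rule"
        # Max Prefixes counts distinct prefixes, so re-advertisements do not count twice.
        if upd.prefix not in self.accepted and len(self.accepted) >= p.max_prefixes:
            self.session_down = True   # assumed reaction for this example
            return f"rejected: max-prefixes {p.max_prefixes} exceeded, closing session"
        self.accepted[upd.prefix] = upd.as_path
        return "accepted"


def run_sample() -> List[Tuple[str, str]]:
    """Feed a constructed sequence of updates from eBGP peer AS 64502 through the policy."""
    policy = PeerPolicy(peer_as=64502, ebgp=True, max_prefixes=2,
                        deny=(ip_network("10.0.0.0/8"),))
    imp = ImportPolicy(policy)
    updates = [
        Update("203.0.113.0/24", (64502, 64510)),   # normal eBGP path
        Update("198.51.100.0/24", (64510, 64502)),  # peer AS not first: spoofed or leaked path
        Update("10.20.0.0/16", (64502,)),           # private space, denied by import rule
        Update("203.0.113.0/24", (64502,)),         # same prefix again: does not count twice
        Update("192.0.2.0/24", (64502,)),           # second distinct prefix, at the limit
        Update("192.0.2.128/25", (64502,)),         # third distinct prefix: over the limit
        Update("203.0.113.0/24", (64502,)),         # session is down now
    ]
    return [(u.prefix, imp.evaluate(u)) for u in updates]


if __name__ == "__main__":
    for prefix, verdict in run_sample():
        print(f"{prefix:18} {verdict}")
```

The first-AS check is deliberately skipped for iBGP peers: an iBGP neighbor relays paths whose AS_PATH starts with the external AS that originated them, so applying the check there would reject every legitimate route.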
7. Troubleshooting Commands
- View BGP Peer Status: show routing protocol bgp peer (the peer state should be Established; a peer stuck in Idle or Active is failing at the TCP or OPEN stage).
- View BGP Routes: show routing protocol bgp loc-rib shows the routes BGP has selected locally; show routing protocol bgp rib-out shows what is being advertised to peers after export rules are applied.
- View BGP Summary: show routing protocol bgp summary
- Enable BGP Packet Capture: debug routing pcap bgp on (disable it again with debug routing pcap bgp off once the capture has been collected).
- View System Logs for BGP: Navigate to Monitor > Logs > System in the GUI and filter for routing messages, for example with ( subtype eq routing ) or by searching for BGP.
- Runtime Statistics: In the GUI, go to Network > Virtual Routers, select the virtual router, click More Runtime Stats and open the BGP tab to view peer, peer group and RIB statistics.
- Monitor BGP Logs: tail follow yes mp-log routed.log monitors the routing daemon log in real time; look for peer state transitions and rejected updates.
- Check Routing Table: show routing route displays the current routing table; show routing route type bgp restricts the output to BGP-learned routes, which confirms whether the BGP routes were actually installed.
- Verify BGP Configuration: show config running | match bgp shows the BGP-related lines of the running configuration; compare local AS, peer AS and peer addresses with the peer's side of the session.
- Test BGP Connectivity: Use ping source <local-interface-ip> host <peer-ip> to confirm reachability from the interface the session is sourced from. The PAN-OS CLI has no telnet client, so a check of TCP port 179 has to be run from a host that can reach the peer, or inferred from the peer state above; also confirm that nothing between the two peers filters TCP port 179.