Created On 08/05/19 19:56 PM - Last Updated 08/05/19 20:11 PM
The Palo Alto Networks firewall does not advertise an aggregated route to its peer when it receives a prefix falling within the aggregated route range from the same peer.
The Palo Alto Networks firewall has routes for 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24 in its local RIB. It has been configured with an export policy that aggregates these routes into 10.0.0.0/16 and advertises that /16 route to its peer, as shown below.
The peer has a route for 10.0.1.0/24 in its local RIB that it wants to advertise to the Palo Alto Networks firewall. The peer does not learn the aggregated 10.0.0.0/16 from the firewall; instead it learns the more specific routes 10.0.2.0/24, 10.0.3.0/24 and 10.0.4.0/24.
If the Palo Alto Networks firewall learns from a peer a prefix that falls within the aggregated route it advertises to that same peer, the firewall advertises the more specific routes under the aggregated route to that peer rather than the aggregate itself.
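To make this behaviour easy to check against what a peer actually receives, the following is an added Python model of the rule described above (example code, not PAN-OS code or a PAN-OS API). It assumes, as the article implies, that the export policy suppresses the more-specific routes whenever the aggregate itself is advertised, and that routes learned from the peer are never advertised back to it.

```python
"""Model of the aggregate-advertisement rule described in the article.

Constructed example: given the firewall's local routes, the aggregate its
export policy is configured to send, and the prefixes the peer has sent,
compute the prefixes the peer should expect to receive from the firewall.
"""
from ipaddress import ip_network


def peer_prefixes_inside(aggregate, learned_from_peer):
    """Peer-learned prefixes that fall within the aggregate range.

    A non-empty result is the condition under which the firewall stops
    advertising the aggregate to that peer.
    """
    agg = ip_network(aggregate)
    return [
        str(p)
        for p in map(ip_network, learned_from_peer)
        if p.version == agg.version and p.subnet_of(agg)
    ]


def expected_advertisements(local_routes, aggregate, learned_from_peer):
    """Prefixes the firewall advertises to the peer, as a sorted list of strings.

    Assumption (not stated explicitly by the article): when the aggregate is
    advertised, the more-specific routes under it are suppressed; local routes
    outside the aggregate range are advertised unchanged either way.
    """
    agg = ip_network(aggregate)
    local = [ip_network(r) for r in local_routes]

    specifics = [r for r in local if r.version == agg.version and r.subnet_of(agg)]
    others = [r for r in local if r not in specifics]

    if peer_prefixes_inside(aggregate, learned_from_peer):
        # Peer sent a prefix inside the aggregate: send the specifics instead.
        advertised = specifics
    else:
        advertised = [agg]

    # Sort as network objects (numeric order), then render as strings.
    return [str(r) for r in sorted(advertised + others)]


if __name__ == "__main__":
    local = ["10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]
    print(expected_advertisements(local, "10.0.0.0/16", []))
    print(expected_advertisements(local, "10.0.0.0/16", ["10.0.1.0/24"]))
```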