How to configure BGP peering between a 4-byte ASN device with a 2-byte ASN device

• Palo Alto Firewall
• PAN-OS 9.1
• BGP configured

1. Configure BGP on FW1 from Network > Virtual Router > [VR-name] > BGP

2. Configure FW1's BGP peering info from Network > Virtual Router > [VR-name] > BGP > Peer Group > Add.
   1. Take note of the snapshot below that since 2-byte ASN doesn't understand 4-byte ASN, use AS_TRANS 23456, which will serve as FW3 ASN from FW1's perspective. AS per RFC 4893. The AS number 23456 has been assigned by the IANA for AS_TRANS

3. Configure FW3's basic BGP setup. By default ASN format is set to 2-byte, you will need to switch to 4-byte in FW3's config from Network > Virtual Router > [VR-name] > BGP

4. Configure FW3's BGP peering info from Network > Virtual Router > [VR-name] > BGP > Peer Group > Add

5. The above four steps are the essential procedure in this guide. This step and the subsequent ones will be more of an optional part to show the route sharing. Since the idea of configuration is identical to both Firewalls, the guide will show one from FW1, and you can configure FW3 just like below. Network > Virtual Router > [VR-name] > Redistribution Profile > Add

6. (Optional) Attached the created Redistribution Profile from step 5 to BGP. Network > Virtual Router > [VR-name] > BGP > Redist Rules > Add

Verification:

1. FW1's BGP peering results:

2. FW1's learned routes from FW3, note that the AS_PATH announced by FW3 is not 4294967294, but instead is ASN 23456

3. FW3's ASN peering result:

4. FW3's learned routes from FW1

• The key is to configure AS 23456 as the peer AS on the Firewall with 2-byte ASN format.
• The router with 4 byte ASN understands this and will form a peer relationship.
• On The firewall with 4-byte ASN, peer relationship is formed with the regular AS number (65530 in this case)