How to check BGP advertised or received prefixes in Palo Alto firewall
Created On 03/05/24 02:24 AM - Last Modified 01/29/26 03:07 AM
Objective
- To validate the BGP prefixes advertised or received by a Palo Alto firewall.
- This is helpful when troubleshooting BGP prefix advertisement issues.
Environment
- Next-Gen Firewalls
- Supported PAN-OS
- BGP
Procedure
The information can be explained using the network diagram below.
1. Log in to the PA firewall CLI and run the following command to verify the number of advertised/received prefixes.
show routing protocol bgp peer peer-name <value> virtual-router <value>
Example:
admin@PA-VM-50_1(active)> show routing protocol bgp peer peer-name pa-vm-100
==========
Peer: pa-vm-100 (id 2)
virtual router: default
Peer router id: 10.46.172.39
Remote AS: 6500
Peer group: pa-vm-100-group (id 2)
Peer status: Established, for 6 seconds
Password set: no
Passive: no
Multi-hop TTL: 1
Remote Address: 10.46.172.39:36694
Local Address: 10.46.172.37:179
(R) reflector client: not-client
same confederation: no
send aggr confed as-path: yes
peering type: Unspecified
Connect-Retry interval: 15
Open Delay: 0
Idle Hold: 15
Prefix limit: 5000
Holdtime: 90 (config 90)
Keep-Alive interval: 30 (config 30)
Update messages: in 4, out 4
Total messages: in 23, out 29
Last update age: 6
Last error:
Flap counts: 4, established 2 times
(R) ORF entries: 0
Nexthop set to self: no
use 3rd party as next-hop: yes
override nexthop to peer: no
----------
remove private AS number: yes
----------
Capability: Multiprotocol Extensions(1) value: IPv4 Unicast
Capability: Route Refresh(yes)
Capability: Graceful Restart(64) value: 007800010100
Capability: Route Refresh (Cisco)(yes)
----------
Prefix counter for: bgpAfiIpv4 / unicast
Incoming Prefix: Accepted 2, Rejected 0, Policy Rej 0, Total 2
Outgoing Prefix: 2
Advertised Prefix: 2
2. Then run the following command to see the received prefixes.
show routing protocol bgp loc-rib peer <value>
Example:
admin@PA-VM-50_1(active)> show routing protocol bgp loc-rib peer pa-vm-100
VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Weight LocPrf Org MED flap AS-Path
*10.10.100.0/24 10.46.172.39 pa-vm-100 0 100 i/c 0 0 6500
*10.46.172.0/22 10.46.172.39 pa-vm-100 0 100 i/c 0 0 6500
total routes shown: 2
From GUI: Network > Virtual Routers > (Select the VR) > More Runtime Stats
3. Then run the following command to see what is advertised to the peer.
show routing protocol bgp rib-out peer <value>
Example:
admin@PA-VM-50_1(active)> show routing protocol bgp rib-out peer pa-vm-100
VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Originator Adv Status Aggr Status AS-Path
10.10.10.1/32 10.46.172.37 pa-vm-100 0.0.0.0 advertised no aggregation 6600
192.168.100.0/24 10.46.172.37 pa-vm-100 0.0.0.0 advertised no aggregation 6600
total routes shown: 2
From GUI: Network > Virtual Routers > (Select the VR) > More Runtime Stats
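The three steps above can be turned into a repeatable check. The following is an added example, not Palo Alto Networks code: it parses saved text from the peer summary and the loc-rib (or rib-out) output, then reports prefixes that fall outside an expected set. The sample input is constructed from the output shown in this article, and the expected prefix set and function names are assumptions.

```python
import ipaddress
import re

# Constructed sample input: excerpts of the CLI output shown in this article.
PEER_SUMMARY = """\
Incoming Prefix: Accepted 2, Rejected 0, Policy Rej 0, Total 2
Outgoing Prefix: 2
Advertised Prefix: 2
"""
LOC_RIB = """\
VIRTUAL ROUTER: default (id 1)
==========
Prefix Nexthop Peer Weight LocPrf Org MED flap AS-Path
*10.10.100.0/24 10.46.172.39 pa-vm-100 0 100 i/c 0 0 6500
*10.46.172.0/22 10.46.172.39 pa-vm-100 0 100 i/c 0 0 6500
total routes shown: 2
"""

def parse_rib(text):
    """Return {prefix: nexthop} from loc-rib or rib-out table rows."""
    routes = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "/" not in fields[0]:
            continue
        try:
            net = ipaddress.ip_network(fields[0].lstrip("*"), strict=False)
            ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # header, separator or other non-route line
        routes[str(net)] = fields[1]
    return routes

def accepted_count(summary):
    """Read the 'Incoming Prefix: Accepted N' counter from the peer summary."""
    m = re.search(r"Incoming Prefix:\s+Accepted\s+(\d+)", summary)
    return int(m.group(1)) if m else None

def audit_received(summary, loc_rib, expected):
    """Compare received prefixes with an expected set and the peer counter."""
    seen = set(parse_rib(loc_rib))
    return {
        "unexpected": sorted(seen - expected),  # received but not planned
        "missing": sorted(expected - seen),     # planned but not received
        "count_matches": accepted_count(summary) == len(seen),
    }

if __name__ == "__main__":
    # The expected set is an assumed policy, not taken from the article.
    print(audit_received(PEER_SUMMARY, LOC_RIB, {"10.10.100.0/24", "10.20.0.0/16"}))
```

The same `parse_rib` function reads rib-out output, so the advertised side can be compared against the prefixes the firewall is meant to announce.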