Advanced Routing Engine - BGP: Firewall sending Network Layer Reachability Information beyond the capacity of its peer

Created On 09/23/24 02:17 AM - Last Modified 09/23/24 20:29 PM


Symptom


  • Unexpected BGP route reconvergence or frequent BGP route flapping.
  • BGP routes announced by the NGFW are not appearing in the peer's BGP Local RIB, despite no export filter restricting the routes.
  • In the ns*_frr_export.log, the NGFW generates the following log entry:
BGP: [HZN6M-XRM1G] %NOTIFICATION(Hard Reset): received from neighbor VM100-1 6/1 (Cease/Maximum Number of Prefixes Reached) 7 bytes 06 01 00 01 01 00 00
BGP: [PXVXG-TFNNT] %ADJCHANGE: neighbor neighbor VM100-1(192.168.1.1) in vrf default Down BGP Notification received
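As an added example (not part of this article or of PAN-OS), the following Python script scans ns*_frr_export.log text for the symptom above: received Cease/Maximum Number of Prefixes Reached (6/1) notifications and the matching ADJCHANGE Down events, and reports which neighbors keep tearing down the session because of their prefix limit. The sample log is constructed from the two entries quoted above plus an assumed "Up" line and a repeat to represent a flap.

```python
import re
from collections import Counter

# Constructed sample log: the two ns*_frr_export.log entries quoted in the
# symptom, plus a constructed "Up" line and a repeat to simulate a flap.
SAMPLE_LOG = """\
BGP: [HZN6M-XRM1G] %NOTIFICATION(Hard Reset): received from neighbor VM100-1 6/1 (Cease/Maximum Number of Prefixes Reached) 7 bytes 06 01 00 01 01 00 00
BGP: [PXVXG-TFNNT] %ADJCHANGE: neighbor neighbor VM100-1(192.168.1.1) in vrf default Down BGP Notification received
BGP: [PXVXG-TFNNT] %ADJCHANGE: neighbor VM100-1(192.168.1.1) in vrf default Up
BGP: [HZN6M-XRM1G] %NOTIFICATION(Hard Reset): received from neighbor VM100-1 6/1 (Cease/Maximum Number of Prefixes Reached) 7 bytes 06 01 00 01 01 00 00
BGP: [PXVXG-TFNNT] %ADJCHANGE: neighbor neighbor VM100-1(192.168.1.1) in vrf default Down BGP Notification received
"""

BGP_CEASE = 6          # NOTIFICATION error code: Cease (RFC 4271)
CEASE_MAX_PREFIX = 1   # Cease subcode: Maximum Number of Prefixes Reached (RFC 4486)

NOTIF_RE = re.compile(
    r"%NOTIFICATION(?:\([^)]*\))?: (received from|sent to) neighbor (\S+) (\d+)/(\d+)")
# FRR sometimes prints "neighbor neighbor"; (?:neighbor )+ tolerates that.
DOWN_RE = re.compile(
    r"%ADJCHANGE: (?:neighbor )+(\S+?)(?:\([^)]*\))? in vrf (\S+) Down")

def max_prefix_events(log_text):
    """Neighbors that sent us Cease/Max-prefix, i.e. they dropped the session
    because the NGFW advertised more NLRI than they are configured to accept."""
    hits = []
    for line in log_text.splitlines():
        m = NOTIF_RE.search(line)
        if not m:
            continue
        direction, neighbor, code, subcode = m.groups()
        if direction == "received from" and (int(code), int(subcode)) == (BGP_CEASE, CEASE_MAX_PREFIX):
            hits.append(neighbor)
    return hits

def down_transitions(log_text):
    """Count ADJCHANGE Down events per neighbor (the flap signal)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DOWN_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def triage(log_text, flap_threshold=2):
    """Per neighbor: number of max-prefix resets and Down events, and whether
    the pattern looks like flapping driven by the peer's prefix limit."""
    resets = Counter(max_prefix_events(log_text))
    downs = down_transitions(log_text)
    return {n: {"max_prefix_resets": resets[n], "down_events": downs[n],
                "flapping_on_prefix_limit": resets[n] >= flap_threshold}
            for n in sorted(set(resets) | set(downs))}

if __name__ == "__main__":
    for neighbor, info in triage(SAMPLE_LOG).items():
        print(neighbor, info)
```

A neighbor flagged here is the one whose import side or whose NGFW export side needs the summarization or filtering described in the Resolution section.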

 


Environment


  • Palo Alto Networks Next-Generation Firewalls (NGFW)
  • Supported PAN-OS
  • BGP


Cause


  • By default, each BGP peer advertises its entire routing table to the other.
  • The issue occurs when the NGFW sends more Network Layer Reachability Information (NLRI) than the peer is configured to accept, so the peer tears down the session with a Cease/Maximum Number of Prefixes Reached notification.
  • Note that a peer's maximum-prefix limit is not signalled to its BGP neighbor in any BGP message, so the NGFW cannot learn the limit from the session itself; it must be coordinated with the peer's administrator.


Resolution


  1. Aggregate and Advertise Routes via BGP: Use the Advanced Routing Engine - BGP: How to configure route summarization guide to summarize the routes from the NGFW.
  2. Configure BGP Export Filter on the NGFW: Follow the Advanced Routing Engine - BGP: How to configure outbound route filtering using Route-map with Prefix-list guide to set up an export filter on the NGFW.
  3. Configure BGP Import Filter on the Remote Peer: Set up a BGP import filter on the remote peer to control inbound routes.

