How to Configure eBGP with AS Path Prepend for Specific Prefixes

Created On 09/04/23 20:03 PM - Last Modified 05/30/25 20:48 PM


Objective


  • This document describes how to configure eBGP with the AS path prepend attribute for specific prefixes on a Palo Alto Networks Firewall.
  • Manipulating the AS path attribute makes the Firewall advertise the prefix at hand with an extended AS path list.
  • This configuration is commonly used to make a route less preferable for the BGP peer.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • BGP

 



Procedure


Network Diagram

 

In this example, the Palo Alto Networks Firewall advertises two prefixes to the BGP peer: 192.168.13.0/24 and 192.168.14.0/24. The AS path attribute is manipulated for the 192.168.14.0/24 prefix only, so this route will be less preferable for the BGP peer.


Configurations

 

STEP 1. Open the Firewall web interface and navigate to Network > Virtual Routers. Either edit or add the Virtual Router instance where BGP will be configured.
 


STEP 2. In the Virtual Router window, navigate to the BGP tab and tick the Enable checkbox. Define the IP address to be used as Router ID and the AS Number for the Firewall. Tick the Install Route option so the Firewall can install BGP routes in its global routing table.


STEP 3. Navigate to the Peer Group tab and select Add. In the Virtual Router - BGP - Peer Group/Peer window, define a name and select EBGP in the Type drop-down menu.


Select Add to add information for the BGP peer. In the Virtual Router - BGP - Peer Group - Peer window, define the Name for the peer and specify the Peer AS number. Select the local Interface and IP address to be used by Firewall A in the BGP neighbor relationship and define the peer IP.


STEP 4. Navigate to the Redist Rules tab and select Add. In the Virtual Router - BGP - Redistribute Rules - Rule window, either create or select the redistribution profile. In this example, the Connected profile is used to advertise 192.168.13.0/24 and 192.168.14.0/24.


STEP 5. To modify the AS path attribute, navigate to the Export tab and select Add. Define a name for the export rule and select Add to specify the BGP peer group configured in STEP 3.


Navigate to the Match tab and define the AS Path Regular Expression used to filter the AS paths. In this case ^$ is used to match all the routes originated by the AS at hand. Select Add in the Address Prefix section to specify the subnet for which the AS path attribute must be manipulated. In this case the AS path prepend must be applied only to the 192.168.14.0/24 subnet.


Navigate to the Action tab and specify Allow in the Action drop-down menu. Specify Prepend in the Type drop-down under the AS Path section and define the number of times the attribute should be prepended. Select OK.


By default, an implicit deny rule will be triggered once the export rule above has been configured. A second export rule is therefore needed to export the rest of the prefixes defined in the redistribution profile configured in STEP 4. Navigate to the Export tab and select Add, define a name for the export rule and select Add to specify the BGP peer group configured in STEP 3.


For the Match tab, keep ^$ as the AS Path Regular Expression and do not specify any prefixes, so the rule will apply to all the prefixes in the redistribution profile.


For the Action tab, specify Allow in the Action drop-down menu. Select OK, so a second rule can be added to the export rules. Commit the changes to the Firewall.
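The effect of the two export rules in STEP 5 can be checked with a small model before committing. This is an added example, not Palo Alto Networks code: the AS numbers, rule names, prepend count and the 10.99.0.0/16 route are constructed, and it assumes rules are evaluated top-down with the first match winning and that the prepend count is added on top of the single local AS every eBGP advertisement carries.

```python
import re
from ipaddress import ip_network

LOCAL_AS = 65001  # constructed private AS number; the article's AS is not in the text

# (prefix, AS path before export). An empty path means originated locally.
ROUTES = [
    ("192.168.13.0/24", []),
    ("192.168.14.0/24", []),
    ("10.99.0.0/16", [65010]),  # constructed route learned from another AS
]

# The two export rules from STEP 5. Names and the prepend count are constructed.
PREPEND_RULE = {"name": "prepend-14", "as_path_regex": "^$",
                "prefixes": ["192.168.14.0/24"], "action": "allow", "prepend": 3}
ALLOW_REST = {"name": "allow-rest", "as_path_regex": "^$",
              "prefixes": [], "action": "allow", "prepend": 0}


def export(routes, rules, local_as=LOCAL_AS):
    """Return {prefix: AS path advertised to the eBGP peer}."""
    rib_out = {}
    for prefix, as_path in routes:
        path_text = " ".join(str(asn) for asn in as_path)
        for rule in rules:  # assumption: top-down, first match wins
            path_ok = re.search(rule["as_path_regex"], path_text) is not None
            prefix_ok = not rule["prefixes"] or any(
                ip_network(prefix).subnet_of(ip_network(p)) for p in rule["prefixes"])
            if not (path_ok and prefix_ok):
                continue
            if rule["action"] == "allow":
                # assumption: N prepends are added on top of the single local
                # AS that every eBGP advertisement carries
                rib_out[prefix] = [local_as] * (1 + rule["prepend"]) + as_path
            break
        # falling through without a match is the implicit deny: not advertised
    return rib_out


if __name__ == "__main__":
    for label, rules in [("rule 1 only", [PREPEND_RULE]),
                         ("both rules", [PREPEND_RULE, ALLOW_REST]),
                         ("wrong order", [ALLOW_REST, PREPEND_RULE])]:
        print(label, export(ROUTES, rules))
```

With only the first rule, 192.168.13.0/24 drops out of the advertisement; with the catch-all rule placed first, the prepend never takes effect. In every case the ^$ match keeps the learned route from being re-advertised.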


Verify

 

After the push has been completed, navigate to Network > Virtual Routers and select More Runtime Stats. In the Virtual Router window, navigate to BGP > Peer. The BGP peer must be Established.


To confirm the AS path prepend has been applied, navigate to the RIB Out tab. An extended AS path list should appear for the intended network only.


owner: dperezvertti



Additional Information


Using Regex to Prepend AS Numbers to the BGP AS_PATH Attribute

 


