Prisma Access - eBGP keep-alive timer is different than the configured value

Created On 05/03/23 01:43 AM - Last Modified 05/24/24 03:14 AM


Symptom


  • The eBGP keep-alive timer displays a different value than the configured value.
Example:
  • On the Firewall, BGP keep-alive and hold-time timers are configured as 30/90
  • On the BGP peer, the keep-alive and hold-time timers are configured as 4/20
  • The negotiated keep-alive and hold-time timers are 6/20
  Peer:                          GPCS-EBGP-Site-366365 (id 23)
  Peer router id:                10.252.193.5
  Remote AS:                     64611
  Peer status:                   Established, for 108378 seconds
  Remote Address:                169.254.1.198:179
  Local Address:                 169.254.1.199:43248
  Holdtime:                      20 (config 90) 
  Keep-Alive interval:           6 (config 30) 


Environment


  • Prisma Access or NGFW Firewalls
  • BGP


Cause


  • As per the RFC, the hold-time timer is negotiated to the lower of the values configured on the two peers.
  • Because the keep-alive timer is not exchanged during BGP peering negotiation, the Palo Alto firewall calculates the keep-alive timer as 1/3 of the negotiated hold-time, which is also in compliance with the RFC.
  • In the above example, the hold-time is negotiated as 20 because it is the lower value. The configured keep-alive timer (30 sec) is higher than 1/3 of 20 sec (6 sec), so the keep-alive timer is set to 6 sec.
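
The check below is an added example, not Palo Alto code: it parses the timer lines from the peer output in the Symptom section and verifies that the displayed keep-alive matches the rule described above. The function names, the integer rounding and the `below_defaults` flag are assumptions of this example.

```python
import re

# Constructed sample: the timer lines from the peer output in the Symptom section.
SAMPLE = """\
  Peer status:                   Established, for 108378 seconds
  Holdtime:                      20 (config 90)
  Keep-Alive interval:           6 (config 30)
"""

# Matches "<name>: <effective> (config <configured>)" as printed in that output.
TIMER_RE = re.compile(
    r"^\s*(Holdtime|Keep-Alive interval):\s+(\d+)\s+\(config\s+(\d+)\)", re.M)


def expected_timers(local_hold, local_keepalive, peer_hold):
    """Effective (hold, keepalive) under the rule described in the Cause section."""
    hold = min(local_hold, peer_hold)        # the lower OPEN hold time wins
    if hold == 0:                            # RFC 4271: hold time 0 means no keep-alives
        return 0, 0
    # Assumption: integer division, matching the article's 20 / 3 -> 6.
    return hold, min(local_keepalive, hold // 3)


def audit_peer(text):
    """Parse effective/configured timers and check them against the rule."""
    found = {m.group(1): (int(m.group(2)), int(m.group(3)))
             for m in TIMER_RE.finditer(text)}
    if len(found) != 2:
        raise ValueError("Holdtime / Keep-Alive interval lines not found")
    hold, hold_cfg = found["Holdtime"]
    ka, ka_cfg = found["Keep-Alive interval"]
    # An effective hold time below the local config is the value the peer sent.
    _, expected_ka = expected_timers(hold_cfg, ka_cfg, hold)
    return {
        "hold_lowered_by_peer": hold < hold_cfg,
        "expected_keepalive": expected_ka,
        "consistent": ka == expected_ka,
        # The article's Note warns about aggressive timers; flagging anything
        # below the 30/90 defaults is this example's own threshold.
        "below_defaults": hold < 90 or ka < 30,
    }


if __name__ == "__main__":
    print(audit_peer(SAMPLE))
```

A result with `consistent` false means the displayed keep-alive is not explained by hold-time negotiation and the session deserves a closer look.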


Resolution


  1. Configure a lower value for the keep-alive timer on the Palo Alto firewall.
  2. This way, the firewall will use the lower keep-alive timer.
Note:
  • Aggressive Keepalive/Hold timer settings can cause BGP flaps during network congestion or high CPU.
  • The default Keepalive/Hold timer setting on PA Firewalls is 30 sec and 90 sec.


Additional Information


This behavior (the OPEN message carries only the hold-time, not the keep-alive) is defined in the BGP RFC.
