How to filter BGP routes imported into the firewall routing table?
59263
Created On 10/01/19 03:23 AM - Last Modified 10/02/19 23:00
Objective
- Limit which BGP routes received from an upstream peer are installed in the local routing table.
- Note: A route denied by an import rule never enters the local routing table, so it is also not re-advertised to downstream peers. This gives you control over what a peer can push into, and through, the firewall: prefixes you have not agreed to accept, including more-specific routes that would pull traffic away from the intended path, are dropped at import.
In the example below, the local firewall is receiving 180.10.x.x and 190.10.x.x routes from its BGP neighbor. The import filter configured here stops every route inside 180.10.0.0/16 from being installed in the routing table while allowing the remaining routes to be installed.
Environment
- PAN-OS 7.1, 8.0, 8.1 and 9.0.
- Any Palo Alto Firewall.
- BGP configured.
Procedure
- From the WebGUI, select Network > Virtual Routers and open the virtual router that runs BGP. The example uses the virtual router named Default; substitute the name of your configured VR.
- Select BGP > Import and click Add to create the first import rule.
- In the General tab, enter a name. Under Used By, click Add and select the peer group containing the neighbor from which these routes are received. Make sure Enable is checked.
- Click the Match tab and, under Address Prefix, click Add and enter the prefix to be denied. In this example 180.10.0.0/16 denies all 180.10.x.x routes. Leave Exact unchecked so the rule matches the /24 routes inside the /16 as well as the /16 itself; with Exact checked, only a route for exactly 180.10.0.0/16 would be denied and the more-specific 180.10.x.x routes would still be installed.
- Click the Action tab, select Deny under Action, and click OK.
The above rule denies every route inside 180.10.0.0/16. An import rule only acts on the routes it matches, so create a second rule to permit the rest of the routes from this neighbor.
- Still in Network > Virtual Routers > Default > BGP > Import, click Add to create the second import rule.
- Enter a name. Under Used By, click Add and select the same peer group as in the first rule. Make sure Enable is checked.
- Click the Match tab and, under From Peer, Add the neighbor. This is the same neighbor whose remaining routes need to be permitted; leave Address Prefix empty so the rule matches every route received from that peer.
- Click the Action tab, select Allow under Action, and click OK.
- Confirm that the Deny rule is listed above the Allow rule. Import rules are evaluated top to bottom and the first matching rule is applied, so if the Allow rule came first it would accept the 180.10.x.x routes before the Deny rule was ever reached. Click OK again and Commit the configuration changes.
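The same two rules can be entered from the PAN-OS CLI in configuration mode. The snippet below is an added example and is not part of the original article; the rule names (Deny-180, Allow-Rest), the peer group (Upstream-PG) and the peer (ISP-A) are assumed, and the lines beginning with # are explanatory notes rather than commands. Confirm each set path with ? completion on your PAN-OS release before committing, as the hierarchy is reproduced from memory of the configuration tree rather than from this page.

```text
# Enter configuration mode.
configure

# Rule 1: deny everything inside 180.10.0.0/16 learned from the peer group.
# 'exact no' matches the /16 and every longer prefix under it (Exact unchecked in the GUI).
set network virtual-router default protocol bgp policy import rules Deny-180 enable yes
set network virtual-router default protocol bgp policy import rules Deny-180 used-by Upstream-PG
set network virtual-router default protocol bgp policy import rules Deny-180 match address-prefix 180.10.0.0/16 exact no
set network virtual-router default protocol bgp policy import rules Deny-180 action deny

# Rule 2: allow whatever else the same peer sends. No Address Prefix is set,
# so the rule matches every route from ISP-A that rule 1 did not already deny.
set network virtual-router default protocol bgp policy import rules Allow-Rest enable yes
set network virtual-router default protocol bgp policy import rules Allow-Rest used-by Upstream-PG
set network virtual-router default protocol bgp policy import rules Allow-Rest match from-peer ISP-A
set network virtual-router default protocol bgp policy import rules Allow-Rest action allow

# Rules are evaluated in the order they appear; created in this order, Deny-180
# is checked first. Review the rule list before committing.
show network virtual-router default protocol bgp policy import rules
commit

# Back in operational mode, verify the result: the first command should return
# nothing, the second should still list the 190.10.x.x routes.
exit
show routing route type bgp | match 180.
show routing route type bgp | match 190.
```

If the Allow rule was created before the Deny rule, reorder them (Move Up / Move Down in the GUI) before committing; otherwise the Allow rule matches the 180.10.x.x routes first and the Deny rule never fires.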
Additional Information
To verify, select Network > Virtual Routers > Default > More Runtime Stats > Route Table: no 180.10.x.x routes are listed, while the non-180.10.x.x routes are still present.
The CLI shows the same result. The first command below returns no output because no 180.10.x.x route was installed, while the second still lists the 190.10.x.x routes permitted by the second rule (flags A B mark an active route learned via BGP, here from next hop 10.10.20.2 on ethernet1/3).
admin123@Lab33-81-PA-3050> show routing route type bgp | match 180.
admin123@Lab33-81-PA-3050>
admin123@Lab33-81-PA-3050> show routing route type bgp | match 190.
190.10.10.0/24 10.10.20.2 A B 169 ethernet1/3 10000
190.10.20.0/24 10.10.20.2 A B 10 ethernet1/3 10000
190.10.30.0/24 10.10.20.2 A B 10 ethernet1/3 10000
190.10.40.0/24 10.10.20.2 A B 10 ethernet1/3 10000
190.10.50.0/24 10.10.20.2 A B 10 ethernet1/3 10000
190.10.60.0/24 10.10.20.2 A B 10 ethernet1/3 10000
190.10.70.0/24 10.10.20.2 A B 10 ethernet1/3 10000
190.10.80.0/24 10.10.20.2 A B 10 ethernet1/3 10000
190.10.90.0/24 10.10.20.2 A B 10 ethernet1/3 10000
190.10.100.0/24 10.10.20.2 A B 10 ethernet1/3 10000
Note: There are other ways to implement the same result. For example, if more routes are to be denied than permitted, a single import rule that permits only the wanted prefixes is enough: once an import rule exists for the peer, any route that matches no rule is not installed.