Palo Alto firewall BGP Configuration Example


A simple, basic process for configuring the BGP protocol on a Palo Alto VM 8.0 firewall.

Configuring the BGP routing protocol on a Palo Alto firewall is done step by step. I have designed a network with two Palo Alto firewalls, each acting as an edge device. Between the two firewalls there is a WAN network that routes all the BGP traffic from site to site. The WAN network has already been set up with BGP using Cisco routers. I will show you the BGP configuration of the two routers connecting to the firewalls. OSPF is configured on the WAN, and BGP runs on top of it.

CiscoIOSv-3 router BGP configuration:

CiscoIOSv-3 router BGP Routing table Info:

CiscoIOSv-7 router BGP configuration:

CiscoIOSv-7 router BGP Routing table Info:

Step-1: Select Virtual Router on the left navigation panel.

Step-2: Select the default router from the list. You can choose any other virtual router instead, depending on how your firewall is configured.

Step-3: Select General Tab.

Fill in the Router ID and AS Number fields, uncheck Reject Default Route (this allows default routes to be accepted into the BGP table) and tick the Enable radio button.

Step-4: Select Peer Group Tab.

  • Select the Peer Group tab and click Add to create a new BGP peer group.
  • Enter the peer group name and click the Add button at the bottom to add a peer to the group. You can add multiple peers to a single group, or you can create a separate group for each peer. Peer groups help with assigning security policies.
  • Enter the name of the peer and the peer AS number. Under the Addressing tab, select the interface the BGP peer connects to and the IP address of that interface. Under Peer Address, type the peer IP without a subnet mask, then click OK.
  • There should now be a list of configured peers in the peer group. Verify that everything is correct and click OK.
  • Under the Peer Group tab in the BGP section, the peer group info is now listed. Verify that it is correct.

Step-5: Select Redist Rules Tab.

  • Make sure the “Allow Redistribute Default Route” radio button is enabled if you want to redistribute default routes into BGP, then select the Add button.
  • In the Redistribute Rules tab, select the IP type (v4/v6), select a name from the dropdown field and click OK. The dropdown lists the redistribution profiles created under the Redistribution Profiles section.
  • After the redistribution profile is added, its details are displayed. Verify them.
  • Verify all the configuration details again (General, Peer Group) and click OK.

FYI: For reference on Redistribution profile 123.

Step-6: Commit configuration.

Step-7: Validation

  • Select the Network tab, then select Virtual Router; the BGP routing details should appear.
  • Click “More Run time states” and select BGP in the popup window. It should provide all the details about BGP; the summary looks like the one below.
  • Select “Peer” and the details of the established peer will be shown.
  • Select “Local RIB” (RIB stands for routing information base) and it should give the complete list of routes that were learned from BGP and can be routed.
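The settings from Step-3 to Step-5 can also be checked offline against an exported configuration. The following is an added example, not part of the original walkthrough: the element names are assumed to follow the PAN-OS config XML layout, and the sample `<bgp>` fragment, peer names, AS numbers and addresses are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the page. Element names are assumed to
# follow the PAN-OS config XML layout; confirm them against your own export.
SAMPLE = """<bgp>
  <enable>yes</enable>
  <router-id>192.0.2.1</router-id>
  <local-as>64512</local-as>
  <reject-default-route>no</reject-default-route>
  <allow-redist-default-route>yes</allow-redist-default-route>
  <peer-group><entry name="WAN-PEERS"><peer>
    <entry name="wan-rtr-a"><peer-as>64513</peer-as>
      <local-address><interface>ethernet1/1</interface><ip>198.51.100.1/30</ip></local-address>
      <peer-address><ip>198.51.100.2</ip></peer-address>
    </entry>
    <entry name="wan-rtr-b"><peer-as>64513</peer-as>
      <peer-address><ip>198.51.100.6/30</ip></peer-address>
    </entry>
  </peer></entry></peer-group>
</bgp>"""

def text(node, path):
    return (node.findtext(path) or "").strip()

def audit_bgp(xml_text):
    """Return findings for the settings made in Step-3 to Step-5."""
    bgp = ET.fromstring(xml_text)
    findings = []
    if text(bgp, "enable") != "yes":
        findings.append("BGP is not enabled")
    for field in ("router-id", "local-as"):
        if not text(bgp, field):
            findings.append(f"{field} is empty")
    if text(bgp, "reject-default-route") == "no":
        findings.append("default routes from peers are accepted")
    if text(bgp, "allow-redist-default-route") == "yes":
        findings.append("default route can be redistributed into BGP")
    for peer in bgp.findall("peer-group/entry/peer/entry"):
        name = peer.get("name")
        if not text(peer, "local-address/interface"):
            findings.append(f"{name}: no local interface selected")
        try:  # Step-4 asks for the peer IP without a subnet mask
            ipaddress.ip_address(text(peer, "peer-address/ip"))
        except ValueError:
            findings.append(f"{name}: peer address is not a bare host IP")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_bgp(SAMPLE)))
```

The two default-route findings are informational: they confirm that the choices made in Step-3 and Step-5 are the ones actually in the configuration, so they can be compared with what the network design intends.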

Above is the basic configuration needed to get BGP up and running. The simulation was created in GNS3 and all appliances are virtual machines, but this example configuration also applies to any PA hardware appliance that has layer 3 routing capability. A lot more can be configured to enhance and route traffic based on your network design requirements. The validation step is the most helpful one when troubleshooting BGP. All the NextGen PA firewalls support BGP.

Thank You!