Palo Alto – BGP inbound route filtering

A recent post on the LIVECommunity asked how to filter host prefixes, i.e. those with a netmask of /32, from being placed in the routing table of a Palo Alto firewall. On a Cisco router this would be achieved with a prefix-list specifying the netmask length and a route-map applied inbound from a BGP peer. PAN-OS doesn’t have the same constructs available: it does have BGP import policies in which prefixes can be specified, but it is not possible to match on variable netmask lengths.

The solution to this problem is to have your BGP peer tag the advertised prefixes with BGP community strings, and then to match those communities with import policies on the Palo Alto firewall.

Palo Alto and IOS router topology

Our IOS BGP config looks like this:

!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.168.100.1 remote-as 65001
 !
 address-family ipv4
  network 100.0.0.1 mask 255.255.255.255
  network 192.168.101.0 mask 255.255.255.252
  neighbor 192.168.100.1 activate
  neighbor 192.168.100.1 send-community
  neighbor 192.168.100.1 route-map PA01 out
 exit-address-family
!
ip forward-protocol nd
!
ip bgp-community new-format
!
ip prefix-list FOO-OUT seq 10 permit 0.0.0.0/0 ge 32
!
route-map PA01 permit 10
 match ip address prefix-list FOO-OUT
 set community 65000:999
!
route-map PA01 permit 20
 set community 65000:1
!

Here we use a prefix-list to match any prefix with a netmask of /32. The route-map PA01 uses this prefix-list to set a community string of ‘65000:999’ on all matching prefixes; all other prefixes, which do not match, are given a community string of ‘65000:1’. This route-map is applied outbound towards our Palo Alto peer.

Sure enough, on the Palo Alto we can see our two prefixes being received and placed in the local RIB, each with a different community string:

admin@PA-VM> show routing protocol bgp loc-rib-detail

  
VIRTUAL ROUTER: WAN (id 2)
  ==========
  ----------
  Prefix:                        100.0.0.1/32 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:999 
  ----------
  Prefix:                        192.168.101.0/30 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:1 

Next we need to configure a BGP import policy that drops all prefixes carrying the community string ‘65000:999’ and accepts all others. This requires two distinct import rules:

set network virtual-router WAN protocol bgp policy import rules drop_65000_999 action deny 
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 match community regex 65000.999
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 match route-table unicast
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 used-by ISP
set network virtual-router WAN protocol bgp policy import rules drop_65000_999 enable yes
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update as-path none 
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update community none 
set network virtual-router WAN protocol bgp policy import rules everything_else action allow update extended-community none 
set network virtual-router WAN protocol bgp policy import rules everything_else match route-table unicast
set network virtual-router WAN protocol bgp policy import rules everything_else used-by ISP
set network virtual-router WAN protocol bgp policy import rules everything_else enable yes
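To make the two halves of the policy concrete, the following Python script (an added example, not configuration from this post or from Cisco or Palo Alto) simulates the IOS prefix-list and route-map tagging and then evaluates the PAN-OS import rules in order. It assumes each route carries a single community string and that PAN-OS applies the community regex with ordinary regex semantics, where `.` matches any single character and an unanchored pattern matches anywhere in the string; under that assumption the pattern `65000.999` from the rule above also matches a community such as 65000:9990, so the script includes an anchored variant (`STRICT_RULES`, an assumption, not something on the page) for comparison.

```python
import ipaddress
import re

# Constructed list of what the IOS router advertises, mirroring the two
# 'network' statements in the post.
ADVERTISED = ["100.0.0.1/32", "192.168.101.0/30"]


def prefix_list_foo_out(prefix: str) -> bool:
    """IOS 'ip prefix-list FOO-OUT seq 10 permit 0.0.0.0/0 ge 32':
    any prefix of length 32 or more, i.e. an IPv4 host route."""
    return ipaddress.ip_network(prefix, strict=False).prefixlen >= 32


def route_map_pa01(prefix: str) -> str:
    """route-map PA01: seq 10 tags FOO-OUT matches with 65000:999,
    seq 20 tags everything else with 65000:1."""
    return "65000:999" if prefix_list_foo_out(prefix) else "65000:1"


# PAN-OS import rules in evaluation order: (name, community regex or None
# when the rule has no community match, action). These are the two rules
# from the post.
IMPORT_RULES = [
    ("drop_65000_999", r"65000.999", "deny"),
    ("everything_else", None, "allow"),
]

# Same rules with the regex anchored and the '.' made a literal ':'
# (an assumed alternative for comparison, not from the post).
STRICT_RULES = [
    ("drop_65000_999", r"^65000:999$", "deny"),
    ("everything_else", None, "allow"),
]


def import_policy(community: str, rules=IMPORT_RULES) -> str:
    """Return the action of the first rule that matches the community.
    Assumption: the regex is applied with ordinary re.search semantics."""
    for _name, pattern, action in rules:
        if pattern is None or re.search(pattern, community):
            return action
    # Fall-through for the simulation only; never reached with the rule
    # sets above because 'everything_else' matches every route.
    return "allow"


def build_loc_rib(advertised=ADVERTISED, rules=IMPORT_RULES) -> dict:
    """Tag each advertised prefix as the router would, run the firewall's
    import rules, and return prefix -> community for what is accepted."""
    rib = {}
    for prefix in advertised:
        community = route_map_pa01(prefix)
        if import_policy(community, rules) == "allow":
            rib[prefix] = community
    return rib


if __name__ == "__main__":
    for prefix, community in build_loc_rib().items():
        print(f"{prefix:<20} {community}")
    # Side effect of the unanchored wildcard in '65000.999' versus the anchored form.
    for c in ("65000:999", "65000:9990", "65000:1"):
        print(c, import_policy(c), import_policy(c, STRICT_RULES))
```

With the post's rules the host route is tagged 65000:999 and denied, and only 192.168.101.0/30 reaches the local RIB; the comparison loop shows which other community values the unanchored pattern would sweep up.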

Once the configuration has been committed, check the BGP local-RIB to confirm that the host prefix is no longer present:

admin@PA-VM> show routing protocol bgp loc-rib-detail

  
VIRTUAL ROUTER: WAN (id 2)
  ==========
  ----------
  Prefix:                        192.168.101.0/30 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  Originator ID:                 0.0.0.0
  AS Path:                       65000
  Origin:                        IGP
  MED:                           0
  Local Preference:              100
  Atomic aggregate:              no
  Aggregator AS:                 0
  Aggregator ID:                 0.0.0.0
  Weight:                        0
  Flap:                          value 0.00, count 0
  Community:                     65000:1 
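A post-commit check of the kind this step calls for, written as an added Python example (not from this post or from Palo Alto): it parses `show routing protocol bgp loc-rib-detail` output into one record per route and reports any host prefix, or any prefix still carrying 65000:999, that survived the import policy. The two samples are constructed from the fields shown above (before and after the commit), trimmed to those the check reads; it treats /128 as a host route too, which goes beyond the IPv4-only case in the post.

```python
import ipaddress
import re

# Constructed sample in the format of 'show routing protocol bgp
# loc-rib-detail' as captured before the import policy was committed.
BEFORE_COMMIT = """\
VIRTUAL ROUTER: WAN (id 2)
  ==========
  ----------
  Prefix:                        100.0.0.1/32 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  AS Path:                       65000
  Community:                     65000:999 
  ----------
  Prefix:                        192.168.101.0/30 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  AS Path:                       65000
  Community:                     65000:1 
"""

# Constructed sample of the same command after the commit.
AFTER_COMMIT = """\
VIRTUAL ROUTER: WAN (id 2)
  ==========
  ----------
  Prefix:                        192.168.101.0/30 *
  Nexthop:                       192.168.100.2
  Received from:                 Peer ISP01 (id 1)
  AS Path:                       65000
  Community:                     65000:1 
"""

# 'Key:   value' lines; the key class excludes ':' so IPv6 values still split cleanly.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_loc_rib(text: str) -> list:
    """Split loc-rib-detail output into one dict per route entry.
    Entries are delimited by the '----------' separator lines."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "----------":
            if current:
                entries.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            if key == "Prefix":
                value = value.rstrip(" *")  # drop the best-path marker
            current[key] = value
    if current:
        entries.append(current)
    return entries


def leaked_prefixes(entries, blocked_community="65000:999") -> list:
    """Prefixes the import policy should have dropped but which are still
    in the local RIB: host routes, or routes tagged with the blocked community."""
    leaked = []
    for entry in entries:
        net = ipaddress.ip_network(entry["Prefix"], strict=False)
        communities = entry.get("Community", "").split()
        is_host_route = net.prefixlen == net.max_prefixlen  # /32 IPv4, /128 IPv6
        if is_host_route or blocked_community in communities:
            leaked.append(entry["Prefix"])
    return leaked


def policy_effective(text: str) -> bool:
    """True when nothing that should have been filtered is in the RIB."""
    return not leaked_prefixes(parse_loc_rib(text))


if __name__ == "__main__":
    for label, sample in (("before", BEFORE_COMMIT), ("after", AFTER_COMMIT)):
        print(label, "leaked:", leaked_prefixes(parse_loc_rib(sample)))
```

Feed the real command output to `policy_effective` after each commit; a non-empty result from `leaked_prefixes` names exactly which prefixes still need attention.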
