Networking

Palo Alto Networks

PAN-OS® Administrator’s Guide

Version 6.0

Copyright © 2007-2015 Palo Alto Networks

Contact Information

Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-us

About this Guide

This guide provides the concepts and solutions to help you get the most out of your Palo Alto Networks
next-generation firewalls. For additional information, refer to the following resources:

 For start-to-finish instruction on how to set up a new firewall, refer to the Palo Alto Networks Getting Started
Guide.

 For information on the additional capabilities and for instructions on configuring the features on the firewall, refer
to https://www.paloaltonetworks.com/documentation.

 For access to the knowledge base, discussion forums, and videos, refer to https://live.paloaltonetworks.com.

 For contacting support, for information on the support programs, or to manage your account or devices, refer to
https://support.paloaltonetworks.com.

 For the latest release notes, go to the software downloads page at

https://support.paloaltonetworks.com/Updates/SoftwareUpdates.
To provide feedback on the documentation, please write to us at: [email protected].

Palo Alto Networks, Inc.

www.paloaltonetworks.com
© 2007–2015 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.

Revision Date: August 21, 2015

2 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

 Networking
All Palo Alto Networks next-generation firewalls provide a flexible networking architecture that includes
support for dynamic routing, switching, and VPN connectivity, enabling you to deploy the firewall into nearly
any networking environment. When configuring the Ethernet ports on your firewall, you can choose from
virtual wire, Layer 2, or Layer 3 interface deployments. In addition, to allow you to integrate into a variety of
network segments, you can configure different types of interfaces on different ports. The following sections
provide basic information on each type of deployment. For more detailed deployment information, refer to
Designing Networks with Palo Alto Networks Firewalls and for information on route distribution, refer to
Understanding Route Redistribution and Filtering.
The following topics describe how to integrate Palo Alto Networks next-generation firewalls into your network.
 Interface Deployments
 Configure a Virtual Router
 Configure Static Routes
 Configure RIP
 Configure OSPF
 Configure BGP

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 491

Copyright © 2007-2015 Palo Alto Networks

Interface Deployments Networking

Interface Deployments
 Virtual Wire Deployments
 Layer 2 Deployments
 Layer 3 Deployments
 Tap Mode Deployments

Virtual Wire Deployments

In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports
together and should be used only when no switching or routing is needed.
A virtual wire deployment allows the following conveniences:
 Simplifies installation and configuration.

 Does not require any configuration changes to surrounding or adjacent network devices.
The “default-vwire” that is shipped as the factory default configuration, binds together Ethernet ports 1 and 2
and allows all untagged traffic. You can, however, use a virtual wire to connect any two ports and configure it
to block or allow traffic based on the virtual LAN (VLAN) tags; the VLAN tag “0” indicates untagged traffic.
You can also create multiple subinterfaces, add them into different zones and then classify traffic according to
a VLAN tag, or a combination of a VLAN tag with IP classifiers (address, range, or subnet) to apply granular
policy control for specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

Figure: Virtual Wire Deployment

Virtual Wire Subinterfaces

Virtual wire subinterfaces provide flexibility in enforcing distinct policies when you need to manage traffic from
multiple customer networks. It allows you to separate and classify traffic into different zones (the zones can
belong to separate virtual systems, if required) using the following criteria:

 VLAN tags —The example in Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only),
shows an Internet Service Provider (ISP) using virtual wire subinterfaces with VLAN tags to separate traffic
for two different customers.

492 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Interface Deployments

 VLAN tags in conjunction with IP classifiers (address, range, or subnet)— The following example
shows an Internet Service Provider (ISP) with two separate virtual systems on a firewall that manages traffic
from two different customers. On each virtual system, the example illustrates how virtual wire subinterfaces
with VLAN tags and IP classifiers are used to classify traffic into separate zones and apply relevant policy
for customers from each network.

Virtual Wire Subinterface Workflow

Step 1 Configure two Ethernet interfaces as type virtual wire, and assign these interfaces to a virtual wire.

Step 2 Create subinterfaces on the parent Virtual Wire to separate CustomerA and CustomerB traffic. Make sure that
the VLAN tags defined on each pair of subinterfaces that are configured as virtual wire(s) are identical. This is
essential because a virtual wire does not switch VLAN tags.

Step 3 Create new subinterfaces and define IP classifiers. This task is optional and only required if you wish to add
additional subinterfaces with IP classifiers for further managing traffic from a customer based on the
combination of VLAN tags and a specific source IP address, range or subnet.
You can also use IP classifiers for managing untagged traffic. To do so, you must create a sub-interface with the
vlan tag “0”, and define sub-interface(s) with IP classifiers for managing untagged traffic using IP classifiers

IP classification may only be used on the subinterfaces associated with one side of the virtual
wire. The subinterfaces defined on the corresponding side of the virtual wire must use the same
VLAN tag, but must not include an IP classifier.

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only)

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags only) depicts CustomerA and CustomerB
connected to the firewall through one physical interface, ethernet1/1, configured as a Virtual Wire; it is the
ingress interface. A second physical interface, ethernet1/2, is also part of the Virtual Wire; it is the egress
interface that provides access to the Internet. For CustomerA, you also have subinterfaces ethernet1/1.1
(ingress) and ethernet1/2.1 (egress). For CustomerB, you have the subinterface ethernet1/1.2 (ingress) and
ethernet1/2.2 (egress). When configuring the subinterfaces, you must assign the appropriate VLAN tag and
zone in order to apply policies for each customer. In this example, the policies for CustomerA are created
between Zone1 and Zone2, and policies for CustomerB are created between Zone3 and Zone4.
When traffic enters the firewall from CustomerA or CustomerB, the VLAN tag on the incoming packet is first
matched against the VLAN tag defined on the ingress subinterfaces. In this example, a single subinterface
matches the VLAN tag on the incoming packet, hence that subinterface is selected. The policies defined for the
zone are evaluated and applied before the packet exits from the corresponding subinterface.

The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface.
Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface
(Network > Virtual Wires) are not included on a subinterface.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 493

Copyright © 2007-2015 Palo Alto Networks

Interface Deployments Networking

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers) depicts CustomerA and
CustomerB connected to one physical firewall that has two virtual systems (vsys), in addition to the default
virtual system (vsys1). Each virtual system is an independent virtual firewall that is managed separately for each
customer. Each vsys has attached interfaces/subinterfaces and security zones that are managed independently.

Figure: Virtual Wire Deployment with Subinterfaces (VLAN Tags and IP Classifiers)

Vsys1 is set up to use the physical interfaces ethernet1/1 and ethernet1/2 as a virtual wire; ethernet1/1 is the
ingress interface and ethernet1/2 is the egress interface that provides access to the Internet. This virtual wire is
configured to accept all tagged and untagged traffic with the exception of VLAN tags 100 and 200 that are
assigned to the subinterfaces.
CustomerA is managed on vsys2 and CustomerB is managed on vsys3. On vsys2 and vsys3, the following vwire
subinterfaces are created with the appropriate VLAN tags and zones to enforce policy measures.

Customer Vsys Vwire Zone VLAN Tag IP Classifier

Subinterfaces

A 2 e1/1.1 (ingress) Zone3 100 None

e1/2.1 (egress) Zone4 100

2 e1/1.2 (ingress) Zone5 100 IP subnet

e1/2.2 (egress) Zone6 100 192.1.0.0/16

2 e1/1.3 (ingress) Zone7 100 IP subnet

e1/2.3 (egress) Zone8 100 192.2.0.0/16
B 3 e1/1.4 (ingress) Zone9 200 None
e1/2.4 (egress) Zone10 200

494 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Interface Deployments

When traffic enters the firewall from CustomerA or CustomerB, the VLAN tag on the incoming packet is first
matched against the VLAN tag defined on the ingress subinterfaces. In this case, for CustomerA, there are
multiple subinterfaces that use the same VLAN tag. Hence, the firewall first narrows the classification to a
subinterface based on the source IP address in the packet. The policies defined for the zone are evaluated and
applied before the packet exits from the corresponding subinterface.
For return-path traffic, the firewall compares the destination IP address as defined in the IP classifier on the
customer-facing subinterface and selects the appropriate virtual wire to route traffic through the accurate
subinterface.

The same VLAN tag must not be defined on the parent virtual wire interface and the subinterface.
Verify that the VLAN tags defined on the Tag Allowed list of the parent virtual wire interface
(Network > Virtual Wires) are not included on a subinterface.

Layer 2 Deployments

In a Layer 2 deployment, the firewall provides switching between two or more networks. Each group of
interfaces must be assigned to a VLAN object in order for the firewall to switch between them. The firewall will
perform VLAN tag switching when layer 2 subinterfaces are attached to a common VLAN object. Choose this
option when switching is required.

Figure: Layer 2 Deployment

Layer 3 Deployments

In a Layer 3 deployment, the firewall routes traffic between multiple ports. An IP address must be assigned to
each interface and a virtual router must be defined to route the traffic. Choose this option when routing is
required.

Figure: Layer 3 Deployment

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 495

Copyright © 2007-2015 Palo Alto Networks

Interface Deployments Networking

In addition, because the firewall must route traffic in a Layer 3 deployment, you must configure a virtual router.
See Configure a Virtual Router.

Point-to-Point Protocol over Ethernet Support

You can configure the firewall to be a Point-to-Point Protocol over Ethernet (PPPoE) termination point to
support connectivity in a Digital Subscriber Line (DSL) environment where there is a DSL modem but no other
PPPoE device to terminate the connection.
You can choose the PPPoE option and configure the associated settings when an interface is defined as a Layer
3 interface.

PPPoE is not supported in HA active/active mode.

DHCP Client

You can configure the firewall interface to act as a DHCP client and receive a dynamically assigned IP address.
The firewall also provides the capability to propagate settings received by the DHCP client interface into a
DHCP server operating on the firewall. This is most commonly used to propagate DNS server settings from
an Internet service provider to client machines operating on the network protected by the firewall.

DHCP client is not supported in HA active/active mode.

Tap Mode Deployments

A network tap is a device that provides a way to access data flowing across a computer network. Tap mode
deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror
port.
The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an
interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN
port provides the firewall with the mirrored traffic. This provides application visibility within the network
without being in the flow of network traffic.

When deployed in tap mode, the firewall is not able to take action, such as blocking traffic or
applying QoS traffic control.

496 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure a Virtual Router

Configure a Virtual Router

The firewall uses virtual routers to obtain routes to other subnets by manually defining a route (static routes) or
through participation in Layer 3 routing protocols (dynamic routes). The best routes obtained through these
methods are used to populate the firewall’s IP route table. When a packet is destined for a different subnet, the
Virtual Router obtains the best route from this IP route table and forwards the packet to the next hop router
defined in the table.
The Ethernet interfaces and VLAN interfaces defined on the firewall receive and forward the Layer 3 traffic.
The destination zone is derived from the outgoing interface based on the forwarding criteria, and policy rules
are consulted to identify the security policies to be applied. In addition to routing to other network devices,
virtual routers can route to other virtual routers within the same firewall if a next hop is specified to point to
another virtual router.
You can configure the virtual router to participate with dynamic routing protocols (BGP, OSPF, or RIP) as well
as adding static routes. You can also create multiple virtual routers, each maintaining a separate set of routes that
are not shared between virtual routers, enabling you to configure different routing behaviors for different
interfaces.
Each Layer 3 interface, loopback interface, and VLAN interface defined on the firewall must be associated with
a virtual router. While each interface can belong to only one virtual router, multiple routing protocols and static
routes can be configured for a virtual router. Regardless of the static routes and dynamic routing protocols
configured for a virtual router, a common general configuration is required. The firewall uses Ethernet
switching to reach other devices on the same IP subnet.
The following Layer 3 routing protocols are supported from Virtual Routers:

 RIP

 OSPF

 OSPFv3

 BGP

Define a Virtual Router General Configuration

Step 1 Gather the required information from • Interfaces that you want to route
your network administrator. • Administrative distances for Static, OSFP internal, OSPF external,
IBGP, EBGP and RIP

Step 2 Create the virtual router and name it. 1. Select Network > Virtual Routers>.
2. Click Add and enter a name for the virtual router.
3. Select interfaces to apply to the virtual router.
4. Click OK.

Step 3 Select interfaces to apply to the virtual 1. Click Add in the Interfaces box.
router. 2. Select an already defined interface from the drop-down.
3. Repeat Step 2 for all interfaces that you want to add to the
virtual router.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 497

Copyright © 2007-2015 Palo Alto Networks

Configure a Virtual Router Networking

Define a Virtual Router General Configuration (Continued)

Step 4 Set Administrative Distances for static 1. Set Administrative Distances as required.
and dynamic routing. • Static — Range: 10-240, Default: 10
• OSPF Internal — Range: 10-240, Default: 30
• OSPF External — Range: 10-240, Default: 110
• IBGP —Range: 10-240, Default: 200
• EBGP —Range: 10-240, Default: 20
• RIP —Range: 10-240, Default: 120
Step 5 Save virtual router general settings. Click OK to save your settings.

Step 6 Commit your changes. Click Commit. The device may take up to 90 seconds to save your
changes.

498 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure Static Routes

Configure Static Routes

The following procedure shows how to integrate the firewall into the network using static routing.

Set Up Interfaces and Zones

Step 1 Configure a default route to your 1. Select Network > Virtual Router and then select the default
Internet router. link to open the Virtual Router dialog.
2. Select the Static Routes tab and click Add. Enter a Name for the
route and enter the route in the Destination field (for example,
0.0.0.0/0).
3. Select the IP Address radio button in the Next Hop field and
then enter the IP address and netmask for your Internet gateway
(for example, 208.80.56.1).
4. Click OK twice to save the virtual router configuration.

Step 2 Configure the external interface (the 1. Select Network > Interfaces and then select the interface you
interface that connects to the Internet). want to configure. In this example, we are configuring
Ethernet1/3 as the external interface.
2. Select the Interface Type. Although your choice here depends
on your network topology, this example shows the steps for
Layer3.
3. In the Virtual Router drop-down, select default.
4. On the Config tab, select New Zone from the Security Zone
drop-down. In the Zone dialog, define a Name for new zone,
for example Untrust, and then click OK.
5. To assign an IP address to the interface, select the IPv4 tab and
Static radio button. Click Add in the IP section, and enter the
IP address and network mask to assign to the interface, for
example 208.80.56.100/24.
6. To enable you to ping the interface, select Advanced > Other
Info, expand the Management Profile drop-down, and select
New Management Profile. Enter a Name for the profile, select
Ping and then click OK.
7. To save the interface configuration, click OK.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 499

Copyright © 2007-2015 Palo Alto Networks

Configure Static Routes Networking

Set Up Interfaces and Zones (Continued)

Step 3 Configure the interface that connects to 1. Select Network > Interfaces and select the interface you want
your internal network. to configure. In this example, we are configuring Ethernet1/4 as
the internal interface.
In this example, the interface
connects to a network segment 2. Select Layer3 from the Interface Type drop down.
that uses private IP addresses. 3. On the Config tab, expand the Security Zone drop-down and
Because private IP addresses select New Zone. In the Zone dialog, define a Name for new
cannot be routed externally, you zone, for example Trust, and then click OK.
will have to configure NAT. See 4. Select the same Virtual Router you used in Step 2, default in this
Configure NAT Policies for example.
details.
5. To assign an IP address to the interface, select the IPv4 tab and
the Static radio button, click Add in the IP section, and enter the
IP address and network mask to assign to the interface, for
example 192.168.1.4/24.
6. To enable you to ping the interface, select the management
profile that you created in Step 2-6.
7. To save the interface configuration, click OK.
Step 4 Configure the interface that connects to 1. Select the interface you want to configure.
the DMZ. 2. Select Layer3 from the Interface Type drop down. In this
example, we are configuring Ethernet1/13 as the DMZ
interface.
3. On the Config tab, expand the Security Zone drop-down and
select New Zone. In the Zone dialog, define a Name for new
zone, for example DMZ, and then click OK.
4. Select the Virtual Router you used in Step 2, default in this
example.
5. To assign an IP address to the interface, select the IPv4 tab and
the Static radio button, click Add in the IP section, and enter the
IP address and network mask to assign to the interface, for
example 10.1.1.1/24.
6. To enable you to ping the interface, select the management
profile that you created in Step 2-6.
7. To save the interface configuration, click OK.

Step 5 Save the interface configuration. Click Commit.

Step 6 Cable the firewall. Attach straight through cables from the interfaces you configured to
the corresponding switch or router on each network segment.

Step 7 Verify that the interfaces are active. From the web interface, select Network > Interfaces and verify that
icon in the Link State column is green. You can also monitor link
state from the Interfaces widget on the Dashboard.

500 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure RIP

Configure RIP
RIP was designed for small IP networks and relies on hop count to determine routes; the best routes have the
fewest number of hops. RIP is based on UDP and uses port 520 for route updates. By limiting routes to a
maximum of 15 hops, the protocol helps prevent the development of routing loops, but also limits the
supported network size. If more than 15 hops are required, traffic is not routed. RIP also can take longer to
converge than OSPF and other routing protocols. The firewall supports RIP v2.

Configure RIP

Step 1 Configure general virtual router See Configure a Virtual Router for details.
configuration settings.

Step 2 Configure general RIP configuration 1. Select the RIP tab.

settings. 2. Select the Enable check box to enable the RIP protocol.
3. Select the Reject Default Route check box if you do not want to
learn any default routes through RIP. This is the recommended
default setting.
4. De-select the Reject Default Route check box if you want to
permit redistribution of default routes through RIP.

Step 3 Configure interfaces for the RIP protocol. 1. Select the Interfaces subtab.
2. Select an interface from the drop-down in the Interface
configuration box.
3. Select an already defined interface from the drop-down.
4. Select the Enable check box.
5. Select the Advertise check box to advertise a default route to
RIP peers with the specified metric value.
6. You can optionally select a profile from the Auth Profile
drop-down. See Step 5 for details.
7. Select normal, passive or send-only from the Mode drop-down.
8. Click OK.

Step 4 Configure RIP timers. 1. Select the Timers sub-tab.

2. Enter a value in the Interval Seconds (sec) box that defines the
length of the timer interval in seconds. This duration is used for
the remaining RIP timing fields. Default: 1. Range: 1 - 60.
3. Enter a value in the Update Intervals box that defines the
number of intervals between route update announcements
Default: 30. Range: 1 - 3600.
4. Enter a value in the Delete Intervals box that defines the
number of intervals between the time that the route expires to
its deletion Default: 180. Range: 1 - 3600.
5. Enter a value in the Expire Intervals box that defines the
number of intervals between the time that the route was last
updated to its expiration Default: 120. Range: 1 - 3600.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 501

Copyright © 2007-2015 Palo Alto Networks

Configure RIP Networking

Configure RIP

Step 5 (Optional) Configure Auth Profiles. By default, the firewall does not use RIP authentication for the
exchange between RIP neighbors. Optionally, you can configure RIP
authentication between RIP neighbors by either a simple password
or using MD5 authentication.
Simple Password RIP authentication
1. Select the Auth Profiles sub tab.
2. Click Add.
3. Enter a name for the authentication profile to authenticate RIP
messages.
4. Select Simple Password as the Password Type.
5. Enter a simple password and then confirm.
MD5 RIP authentication
1. Select the Auth Profiles subtab.
2. Click Add.
3. Enter a name for the authentication profile to authenticate RIP
messages.
4. Select MD5 as the Password Type.
5. Click Add.
6. Enter one or more password entries, including:
• Key-ID Range 0-255
• Key
7. You can optionally select Preferred status.
8. Click OK. to specify the key to be used to authenticate outgoing
message.
9. Click OK again in the Virtual Router - RIP Auth Profile
configuration box.

502 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure OSPF

Configure OSPF
Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) which is most often used to dynamically
manage network routes in large enterprise network. It determines routes dynamically by obtaining information
from other routers and advertising routes to other routers by way of Link State Advertisements (LSAs). The
information gathered from the LSAs is used to construct a topology map of the network. This topology map
is shared across routers in the network and used to populate the IP routing table with available routes.
Changes in the network topology are detected dynamically and used to generate a new topology map within
seconds. A shortest path tree is computed of each route. Metrics associated with each routing interface are used
to calculate the best route. These can include distance, network throughput, link availability etc. Additionally,
these metrics can be configured statically to direct the outcome of the OSPF topology map.
Palo Alto networks implementation of OSPF fully supports the following RFCs:

 RFC 2328 (for IPv4)

 RFC 5340 (for IPv6)

The following topics provide more information about the OSPF and procedures for configuring OSPF on the
firewall:
 OSPF Concepts
 Configure OSPF
 Configure OSPFv3
 Configure OSPF Graceful Restart
 Confirm OSPF Operation
Also refer to How to Configure OSPF Tech Note.

OSPF Concepts

The following topics introduce the OSPF concepts you will need to understand in order to configure the firewall
to participate in an OSPF network:
 OSPFv3
 OSPF Neighbors
 OSPF Areas
 OSPF Router Types

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 503

Copyright © 2007-2015 Palo Alto Networks

Configure OSPF Networking

OSPFv3

OSPFv3 provides support for the OSPF routing protocol within an IPv6 network. As such, it provides support
for IPv6 addresses and prefixes. It retains most of the structure and functions in OSPFv2 (for IPv4) with some
minor changes. The following are some of the additions and changes to OSPFv3:

 Support for multiple instances per link—With OSPFv3 you can run multiple instances of the OSPF
protocol over a single link. This is accomplished by assigning an OSPFv3 instance ID number. An interface
that is assigned to an instance ID drops packets that contain a different ID.

 Protocol Processing Per-link—OSPFv3 operates per-link instead of per-IP-subnet as on OSPFv2.

 Changes to Addressing—IPv6 addresses are not present in OSPFv3 packets, except for LSA payloads
within link state update packets. Neighboring routers are identified by the Router ID.

 Authentication Changes—OSPFv3 doesn't include any authentication capabilities. Configuring OSPFv3

on a firewall requires an authentication profile that specifies Encapsulating Security Payload (ESP) or IPv6
Authentication Header (AH).The re-keying procedure specified in RFC 4552 is not supported in this release.

 Support for multiple instances per-link—Each instance corresponds to an instance ID contained in the
OSPFv3 packet header.

 New LSA Types—OSPFv3 supports two new LSA types: Link LSA and Intra Area Prefix LSA.
All additional changes are described in detail in RFC 5340.

OSPF Neighbors

Two OSPF-enabled routers connected by a common network and in the same OSPF area that form a
relationship are OSPF neighbors. The connection between these routers can be through a common broadcast
domain or by a point-to-point connection. This connection is made through the exchange of hello OSPF
protocol packets. These neighbor relationships are used to exchange routing updates between routers.

OSPF Areas

OSPF operates within a single autonomous system (AS). Networks within this single AS however, can be
divided into a number of Areas. By default, Area 0 is created. Area 0 can either function alone or act as the OSPF
backbone for a larger number of Areas. Each OSPF area is named using a 32-bit identifier which in most cases
written in the same dot-decimal notation as an IP4 address. For example, Area 0 is usually written as 0.0.0.0.
The topology of an area is maintained in its own link state database and is hidden from other areas which
reduces the amount routing traffic required by OSPF. Topology is then shared in a summarized form between
areas by a connecting router.

504 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure OSPF

OSPF Area Types

Backbone Area—The backbone are (Area 0) is the core of an OSPF network. All other areas are connected
to it and all traffic between areas must traverse it. All routing between areas is distributed through the backbone
area. While all other OSPF areas must connect to the backbone area, this connection doesn’t need to be direct
and can be made through a virtual link.
Normal OSPF Area—In a normal OSPF area there are no restrictions; the area can carry all types of routes.
Stub OSPF Area—A stub area does not receive routes from other Autonomous Systems. Routing from the
stub area is performed through the default route to the backbone area.
NSSA Area—The Not So Stubby Area (NSSA) is a type of stub area that can import external routes with some
limited exceptions.

OSPF Router Types

Within an OSPF area, routers are divided into the following categories.
Internal Router—A router with that only has OSPF neighbor relationships with devices in the same area.
Area Border router (ABR)—A router that has OSPF neighbor relationships with devices in multiple areas.
ABRs gather topology information from their attached areas and distribute it to the backbone area.
Backbone router—A backbone router is any OSPF router that is attached to the OSPF backbone. Since ABRs
are always connected to the backbone, they are always classified as backbone routers.
Autonomous System Boundary Router (ASBR)—An ASBR is a router that attaches to more than one
routing protocol and exchanges routing information between them.

Configure OSPF

OSPF determines routes dynamically by obtaining information from other routers and advertising routes to
other routers by way of Link State Advertisements (LSAs). The router keeps information about the links
between it and the destination and can make highly efficient routing decisions. A cost is assigned to each router
interface, and the best routes are determined to be those with the lowest costs, when summed over all the
encountered outbound router interfaces and the interface receiving the LSA.
Hierarchical techniques are used to limit the number of routes that must be advertised and the associated LSAs.
Because OSPF dynamically processes a considerable amount of route information, it has greater processor and
memory requirements than does RIP.

Configure OSPF

Step 1 Configure general virtual router See Configure a Virtual Router for details.
configuration settings.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 505

Copyright © 2007-2015 Palo Alto Networks

Configure OSPF Networking

Configure OSPF (Continued)

Step 2 Configure general OSPF configuration 1. Select the OSPF tab.

settings. 2. Select the Enable check box to enable the OSPF protocol.
3. Select the Reject Default Route check box if you do not want to
learn any default routes through OSPF. This is the
recommended default setting.
4. De-select the Reject Default Route check box if you want to
permit redistribution of default routes through OSPF.

506 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure OSPF

Configure OSPF (Continued)

Step 3 Configure Areas Type for the OSFP 1. Select the Areas sub tab and click Add.
protocol 2. Enter an Area ID for the area in x.x.x.x format. This is the
identifier that each neighbor must accept to be part of the same
area.
3. Select the Type sub-tab.
4. Select one of the following from the area Type drop down box:
• Normal – There are no restrictions; the area can carry all
types of routes.
• Stub – There is no outlet from the area. To reach a
destination outside of the area, it is necessary to go through
the border, which connects to other areas. If you select this
option, configure the following:
– Accept Summary – Link state advertisements (LSA) are
accepted from other areas. If this option on a stub area
Area Border Router (ABR) interface is disabled, the OSPF
area will behave as a Totally Stubby Area (TSA) and the
ABR will not propagate any summary LSAs.
– Advertise Default Route – Default route LSAs will be
included in advertisements to the stub area along with a
configured metric value in the configured range: 1-255.
• NSSA (Not-So-Stubby Area) – The firewall can only leave
the area by routes other than OSPF routes. If selected,
configure Accept Summary and Advertise Default Route
as described for Stub. If you select this option, configure the
following:
– Type – Select either Ext 1 or Ext 2 route type to advertise
the default LSA.
– Ext Ranges – Click Add in the section to enter ranges of
external routes that you want to enable or suppress
advertising for.
5. Priority—Enter the OSPF priority for this interface (0-255). It
is the priority for the router to be elected as a designated router
(DR) or as a backup DR (BDR) according to the OSPF
protocol. When the value is zero, the router will not be elected
as a DR or BDR.
• Auth Profile—Select a previously-defined authentication
profile.
• Timing—It is recommended that you keep the default
timing settings.
• Neighbors—For p2pmp interfaces, enter the neighbor IP
address for all neighbors that are reachable through this
interface.
6. Select normal, passive or send-only as the Mode.
7. Click OK.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 507

Copyright © 2007-2015 Palo Alto Networks

Configure OSPF Networking

Configure OSPF (Continued)

Step 4 Configure Areas Range for the OSFP 1. Select the Range subtab.
protocol 2. Click Add to aggregate LSA destination addresses in the area
into subnets.
3. Advertise or Suppress advertising LSAs that match the subnet,
and click OK. Repeat to add additional ranges.

Step 5 Configure Areas Interfaces for the OSFP 1. Select the Interface subtab.
protocol 2. Click Add and enter the following information for each interface
to be included in the area, and click OK.
• Interface—Select an interface from the drop down box.
• Enable—Selecting this option causes the OSPF interface
settings to take effect.
• Passive—Select the check box to if you do not want the
OSPF interface to send or receive OSPF packets. Although
OSPF packets are not sent or received if you choose this
option, the interface is included in the LSA database.
• Link type—Choose Broadcast if you want all neighbors that
are accessible through the interface to be discovered
automatically by multicasting OSPF hello messages, such as
an Ethernet interface. Choose p2p (point-to-point) to
automatically discover the neighbor. Choose p2mp
(point-to-multipoint) when neighbors must be defined
manually. Defining neighbors manually is allowed only for
p2mp mode.
• Metric — Enter an OSPF metric for this interface. Default:
10. Range: 0-65535.
• Priority — Enter an OSPF priority for this interface. This is
the priority for the router to be elected as a designated router
(DR) or as a backup DR (BDR). Default: 1. Range: 0 - 255. If
zero is configured, the router will not be elected as a DR or
BDR.
• Auth Profile — Select a previously-defined authentication
profile.
• Timing — The following OSPF timing settings can be set
here: Hello Interval, Dead Counts, Retransmit Interval and
Transit Delay. Palo Alto Networks recommends that you
retain the default timing settings.
• If p2mp is selected for Link Type, interfaces, enter the
neighbor IP addresses for all neighbors that are reachable
through this interface.

508 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure OSPF

Configure OSPF (Continued)

Step 6 Configure Areas Virtual Links. 1. Select the Virtual Link sub tab.
2. Click Add and enter the following information for each virtual
link to be included in the backbone area, and click OK:
• Name — Enter a name for the virtual link.
• Neighbor ID — Enter the router ID of the router (neighbor)
on the other side of the virtual link.
• Transit Area — Enter the area ID of the transit area that
physically contains the virtual link.
• Enable — Select to enable the virtual link.
• Timing — It is recommended that you keep the default
timing settings.
• Auth Profile — Select a previously-defined authentication
profile.

Step 7 (Optional) Configure Auth Profiles. By default, the firewall does not use OSPF authentication for the
exchange between OSPF neighbors. Optionally, you can configure
OSPF authentication between OSPF neighbors by either a simple
password or using MD5 authentication.
Simple Password OSPF authentication
1. Select the Auth Profiles subtab.
2. Click Add.
3. Enter a name for the authentication profile to authenticate
OSPF messages.
4. Select Simple Password as the Password Type.
5. Enter a simple password and then confirm.
MD5 OSPF authentication
1. Select the Auth Profiles subtab.
2. Click Add.
3. Enter a name for the authentication profile to authenticate
OSPF messages.
4. Select MD5 as the Password Type.
5. Click Add.
6. Enter one or more password entries, including:
• Key-ID Range 0-255
• Key
• Select the Preferred option to specify that the key be used to
authenticate outgoing messages.
7. Click OK.
8. Click OK again in the Virtual Router - OSPF Auth Profile
configuration box.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 509

Copyright © 2007-2015 Palo Alto Networks

Configure OSPF Networking

Configure OSPF (Continued)

Step 8 Configure Advanced OSPF options. 1. Select the Advanced subtab.

2. Select the RFC 1583 Compatibility check box to assure
compatibility with RFC 1583.
3. Configure a value for the SPF Calculation Delay (sec) timer.
This timer allows you to tune the delay time between receiving
new topology information and performing an SPF calculation.
Lower values enable faster OSPF re-convergence. Routers
peering with the firewall should be tuned in a similar manner to
optimize convergence times.
4. Configure a value for the LSA Interval (sec) time, This timer
specifies the minimum time between transmissions of two
instances of the same LSA (same router, same type, same LSA
ID). This is equivalent to MinLSInterval in RFC 2328. Lower
values can be used to reduce re-convergence times when
topology changes occur.

Configure OSPFv3

Configure OSPFv3

Step 1 Configure general virtual router See Configure a Virtual Router for details.
configuration settings.

Step 2 Configure general OSPF configuration 1. Select the OSPF tab.

settings. 2. Select the Enable check box to enable the OSPF protocol.
3. Select the Reject Default Route check box if you do not want to
learn any default routes through OSPF. This is the
recommended default setting.
4. De-select the Reject Default Route check box if you want to
permit redistribution of default routes through OSPF.

Step 3 Configure general OSPFv3 configuration 1. Select the OSPFv3 tab.

settings. 2. Select the Enable check box to enable the OSPF protocol.
3. Select the Reject Default Route check box if you do not want to
learn any default routes through OSPFv3 This is the
recommended default setting.
De-select the Reject Default Route check box if you want to
permit redistribution of default routes through OSPFv3.

510 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure OSPF

Configure OSPFv3 (Continued)

Step 4 Configure Auth Profile for the OSFPv3 When configuring an authentication profile you must use
protocol. Encapsulating Security Payload (ESP) or IPv6 Authentication
Header (AH).
While OSPFv3 doesn't include any
authentication capabilities of its own, ESP OSPFv3 authentication
instead, it relies entirely on IPsec to secure 1. Select the Auth Profiles subtab.
communications between neighbors. 2. Click Add.
3. Enter a name for the authentication profile to authenticate
OSPFv3 messages.
4. Specify a Security Policy Index (SPI). The SPI must match
between both ends of the OSPFv3 adjacency. The SPI number
must be a HEX value between 00000000 and FFFFFFFF.
5. Select ESP for Protocol.
6. Select a Crypto Algorithm from the drop down box.
You can enter none or one of the following algorithms: SHA1,
SHA256, SHA384, SHA512 or MD5.
7. If a Crypto Algorithm other than none was selected, enter a
value for Key and then confirm.
AH OSPFv3 authentication
1. Select the Auth Profiles subtab.
2. Click Add.
3. Enter a name for the authentication profile to authenticate
OSPFv3 messages.
4. Specify a Security Policy Index (SPI). The SPI must match
between both ends of the OSPFv3 adjacency. The SPI number
must be a HEX value between 00000000 and FFFFFFFF.
5. Select AH for Protocol.
6. Select a Crypto Algorithm from the drop-down.
You must enter one of the following algorithms: SHA1,
SHA256, SHA384, SHA512 or MD5.
7. Enter a value for Key and then confirm.
8. Click OK.
9. Click OK again in the Virtual Router - OSPF Auth Profile dialog.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 511

Copyright © 2007-2015 Palo Alto Networks

Configure OSPF Networking

Configure OSPFv3 (Continued)

Step 5 Configure Areas Type for the OSFP 1. Select the Areas subtab.
protocol. 2. Click Add.
3. Enter an Area ID. This is the identifier that each neighbor must
accept to be part of the same area.
4. Select the General sub-tab.
5. Select one of the following from the area Type drop-down:
• Normal – There are no restrictions; the area can carry all
types of routes.
• Stub – There is no outlet from the area. To reach a
destination outside of the area, it is necessary to go through
the border, which connects to other areas. If you select this
option, configure the following:
– Accept Summary – Link state advertisements (LSA) are
accepted from other areas. If this option on a stub area
Area Border Router (ABR) interface is disabled, the OSPF
area will behave as a Totally Stubby Area (TSA) and the
ABR will not propagate any summary LSAs.
– Advertise Default Route – Default route LSAs will be
included in advertisements to the stub area along with a
configured metric value in the configured range: 1-255.
• NSSA (Not-So-Stubby Area) – The firewall can only leave the
area by routes other than OSPF routes. If selected, configure
Accept Summary and Advertise Default Route as described
for Stub. If you select this option, configure the following:
– Type – Select either Ext 1 or Ext 2 route type to advertise
the default LSA.
– Ext Ranges – Click Add in the section to enter ranges of
external routes that you want to enable or suppress
advertising for.

Step 6 Associate an OSPFv3 authentication To an Area

profile to an area or an interface. 1. Select the Areas subtab.
2. Select an existing area from the table.
3. Select a previously defined Authentication Profile from the
Authentication drop-down on the General subtab.
4. Click OK.
To an Interface
1. Select the Areas subtab.
2. Select an existing area from the table.
3. Select the Interface subtab and click Add.
4. Select the authentication profile you want to associate with the
OSPF interface from the Auth Profile drop- down.

512 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure OSPF

Configure OSPFv3 (Continued)

Step 7 (Optional) Configure Export Rules 1. Select the Export subtab.

2. Click Add.
3. Select the Allow Redistribute Default Route check box to
permit redistribution of default routes through OSPFv3.
4. Select the name of a redistribution profile. The value must be an
IP subnet or valid redistribution profile name.
5. Select a metric to apply for New Path Type.
6. Specify a New Tag for the matched route that has a 32-bit value.
7. Assign a metric for the new rule.
The value can be: 1 - 65535.
8. Click OK.

Step 8 Configure Advanced OSPFv3 options. 1. Select the Advanced subtab.

2. Select the Disable Transit Routing for SPF Calculation check
box if you want the firewall to participate in OSPF topology
distribution without being used to forward transit traffic.
3. Configure a value for the SPF Calculation Delay (sec) timer.
This timer allows you to tune the delay time between receiving
new topology information and performing an SPF calculation.
Lower values enable faster OSPF re-convergence. Routers
peering with the firewall should be tuned in a similar manner to
optimize convergence times.
4. Configure a value for the LSA Interval (sec) time, This timer
specifies the minimum time between transmissions of two
instances of the same LSA (same router, same type, same LSA
ID). This is equivalent to MinLSInterval in RFC 2328. Lower
values can be used to reduce re-convergence times when
topology changes occur.
5. Configure the Graceful Restart section as described in
Configure OSPF Graceful Restart.

Configure OSPF Graceful Restart

OSPF Graceful Restart directs OSPF neighbors to continue using routes through a device during a short
transition when it is out of service. This increases network stability by reducing the frequency of routing table
reconfiguration and the related route flapping that can occur during short periodic down times.
For a Palo Alto Networks firewall this involves the following operations:

 Firewall as a restarting device—In a situation where the firewall will be down for a short period of time
or is unavailable for short intervals, it sends Grace LSAs to its OSPF neighbors. The neighbors must be
configured to run in Graceful Restart Helper mode. In Helper Mode, the neighbors receive the Grace LSAs
that inform it that the firewall will perform a graceful restart within a specified period of time defined as the
Grace Period. During the grace period, the neighbor continues to forward routes through the firewall and
to send LSAs that announce routes through the firewall. If the firewall resumes operation before expiration

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 513

Copyright © 2007-2015 Palo Alto Networks

Configure OSPF Networking

of the grace period, traffic forwarding will continue as before without network disruption. If the firewall does
not resume operation after the grace period has expired, the neighbors will exit helper mode and resume
normal operation which will involve reconfiguring the routing table to bypass the firewall.

 Firewall as a Graceful Restart Helper—In a situation where neighboring routers may be down for a short
periods of time the firewall can be configured to operate in Graceful Restart Helper mode. If configured in
this mode, the firewall will be configured with a Max Neighbor Restart Time. When the firewall receives
the Grace LSAs from its OSFP neighbor, it will continue to route traffic to the neighbor and advertise routes
through the neighbor until either the grace period or max neighbor restart time expires. If neither expires
before the neighbor returns to service, traffic forwarding continues as before without network disruption.
If either period expires before the neighbor returns to service, the firewall will exit helper mode and resume
normal operation which will involve reconfiguring the routing table to bypass the neighbor.

Configure OSPF Graceful Restart

Step 1 Select Network > Virtual Routers and select the virtual router you want to configure.

Step 2 Select OSPF > Advanced.

Step 3 Verify that the following check boxes are selected (they are enabled by default).
Enable Graceful Restart, Enable Helper Mode, and Enable Strict LSA checking.

All should remain selected unless required by your topology.

Step 4 Configure a Grace Period in seconds.

Step 5 Configure a Max Neighbor Restart Time in seconds.

Confirm OSPF Operation

Once an OSPF configuration has been committed, you can use any of the following operations to confirm that
OSPF operating:
 View the Routing Table
 Confirm OSPF Adjacencies
 Confirm that OSPF Connections are Established

View the Routing Table

By viewing the routing table, you can see whether OSPF routes have been established. The routing table is
accessible from either the web interface or the CLI. If you are using the CLI, use the following commands:

 show routing route

 show routing fib

The following procedure describes how to use the web interface to view the route table.

514 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure OSPF

View the Routing Table

Step 1 Select Network > Virtual Routers

Step 2 Select the Routing tab and examine the Flags column of the routing table for routes that were learned by OSPF.

Confirm OSPF Adjacencies

By viewing the Neighbor tab as described in the following procedure, you can confirm that OSPF adjacencies
have been established.

View the Neighbor Tab to Confirm OSPF Adjacencies

Step 1 Select Network > Virtual Routers.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 515

Copyright © 2007-2015 Palo Alto Networks

Configure OSPF Networking

View the Neighbor Tab to Confirm OSPF Adjacencies

Step 2 Select OSPF > Neighbor and examine the Status column to determine if OSPF adjacencies have been established.

Confirm that OSPF Connections are Established

By viewing the system log, you can confirm that OSPF connections have been established as described in the
following procedure:

Examine the System Log

Step 1 Select Monitor> System and look for messages confirm that OSPF adjacencies have been established.

Step 2 Select OSPF > Neighbor sub tab and examine the Status column to determine if OSPF adjacencies have been
established.

516 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure BGP

Configure BGP
The Border Gateway Protocol (BGP) is the primary Internet routing protocol. BGP determines network
reachability based on IP prefixes that are available within autonomous systems (AS), where an AS is a set of IP
prefixes that a network provider has designated to be part of a single routing policy.
In the routing process, connections are established between BGP peers (or neighbors). If a route is permitted
by the policy, it is stored in the routing information base (RIB). Each time the local firewall RIB is updated, the
firewall determines the optimal routes and sends an update to the external RIB, if export is enabled.
Conditional advertisement is used to control how BGP routes are advertised. The BGP routes must satisfy
conditional advertisement rules before being advertised to peers.
BGP supports the specification of aggregates, which combine multiple routes into a single route. During the
aggregation process, the first step is to find the corresponding aggregation rule by performing a longest match
that compares the incoming route with the prefix values for other aggregation rules.
For more information on BGP, refer to How to Configure BGP Tech Note.
The firewall provides a complete BGP implementation that includes the following features:
 Specification of one BGP routing instance per virtual router.

 Routing policies based on route-map to control import, export and advertisement, prefix-based filtering, and
address aggregation.

 Advanced BGP features that include route reflector, AS confederation, route flap dampening, and graceful
restart.

 IGP-BGP interaction to inject routes to BGP using redistribution profiles.

BGP configuration consists of the following elements:
 Per-routing-instance settings, which include basic parameters such as local route ID and local AS and
advanced options such as path selection, route reflector, AS confederation, route flap, and dampening
profiles.

 Authentication profiles, which specify the MD5 authentication key for BGP connections.
 Peer group and neighbor settings, which include neighbor address and remote AS and advanced options
such as neighbor attributes and connections.

 Routing policy, which specifies rule sets that peer groups and peers use to implement imports, exports,
conditional advertisements, and address aggregation controls.

Configure BGP

Step 1 Configure general virtual router See Configure a Virtual Router for details.
configuration settings.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 517

Copyright © 2007-2015 Palo Alto Networks

Configure BGP Networking

Configure BGP (Continued)

Step 2 Configure standard BGP configuration 1. Select the BGP tab.

settings. 2. Select the Enable check box to enable the BGP protocol.
3. Assign an IP address to the virtual router in the Router ID box.
4. Enter the number of the AS to which the virtual router belongs
in the AS Number box, based on the router ID. Range:
1-4294967295

Step 3 Configure general BGP configuration 1. Select BGP > General.

settings. 2. Select the Reject Default Route check box to ignore any default
routes that are advertised by BGP peers.
3. Select the Install Route check box to install BGP routes in the
global routing table.
4. Select the Aggregate MED check box to enable route
aggregation even when routes have different Multi-Exit
Discriminator (MED) values.
5. Enter a value for the Default Local Preference that specifies a
value than can be used to determine preferences among
different paths.
6. Select one of the following values for the AS format for
interoperability purposes:
• 2 Byte (default value)
• 4 Byte
7. Enable or disable each of the following values for Path
Selection:
• Always Compare MED — Enable this comparison to choose
paths from neighbors in different autonomous systems.
• Deterministic MED Comparison — Enable this comparison
to choose between routes that are advertised by IBGP peers
(BGP peers in the same autonomous system).
8. Click Add to include a new authentication profile and configure
the following settings:
• Profile Name—Enter a name to identify the profile.
• Secret/Confirm Secret—Enter and confirm a passphrase
for BGP peer communications.

518 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure BGP

Configure BGP (Continued)

Step 4 Configure BGP Advanced settings 1. On the Advanced subtab, select Graceful Restart and configure
(Optional) the following timers:
• Stale Route Time (sec)—Specifies the length of time in
seconds that a route can say in the stale state. Range: 1 - 3600
seconds. Default: 120 seconds.
• Local Restart Time (sec)—Specifies the length of time in
seconds that the local device waits to restart. This value is
advertised to peers. Range: 1 - 3600 seconds. Default: 120
seconds.
• Max Peer Restart Time (sec)—Specifies the maximum
length of time in seconds that the local device accepts as a
grave period restart time for peer devices. Range: 1 - 3600
seconds. Default: 120 seconds.
2. Specify an IPv4 identifier to represent the reflector cluster in the
Reflector Cluster ID box.
3. Specify the identifier for the AS confederation to be presented
as a single AS to external BGP peers in the Confederation
Member AS box.
4. Click Add and enter the following information for each
Dampening Profile that you want to configure, select Enable,
and click OK:
• Profile Name—Enter a name to identify the profile.
• Cutoff—Specify a route withdrawal threshold above which a
route advertisement is suppressed. Range: 0.0-1000.0.
Default: 1.25.
• Reuse—Specify a route withdrawal threshold below which a
suppressed route is used again. Range: 0.0-1000.0. Default: 5.
• Max Hold Time (sec)—Specify the maximum length of time
in seconds that a route can be suppressed, regardless of how
unstable it has been. Range: 0-3600 seconds. Default: 900
seconds.
• Decay Half Life Reachable (sec)—Specify the length of time
in seconds after which a route’s stability metric is halved if the
route is considered reachable Range: 0-3600 seconds.
Default: 300 seconds.
• Decay Half Life Unreachable (sec)—Specify the length of
time in seconds after which a route’s stability metric is halved
if the route is considered unreachable. Range: 0 - 3600
seconds. Default: 300 seconds.
5. Click OK.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 519

Copyright © 2007-2015 Palo Alto Networks

Configure BGP Networking

Configure BGP (Continued)

Step 5 Configure the BGP peer group. 1. Select the Peer Group subtab and click Add.
2. Enter a Name for the peer group and select Enable.
3. Select the Aggregated Confed AS Path check box to include a
path to the configured aggregated confederation AS.
4. Select the Soft Reset with Stored Info check box to perform a
soft reset of the firewall after updating the peer settings.
5. Specify the type of peer or group from the Type drop down box
and configure the associated settings (see below in this table for
descriptions of Import Next Hop and Export Next Hop).
• IBGP—Export Next Hop: Specify Original or Use self
• EBGP Confed—Export Next Hop: Specify Original or Use
self
• EBGP Confed—Export Next Hop: Specify Original or Use
self
• EBGP—Import Next Hop: Specify Original or Use self,
Export Next Hop: Specify Resolve or Use self. Select
Remove Private AS if you want to force BGP to remove
private AS numbers.
6. Click OK to save.

Step 6 Configure Import and Export rules. 1. Select the Import tab and then click Add and enter a name in the
Rules field and select the Enable check box.
The import/export rules are used to
import/export routes from/to other 2. Click Add and select the Peer Group to which the routes will be
routers. For example, importing the imported from.
default route from your Internet Service 3. Click the Match tab and define the options used to filter routing
Provider. information. You can also define the Multi-Exit Discriminator
(MED) value and a next hop value to routers or subnets for
route filtering. The MED option is an external metric that lets
neighbors know about the preferred path into an AS. A lower
value is preferred over a higher value.
4. Click the Action tab and define the action that should occur
(allow/deny) based on the filtering options defined in the Match
tab. If Deny is selected, no further options need to be defined.
If the Allow action is selected, define the other attributes.
5. Click the Export tab and define export attributes, which are
similar to the Import settings, but are used to control route
information that is exported from the firewall to neighbors.
6. Click OK to save.

520 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks

Networking Configure BGP

Configure BGP (Continued)

Step 7 Configure conditional advertising, which 1. Select the Conditional Adv tab, click Add and enter a name in the
allows you to control what route to Policy field.
advertise in the event that a different 2. Select the Enable check box.
route is not available in the local BGP
3. Click Add and in the Used By section enter the peer group(s)
routing table (LocRIB), indicating a
that will use the conditional advertisement policy.
peering or reachability failure. This is
useful in cases where you want to try and 4. Select the Non Exist Filter tab and define the network prefix(es)
force routes to one AS over another, for of the preferred route. This specifies the route that you want to
example if you have links to the Internet advertise, if it is available in the local BGP routing table. If a
through multiple ISPs and you want prefix is going to be advertised and matches a Non Exist filter,
traffic to be routed to one provider the advertisement will be suppressed.
instead of the other unless there is a loss 5. Select the Advertise Filters tab and define the prefix(es) of the
of connectivity to the preferred provider. route in the Local-RIB routing table that should be advertised in
the event that the route in the non-exist filter is not available in
the local routing table. If a prefix is going to be advertised and
does not match a Non Exist filter, the advertisement will occur.

Step 8 Configure aggregate options to 1. Select the Aggregate tab, click Add and enter a name for the
summaries routes in the BGP aggregate address.
configuration. 2. In the Prefix field, enter the network prefix that will be the
BGP route aggregation is used to control primary prefix for the aggregated prefixes.
how BGP aggregates addresses. Each 3. Select the Suppress Filters tab and define the attributes that
entry in the table results in one aggregate will cause the matched routes to be suppressed.
address being created. This will result in 4. Select the Advertise Filters tab and define the attributes that
an aggregate entry in the routing table will cause the matched routes to always be advertised to peers.
when at least one or more specific route
matching the address specified is learned.

Step 9 Configure redistribution rules. 1. Select the Redist Rules tab and click Add.
This rule is used to redistribute host 2. In the Name field, enter an IP subnet or select a redistribution
routes and unknown routes that are not profile. You can also configure a new redistribution profile from
on the local RIB to the peers routers. the drop-down menu if needed.
3. Click the Enable check box to Enable the rule.
4. In the Metric field, enter the route metric that will be used for
the rule.
5. In the Set Origin drop down, select incomplete, igp, or egp.
6. Optionally set MED, local preference, AS path limit and
community values.

Palo Alto Networks PAN-OS 6.0 Administrator’s Guide • 521

Copyright © 2007-2015 Palo Alto Networks

Configure BGP Networking

522 • PAN-OS 6.0 Administrator’s Guide Palo Alto Networks

Copyright © 2007-2015 Palo Alto Networks