BGP Route Filtering with Palo’s Advanced Routing Engine (ARE)

Starting with PAN-OS 10.2, Palo Alto Networks introduced the “Advanced Routing Engine” (ARE), which uses “Logical Routers” (LR) instead of the legacy “Virtual Routers” (VR).

The Advanced Routing Engine simplifies operations with a standards-based configuration, which reduces your learning curve since it is similar to that of other router vendors.

The neat thing, as always: you can configure everything through the GUI. Here is a basic example of how I use a prefix list to filter incoming BGP routes:

Lab Notes

  • PA-440 with PAN-OS 11.2.0, “Advanced Routing” enabled, AS 64512
  • A (fairly old but still working) Cisco 2811 router with IOS 15.1(4)M12a, AS 64513
  • transfer networks 2a00:6020:ad0b:8370::/64 and 10.0.70.0/30
  • eBGP between those two routers
  • IPv6 neighbouring for IPv6 routes
  • IPv4 neighbouring for IPv4 routes
  • four IPv6 networks announced by the Cisco router (I hate their upper case notations)
  • four IPv4 networks are announced as well

Initial Config

Straightforward, quick and dirty, using the “default” (read-only) BGP Address Family Profile for IPv4 and a similar one for IPv6:

Cisco router config for the sake of completeness. The /63 IPv6 routes exist only for this test and are created as static null routes so that they can be announced:

More Runtime Stats: (Note the BGP -> Routes section, in which every IPv6 prefix is listed twice, once with the peer’s global unicast address (GUA) as next hop and once with its link-local (LL) address, while the final routing/forwarding tables only show the link-local next hops. An IPv6 BGP UPDATE may carry both next hops (RFC 2545), and for a directly connected peer the link-local one is used for forwarding.)

Show commands on the Palo. Note the show advanced-routing statements rather than the legacy show routing ones.

Route Filtering w/ Prefix Lists

The goal is to filter incoming routes against the following criteria:

  • only IPv6 routes out of the 2a00:6020:ad0b:8310::/60 range, only /64 networks
  • only IPv4 routes out of the 10.10.0.0/16 range, only /26 networks

That is, per address family only one of the four incoming routes should be accepted, since the others either have the wrong prefix length or fall outside the permitted range. These are the configuration steps:

  1. Routing -> Routing Profiles -> Filters -> Prefix List: for each address family, add an appropriate list. The “network/mask” field defines the overall range, while the two “prefix length” columns set the lower and upper bounds (greater-or-equal / less-or-equal) on the accepted prefix length; a “/64 only” filter therefore uses 64 for both. Note that every prefix list ends with an implicit “deny any”.
  2. Routing -> Routing Profiles -> BGP -> Filtering Profiles: for each address family, add a profile that references the just-added prefix list as an inbound network filter.
  3. Finally, select these filtering profiles on both neighbor/peer statements within the BGP section of the logical router.
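To check the expected outcome before touching the firewall, here is a small stand-alone model of the two prefix lists. This is an added example, not code from the page or from Palo Alto Networks: it reproduces standard prefix-list semantics (first match wins, optional lower/upper prefix-length bounds, implicit deny at the end, exact match when no bounds are given, as in Cisco IOS and FRR). The announced routes are constructed sample data, since the page states only the criteria, not the exact prefixes; the function and variable names are my own.

```python
"""Offline model of the inbound prefix-list filter described above (added example)."""
from ipaddress import ip_network


def entry(action, network, ge=None, le=None):
    """One line of the prefix list: action, network/mask, optional ge/le bounds."""
    return {"action": action, "network": ip_network(network), "ge": ge, "le": le}


def entry_matches(e, route):
    """Does this route fall inside the entry's range with an acceptable length?"""
    net = e["network"]
    if route.version != net.version or not route.subnet_of(net):
        return False
    if e["ge"] is None and e["le"] is None:
        # Standard semantics: no bounds means the prefix must match exactly.
        return route.prefixlen == net.prefixlen
    lower = e["ge"] if e["ge"] is not None else net.prefixlen
    upper = e["le"] if e["le"] is not None else route.max_prefixlen
    return lower <= route.prefixlen <= upper


def evaluate(prefix_list, route):
    """Return 'permit' or 'deny' for one route: first match wins, implicit deny."""
    for e in prefix_list:
        if entry_matches(e, route):
            return e["action"]
    return "deny"


def filter_routes(prefix_list, routes):
    """Return the received routes (strings) that the list lets through."""
    return [r for r in routes if evaluate(prefix_list, ip_network(r)) == "permit"]


# The two lists from the page: only /64s inside 2a00:6020:ad0b:8310::/60 and
# only /26s inside 10.10.0.0/16. Setting ge == le pins the network size.
PL_V6 = [entry("permit", "2a00:6020:ad0b:8310::/60", ge=64, le=64)]
PL_V4 = [entry("permit", "10.10.0.0/16", ge=26, le=26)]

# Pitfall for comparison: the same range without bounds only matches the
# /16 itself, so none of the more specific routes below gets through.
PL_V4_EXACT = [entry("permit", "10.10.0.0/16")]

# Constructed sample announcements (not the page's actual routes): per
# family one correct route, one wrong size, one wrong range, and one both.
RECEIVED_V6 = ["2a00:6020:ad0b:8310::/64", "2a00:6020:ad0b:8312::/63",
               "2a00:6020:ad0b:8320::/64", "2a00:6020:ad0b:8322::/63"]
RECEIVED_V4 = ["10.10.0.0/26", "10.10.1.0/25", "10.20.0.0/26", "10.20.1.0/25"]

if __name__ == "__main__":
    for name, pl, routes in (("IPv6", PL_V6, RECEIVED_V6), ("IPv4", PL_V4, RECEIVED_V4)):
        for r in routes:
            print(f"{name} {r:<28} {evaluate(pl, ip_network(r))}")
        print(f"{name} accepted: {filter_routes(pl, routes)}")
    print(f"IPv4 with exact-match list: {filter_routes(PL_V4_EXACT, RECEIVED_V4)}")
```

Running it prints one permitted route per address family and three denials each, matching the “1 out of 4” expectation; the exact-match list accepts nothing, which is the classic mistake of leaving the prefix-length columns empty when a range of more specific routes is intended.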

From now on, the routing table only lists the correct/wanted routes:

So does the CLI, of course:

The following command, however, shows that the BGP peer still sends all routes and the Palo still receives them; the prefix list only keeps the unwanted ones out of the routing table:

Q.E.D. ✅

Soli Deo Gloria!

Photo by Jakub Kapusnak on Unsplash.

One thought on “BGP Route Filtering with Palo’s Advanced Routing Engine (ARE)”

  1. One piece of information that is good to know: the Advanced Routing Engine is based on FRR
    https://frrouting.org/
    If you encounter any quirks or ask yourself what could be possible (if Palo were to implement it), you can have a look at the FRR documentation.
