BGP Peer Group Tab
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device Setup Ace
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
BGP Peer Group Tab
- Network > Virtual Router > BGP > Peer Group
A BGP peer group is a collection of BGP peers that share settings,
such as the type of peer group (EBGP, for example), or the setting
to remove private AS numbers from the AS_PATH list that the virtual
router sends in Update packets. BGP peer groups save you from having
to configure multiple peers with the same settings. You must configure
at least one BGP peer group in order to configure the BGP peers
that belong to the group.
BGP Peer Group Settings | Configure In | Description |
---|---|---|
Name | BGPPeer Group | Enter a name to identify the peer group. |
Enable | Select to activate the peer group. | |
Aggregated Confed AS Path | Select to include a path to the configured
aggregated confederation AS. | |
Soft Reset with Stored Info | Select to perform a soft reset of the firewall
after updating the peer settings. | |
Type | Specify the type of peer or group and configure
the associated settings (see below in this table for descriptions
of Import Next Hop and Export
Next Hop).
| |
Import Next Hop | Choose an option for next hop import:
| |
Export Next Hop | Choose an option for next hop export:
| |
Remove Private AS | Select to remove private autonomous systems
from the AS_PATH list. | |
Name | BGPPeer GroupPeer | Add a New BGP peer
and enter a name to identify it. |
Enable | Select to activate the peer. | |
Peer AS | Specify the autonomous system (AS) of the
peer. | |
Enable MP-BGP Extensions | BGPPeer GroupPeerAddressing | Enables the firewall to support the Multiprotocol
BGP Address Family Identifier for IPv4 and IPv6 and Subsequent Address Family
Identifier options per RFC 4760. |
Address Family Type | Select either the IPv4 or IPv6 address
family that BGP sessions with this peer will support. | |
Subsequent Address Family | Select either the Unicast or Multicast subsequent
address family protocol the BGP sessions with this peer will carry. | |
Local Address—Interface | Choose a firewall interface. | |
Local Address—IP | Choose a local IP address. | |
Peer Address—Type and Address | Select the type of address that identifies
the peer:
| |
Auth Profile | BGPPeer GroupPeerConnection Options | Select a profile or select New
Auth Profile from the drop down. Enter a Profile Name and
the Secret, and Confirm Secret. |
Keep Alive Interval | Specify an interval after which routes from
a peer are suppressed according to the hold time setting (range
is 0-1,200 seconds; default is 30 seconds). | |
Multi Hop | Set the time-to-live (TTL) value in the
IP header (range is 0 to 255; default is 0). The default value of
0 means 1 for eBGP. The default value of 0 means 255 for iBGP. | |
Open Delay Time | Specify the delay time between opening the
peer TCP connection and sending the first BGP open message (range
is 0-240 seconds; default is 0 seconds). | |
Hold Time | Specify the period of time that may elapse
between successive KEEPALIVE or UPDATE messages from a peer before
the peer connection is closed (range is 3-3,600 seconds; default
is 90 seconds). | |
Idle Hold Time | Specify the time to wait in the idle state
before retrying connection to the peer (range is 1-3,600 seconds;
default is 15 seconds). | |
Incoming Connections—Remote Port | Specify the incoming port number and Allow traffic
to this port. | |
Outgoing Connections—Local Port | Specify the outgoing port number and Allow traffic
from this port | |
Reflector Client | BGPPeer GroupPeerAdvanced | Select the type of reflector client (Non-Client, Client,
or Meshed Client). Routes that are received
from reflector clients are shared with all internal and external
BGP peers. |
Peering Type | Specify a Bilateral peer or leave Unspecified. | |
Max Prefixes | Specify the maximum number of IP prefixes to import from the peer (1 to 100,000 or
unlimited). | |
Enable Sender Side Loop Detection |
Enable to cause the firewall to check the AS_PATH attribute of a
route in the BGP RIB before it sends the route in an update, to
ensure that the peer AS number isn't in the AS_PATH list. The
firewall doesn't advertise the route if the peer AS number is in the
AS_PATH list. Usually the receiver detects loops, but this
optimization feature has the sender perform the loop detection.
Disable this feature to have the receiver perform loop
detection.
| |
BFD | To enable Bidirectional Forwarding Detection
(BFD) for a BGP peer (and thereby override the BFD setting
for BGP, as long as BFD is not disabled for
BGP at the virtual router level), select the default profile (default
BFD settings), an existing BFD profile, Inherit-vr-global-setting (to
inherit the global BGP BFD profile), or New BFD Profile (to
create a new BFD profile). Disable BFD disables
BFD for the BGP peer. If you enable
or disable BFD globally, all interfaces running BGP will be taken
down and brought back up with the BFD function. This can disrupt
all BGP traffic. When you enable BFD on the interface, the firewall
will stop the BGP connection to the peer to program BFD on the interface.
The peer device will see the BGP connection drop, which can result
in a reconvergence that impacts production traffic. Therefore, enable
BFD on BGP interfaces during an off-peak time when a reconvergence will
not impact production traffic. |