Advertising a non-existent route to BGP in PAN
Normally, if you want to advertise a route to your BGP neighbor, the route you want to announce must exist in your routing table. Palo Alto Networks, however, has a nice trick that is quite handy. Where is it really handy? For example, you have a subnet that you only use as a NAT pool and that doesn’t really need any next hop. In this case this config plays a nice role.
For example, if you want to announce the route 144.122.122.0/24, add it under the menu shown in the screenshot, and make sure your “Export” rules don’t block this subnet from being advertised; otherwise you won’t see it in your RIB-OUT.
With the help of this handy config, your peer router will receive your NAT-pool subnet even though you haven’t actually added it to your routing table (PAN adds this dummy route automatically, as far as I can see).
Palo has by far the worst implementation of redistribution of a null0 route. That routing static is pathetic.
hahahahaah agreed! All Palo BGP routing is horrible!
In general CLI navigation for me:)
Thanks man, you are a life saver! Thank you.
Hero. Was trying to figure out to advertise a GlobalProtect IP pool and this was the key. Nice one.
Thanks for the feedback!
This might help you.
Symptom
When BGP aggregation is configured on PANOS, a discard route is automatically inserted into the routing table. Other vendors use a different terminology such as null route but the concept is essentially the same.
Environment
All versions of PANOS
BGP
Hardware/VM-Series NGFW
Cause
The discard route is inserted as an efficiency mechanism to prevent route lookups and/or route forwarding via the default route for prefixes that have no specific or longer-prefix match on the routing table. In this illustration, the firewall is learning about the prefix 10.10.0.0/24 from one of its BGP peers and, in turn, it is aggregating that prefix to 10.10.0.0/16 which it then advertises to its peers.
When the device receives traffic destined to an IP address within the aggregate range but outside the parent subnet(s), the firewall simply drops the traffic. For example, traffic destined to 10.10.1.25, which overlaps with the aggregate, is dropped because it is outside the subnet 10.10.0.0/24. The only exception is if this address matches an existing [BGP] subnet on the routing table such as 10.10.0.0/17, etc.
Resolution
A discard route is automatically inserted into the routing table for BGP aggregate routes.
Additional Information
This article assumes the reader is familiar with how to configure BGP/route aggregation.
Palo explains the default behavior: (02/10/22)
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004NC9CAM&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
They want you to configure it this way: (09/25/18)
Palo Alto Networks Support for Null Routes
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clh9CAC#:~:text=Create%20an%20unnumbered%20dummy%20tunnel,option%20selected%20as%20%22none%22
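As an added example (my own code, not from the post, the commenters, or the Palo Alto Networks KB article), the following Python models the behaviour described in the post and in the KB text above: configuring an aggregate installs a discard route for the summary prefix, longest-prefix match then forwards traffic that hits a more-specific route and drops traffic that only hits the aggregate (instead of sending it out the default route), a later-learned 10.10.0.0/17 takes over part of the aggregate, and the aggregate itself shows up in RIB-OUT unless an export rule denies it. The routing table, the peer next hop 192.0.2.1, the default next hop 203.0.113.1 and the export-deny list are all constructed; nothing here is PAN-OS code or CLI syntax.

```python
import ipaddress

DISCARD = None  # next-hop value that marks a discard (null / "dummy") route


def make_table(routes):
    """Build a routing table from {prefix: next_hop}; a next hop of None is a discard route.
    Constructed helper, not a PAN-OS structure."""
    return {ipaddress.ip_network(p): nh for p, nh in routes.items()}


def add_route(table, prefix, next_hop):
    """Add or replace a single route (e.g. a prefix learned later from a BGP peer)."""
    table[ipaddress.ip_network(prefix)] = next_hop
    return table


def install_aggregate(table, prefix):
    """Model PAN-OS BGP aggregation as the KB describes it: configuring an aggregate
    inserts a discard route for the summary prefix. The post reports this also works
    when no contributing (more-specific) route exists, e.g. a NAT pool, so no check
    for contributing routes is made here."""
    return add_route(table, prefix, DISCARD)


def lookup(table, dst):
    """Longest-prefix match. Returns (prefix, next_hop) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh in table.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def forwarding_decision(table, dst):
    """'drop' when the best match is a discard route (or there is no route at all),
    otherwise 'forward via <next hop>'."""
    match = lookup(table, dst)
    if match is None or match[1] is DISCARD:
        return "drop"
    return f"forward via {match[1]}"


def rib_out(table, export_deny=()):
    """Prefixes offered to the peer after export policy. Discard routes are
    advertised like any other route; that is the trick the post relies on.
    export_deny models an Export rule that blocks specific prefixes."""
    denied = {ipaddress.ip_network(p) for p in export_deny}
    return sorted(str(net) for net in table if net not in denied)


def kb_example_table():
    """Constructed table mirroring the KB illustration: 10.10.0.0/24 learned from a
    BGP peer, a default route, and the 10.10.0.0/16 aggregate configured on top."""
    table = make_table({"0.0.0.0/0": "203.0.113.1", "10.10.0.0/24": "192.0.2.1"})
    return install_aggregate(table, "10.10.0.0/16")


if __name__ == "__main__":
    table = kb_example_table()
    for dst in ("10.10.0.5", "10.10.1.25", "192.168.1.1"):
        print(dst, "->", forwarding_decision(table, dst))
    # Exception from the KB: a /17 learned later covers part of the aggregate.
    add_route(table, "10.10.0.0/17", "192.0.2.1")
    print("10.10.64.1 ->", forwarding_decision(table, "10.10.64.1"))
    print("10.10.200.1 ->", forwarding_decision(table, "10.10.200.1"))
    # The post's NAT-pool case: no real route, only the aggregate's discard route.
    nat = install_aggregate(make_table({"0.0.0.0/0": "203.0.113.1"}), "144.122.122.0/24")
    print("RIB-OUT:", rib_out(nat))
    print("RIB-OUT with export deny:", rib_out(nat, export_deny=["144.122.122.0/24"]))
```

Running the script shows why the KB calls the discard route an efficiency mechanism: without the aggregate, 10.10.1.25 would be forwarded out the default route; with it, the packet is dropped locally, while 10.10.0.5 still follows the learned /24 and 10.10.64.1 follows the /17 once it appears.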