Tuesday, August 30, 2022

null-routing for PANOS using goBGPD

Someone asked me to explain how to use gobgpd with Palo Alto firewalls, based on this previous blog post:

http://socpuppet.blogspot.com/2022/03/gogogo-gobpd-for-rtbh-injection.html


PANOS has a few pieces that you need to configure.


First, you need to set up a BGP peer in the VR instance (default in my case). Make sure to enable the peer and enable installing the routes.




 


It's best to set up an import policy (optional), so you can set the next-hop, weight, and local-pref.





For the next-hop to point to null, you need a discard route installed.

Make sure you check the logs and the RIB table.





For goBGP the configuration is still simple.


[global.config]
    as = 2
    router-id = "0.0.0.2"
    port = 179

[[mrt-dump]]
    [mrt-dump.config]
       # dump-type = "updates"
       # file-name = "/home/gobgpd/dump.dump"
       # dump-interval = 180
       # rotation-interval = 28800

[[neighbors]]
    [neighbors.config]
        peer-as = 1
        # auth-password = "password"
        neighbor-address = "198.206.234.255"
        local-as = 2

For route injection, we will use the typical gobgp global rib command:



# ip.list is our IPv4 list of harvested /32s that are to be dropped
# this list can be populated from loggers and parsers, SIEM output, or manually created
for p in $(cat ip.list); do
    gobgp global rib add "$p/32" community 1:999
done


We are sending BGP community 1:999, which the import policy uses to set the local-pref and to set the next-hop to the discard route.
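Anything in ip.list becomes a discard route on the firewall, so the list is worth vetting before injection. The following is an added example, not part of the original post: it keeps only well-formed IPv4 hosts, drops duplicates, refuses addresses in a protected list, and prints the gobgp commands instead of running them. The function names, the PROTECTED variable and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: vet a blocklist before it becomes RTBH routes.
# PROTECTED (assumed name) lists addresses that must never be null-routed;
# here it holds the BGP neighbor address from the gobgpd config.
PROTECTED="198.206.234.255"
COMMUNITY="1:999"

# is_ipv4 ADDR: succeed only for a plain dotted quad, octets 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;   # rejects prefixes such as 0.0.0.0/0
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac   # leading zero: ambiguous parsing
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rtbh_cmds: read candidate hosts on stdin, print one gobgp command per
# valid, unprotected, unique host. Rejects go to stderr; nothing is executed.
rtbh_cmds() {
    seen=" "
    while IFS= read -r line || [ -n "$line" ]; do
        ip=$(printf '%s' "$line" | tr -d ' \t\r')
        case "$ip" in ""|"#"*) continue ;; esac
        if ! is_ipv4 "$ip"; then
            echo "skip (not an IPv4 host): $ip" >&2; continue
        fi
        case " $PROTECTED " in *" $ip "*)
            echo "skip (protected): $ip" >&2; continue ;;
        esac
        case "$seen" in *" $ip "*) continue ;; esac
        seen="$seen$ip "
        echo "gobgp global rib add $ip/32 community $COMMUNITY"
    done
}

# Constructed sample list: documentation addresses plus deliberately bad lines.
sample_list() {
    printf '%s\n' '# from siem' '203.0.113.7' '198.51.100.300' '0.0.0.0/0' \
        '198.206.234.255' '203.0.113.7' ' 192.0.2.44 '
}
sample_list | rtbh_cmds
```

Once the printed commands have been reviewed, the same function can feed the real list with `rtbh_cmds < ip.list | sh` on the gobgpd host.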





NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

         o

      /      \