04-04-2025 02:35 PM
Hello,
Im testing out Palo Alto SD-WAN with Panorama and am using BGP with Auto-VPN.
Because Panorama is pushing the BGP configuration in the background autonomously, im not able to see that config in Panorama, but it reaches the firewall and all is working.
However, some of the sites, I don't want to redistribute some subnets (guest networks), or may want to redistribute only a summary. It seems populating the 'Prefixes to redistribute' on the SD-WAN device, is in addition to all connected routes.
Is it possible to prevent or filter these? This seems like a really simple control that should be easy to find.
Also, because the SD-WAN plugin puts the export BGP policies right at the top, adding a BGP export rule to deny the routes falls after the auto-generated ones on both the Branches and the Hubs, so I can't control it this way.
Its not feasible to put the interfaces into a separate VR on the Branch because they need to use the internet links that are in the SD-WAN enabled VR and it seems messy doing that and using next-vr routes to still make that work. I also want these interfaces to be able to use DIA via SD-WAN, just not be advertised to the hubs (they are guest networks).
Anything that I can do?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
