[PaloAlto] How to configure a static route

Firewall (UTM)

Tested environment

  • PA-200
    • Version 8.1.19

About Virtual Routers

A virtual router is a logical router that resides inside the Palo Alto firewall.

By default there is a virtual router named default. You can create multiple virtual routers.

An L3 interface on the Palo Alto firewall must be associated with a virtual router before it can forward traffic, but by default no interface belongs to the virtual router named default.

The routing configuration is performed for each virtual router.

Configure a static route

Display the virtual router setting screen

Click default on the Network > Virtual Routers screen.

Associate an interface with a virtual router

The virtual router settings screen is displayed. First, select the interface to be associated with the virtual router.

Click Add on the General tab of the Router Settings screen and select an interface from the list that appears.

Confirm that the interface has been added.

Add static route

Click Add on the Static Routes screen.

The following static route setting screen is displayed.

  • Name
    • Enter a name that identifies the static route
  • Destination
    • Enter the destination network
  • Next Hop
    • Set Type to IP Address and enter the next-hop address
  • Other items
    • Change as needed

Click OK when you have finished setting each item.

Confirm that the static route has been added on the Static Routes screen and click OK.

This completes the static route setting.

Configure static routes with CLI

If you configure the route exactly as in the GUI example above, the resulting CLI configuration is as follows (path monitoring is disabled, matching the GUI example).

set network virtual-router default routing-table ip static-route Default-Route path-monitor enable no
set network virtual-router default routing-table ip static-route Default-Route path-monitor failure-condition any
set network virtual-router default routing-table ip static-route Default-Route path-monitor hold-time 2
set network virtual-router default routing-table ip static-route Default-Route nexthop ip-address 10.1.0.254
set network virtual-router default routing-table ip static-route Default-Route metric 10
set network virtual-router default routing-table ip static-route Default-Route destination 0.0.0.0/0
set network virtual-router default routing-table ip static-route Default-Route route-table unicast 
set network virtual-router default interface ethernet1/1

Interface settings

set network virtual-router <virtual-router name> interface <interface list>

#e.g.1
set network virtual-router default interface ethernet1/1

#e.g.2
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ]

Static route configuration

Destination

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> destination <destination>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route destination 0.0.0.0/0

Interface

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> interface <interface name>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route interface ethernet1/1

Next Hop

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> nexthop ip-address <nexthop ip-address>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route nexthop ip-address 10.1.0.254

Admin Distance

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> admin-dist <10-240>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route admin-dist 10

Metric

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> metric <1-65535>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route metric 10

Route Table

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> route-table <value>

----value choices-----
  both         Install route into both unicast and multicast routing table
  multicast    Install route into multicast routing table, this will create multicast routing table if not exists
  no-install   Do not install route into forwarding table
  unicast      Install route into unicast routing table

#e.g.
set network virtual-router default routing-table ip static-route Default-Route route-table unicast

Path Monitoring

Enabling Path Monitor

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> path-monitor enable <yes | no>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route path-monitor enable yes

Failure Condition

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> path-monitor failure-condition <all | any>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route path-monitor failure-condition any

Preemptive Hold Time (min)

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> path-monitor hold-time <0-1440>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route path-monitor hold-time 2

Monitor Destinations

• Enable

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> path-monitor monitor-destinations <destination name> enable <yes | no>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route path-monitor monitor-destinations sample-dest enable yes

• Source IP

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> path-monitor monitor-destinations <destination name> source <IP address>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route path-monitor monitor-destinations sample-dest source 10.1.0.1/24

• Destination IP

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> path-monitor monitor-destinations <destination name> destination <address-object name>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route path-monitor monitor-destinations sample-dest destination IP_10.1.0.100_32

• Ping Interval (sec)

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> path-monitor monitor-destinations <destination name> interval <1-60>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route path-monitor monitor-destinations sample-dest interval 3

• Ping Count

set network virtual-router <virtual-router name> routing-table ip static-route <Static-Route name> path-monitor monitor-destinations <destination name> count <3-10>

#e.g.
set network virtual-router default routing-table ip static-route Default-Route path-monitor monitor-destinations sample-dest count 5
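The following script is an added example (not from the original article or from Palo Alto Networks) that builds the set commands listed in the CLI reference above for one static route and rejects values outside the ranges the reference gives (admin-dist 10-240, metric 1-65535, hold-time 0-1440, route-table choices), so a typo is caught before anything is pasted into the firewall. The parameter names and defaults of static_route_commands are assumptions made here.

```python
import ipaddress

ROUTE_TABLES = ("both", "multicast", "no-install", "unicast")


def _check_range(label, value, lo, hi):
    # Reject out-of-range values before the commands reach the firewall.
    if not lo <= value <= hi:
        raise ValueError(f"{label} must be {lo}-{hi}, got {value}")


def static_route_commands(name, destination, nexthop, interface, vr="default",
                          metric=10, admin_dist=None, route_table="unicast",
                          path_monitor=False, failure_condition="any",
                          hold_time=2):
    """Return the PAN-OS 'set' lines for one static route on virtual router vr."""
    # strict=True rejects a destination with host bits set (e.g. 10.1.0.1/24).
    ipaddress.ip_network(destination, strict=True)
    ipaddress.ip_address(nexthop)
    _check_range("metric", metric, 1, 65535)
    _check_range("hold-time", hold_time, 0, 1440)
    if admin_dist is not None:
        _check_range("admin-dist", admin_dist, 10, 240)
    if route_table not in ROUTE_TABLES:
        raise ValueError(f"route-table must be one of {ROUTE_TABLES}")
    if failure_condition not in ("all", "any"):
        raise ValueError("failure-condition must be 'all' or 'any'")

    prefix = f"set network virtual-router {vr} routing-table ip static-route {name}"
    lines = [
        f"{prefix} path-monitor enable {'yes' if path_monitor else 'no'}",
        f"{prefix} path-monitor failure-condition {failure_condition}",
        f"{prefix} path-monitor hold-time {hold_time}",
        f"{prefix} nexthop ip-address {nexthop}",
        f"{prefix} metric {metric}",
        f"{prefix} destination {destination}",
        f"{prefix} route-table {route_table}",
    ]
    if admin_dist is not None:
        lines.append(f"{prefix} admin-dist {admin_dist}")
    # The egress interface must belong to the virtual router for the route to be usable.
    lines.append(f"set network virtual-router {vr} interface {interface}")
    return lines


if __name__ == "__main__":
    # Same parameters as the GUI example in the article.
    print("\n".join(static_route_commands("Default-Route", "0.0.0.0/0",
                                          "10.1.0.254", "ethernet1/1")))
```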

Routing table check command

show routing route

admin@PA-200> show routing route

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast


VIRTUAL ROUTER: default (id 1)
  ==========
destination                                 nexthop                                 metric flags      age   interface          next-AS
0.0.0.0/0                                   10.1.0.254                              10     A S              ethernet1/1
10.1.0.0/24                                 10.1.0.1                                0      A C              ethernet1/1
10.1.0.1/32                                 0.0.0.0                                 0      A H
total routes shown: 3
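As an added example (not part of the original article), the parser below reads the show routing route output in the layout shown above and checks that the expected static route is both installed and active (flags A and S) with the intended next hop and interface, which is the post-change verification a practitioner would script. The sample output is constructed here to mirror the article's table; column spacing is assumed to be arbitrary, so the parser splits on whitespace rather than fixed widths.

```python
import re

# Constructed sample in the layout of 'show routing route' shown above.
SAMPLE_OUTPUT = """\
VIRTUAL ROUTER: default (id 1)
  ==========
destination      nexthop       metric flags   age   interface    next-AS
0.0.0.0/0        10.1.0.254    10     A S           ethernet1/1
10.1.0.0/24      10.1.0.1      0      A C           ethernet1/1
10.1.0.1/32      0.0.0.0       0      A H
total routes shown: 3
"""

# Flag tokens from the command's own legend.
FLAG_TOKENS = {"A", "?", "C", "H", "S", "~", "R", "O", "B",
               "Oi", "Oo", "O1", "O2", "E", "M"}
VR_RE = re.compile(r"^VIRTUAL ROUTER:\s+(\S+)")
# A route line starts with a prefix, then next hop, then a numeric metric.
ROUTE_RE = re.compile(r"^(\S+/\d{1,3})\s+(\S+)\s+(\d+)\s*(.*)$")


def parse_routes(text):
    """Return one dict per route line, tagged with its virtual router."""
    routes, vr = [], None
    for line in text.splitlines():
        m_vr = VR_RE.match(line)
        if m_vr:
            vr = m_vr.group(1)
            continue
        m = ROUTE_RE.match(line)
        if not m or vr is None:
            continue  # legend, header, separator or summary line
        dest, nexthop, metric, rest = m.groups()
        tokens = rest.split()
        flags = set()
        while tokens and tokens[0] in FLAG_TOKENS:
            flags.add(tokens.pop(0))
        age = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else None
        routes.append({"vr": vr, "destination": dest, "nexthop": nexthop,
                       "metric": int(metric), "flags": flags, "age": age,
                       "interface": tokens[0] if tokens else None})
    return routes


def active_static_route(routes, destination, vr="default"):
    """Return the active (A) static (S) route for destination, or None."""
    for r in routes:
        if r["vr"] == vr and r["destination"] == destination and {"A", "S"} <= r["flags"]:
            return r
    return None


if __name__ == "__main__":
    r = active_static_route(parse_routes(SAMPLE_OUTPUT), "0.0.0.0/0")
    print("default route OK" if r and r["nexthop"] == "10.1.0.254" else "MISSING")
```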

