Static Routing with Path monitoring | Palo Alto Next Generation Firewall Routing

In the last few sections we covered basic beginner configurations of the Palo Alto firewall, so in today's session we will discuss how to configure static routing on Palo Alto, covering the topics below.

• Static Routing in Palo Alto Firewall
• Static route with path monitoring (IP SLA)
• Two ISP link redundancy

Below is the topology: a Cisco LAN switch, the Palo Alto firewall, and Cisco routers on the WAN side. The directly connected subnets on both sides are reachable from the firewall, but the loopbacks on ISP-1 and ISP-2 are not directly connected and are therefore not reachable yet.




Our goal is connectivity between PC-1/2 and the loopbacks of ISP-1/2, making them pingable through static routing.

First I will create two zones and one open-ended policy (allow all traffic, for this lab) on the Palo Alto, then create a static route.



Note that the switch configuration is the default VLAN 1 only; the IP addresses are assigned on the PCs.

 

Let’s start!!


Step-1: Zone Creation

Create a zone named LAN and add port eth1/1 of the Palo Alto firewall; then create a second zone named WAN and add the two WAN-side ports.

 

Below are step-by-step screenshots for reference.






Follow the same steps for the second zone, WAN.


Both zones have now been created, as shown below.





Step-2: Create a Policy


By default the Palo Alto firewall does not allow traffic between different zones, so we need to configure a security policy that allows inter-zone traffic.

Now create a policy named LAN-To-WAN.



















Step-3: Bind interfaces with Zone & Policy

Now add the interfaces to their zones and assign the policy and the default virtual router.

The screenshots below show only the LAN-side interface Eth1/1, which is part of the LAN zone; the same process applies to the WAN ports Eth1/2 and Eth1/3.



From the Network tab, click on Interfaces.




 


Bind the virtual router and the zone.





Assign an IP address to the interface.



 

By default the firewall does not respond to ping on any data-plane port, so we need to create an Interface Management Profile that allows ping (HTTP, SSH, etc. can be enabled in the same profile, but they open management access on that interface, so enable only what you need).









All three interfaces (one in the LAN zone and two in the WAN zone) have been created, as shown below.





Now commit the configuration from the top-right corner and wait a few minutes for it to reach 100%.









After the commit, all interfaces show green.





Now let's try to ping from the LAN PC to the firewall port IP and to the ISP router interface IP addresses.

From PC-1, the firewall LAN port is pingable.




 


From PC-1 the ISP-1 interface IP address is not pingable, because ISP-1 has no return route toward the LAN subnet. To fix this, configure a static route on router ISP-1 toward the LAN.






Configure the static return route on the ISP-1 router.






Now it is pingable.





Now let's try to ping the loopback of ISP-1 from LAN PC-1; it will not be pingable.






So the main target of today's discussion: we need to configure a static route on the Palo Alto firewall toward the loopback of ISP-1.



Static Routing on Palo Alto Firewall














Commit the configuration.

 

Now start pinging




 


Repeat the same steps for the ISP-2 side: configure the static route on the Palo Alto and the return route on the ISP-2 router.



Static Route with Path Monitoring:

Now let's move on to another interesting topic, Static Route with Path Monitoring; in Cisco the equivalent feature is called IP SLA.



Sometimes an ISP uplink is physically up but the internet is not working; path monitoring and IP SLA were introduced to handle exactly this case, since interface state alone cannot detect it.



In this case ISP-1 will be our primary path toward the internet, and if the ISP-1 path goes down, traffic will shift to the backup path via ISP-2.



First we will update our static route configuration on the Palo Alto. Before, it was configured only for the loopback; now it is a default route for the internet (see the screenshot below). Also enable the Path Monitoring section. The primary path keeps the default metric value of 10 and the backup path gets metric 20, since the lower metric value is preferred.



Go to the virtual router, tick the Path Monitoring option, and add a monitored destination.






Here the destination address is the loopback of ISP-1: if this loopback is down or unreachable, traffic shifts to the backup path. Remember that in a production environment the ISP will give you a test IP for checking the path; in our lab we use the loopback instead.






For the backup path only the metric value changes to 20; everything else is almost the same.






Connect the ISP-1 and ISP-2 routers to the internet through the cloud network; the interface toward the cloud gets its IP address through DHCP.






Run the following command under the interface facing the cloud network (do the same on ISP-2):

  ip address dhcp








Now try to ping and trace to the internet (Google DNS 8.8.8.8) from LAN PC-1.

 

Pingable:






Trace toward the ISP-1 path





 


Now let's shut down the loopback of ISP-1; traffic will shift to the backup path, ISP-2.






The monitoring can be configured against the physical interface as well. If the loopback interface has issues, use the physical interface's IP address as the monitored IP.
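As an added example (not code from the original post), the following Python model shows how route selection behaves with the metrics and path monitors configured above: the lowest-metric installed default route wins, a monitored route is withdrawn when its probes fail, and a route that probes both the loopback and the physical interface IP with an "all" failure condition survives a single probe loss. The addresses are constructed placeholders, and the "any"/"all" failure condition is an assumption about how the platform is configured.

```python
# Added example, not code from the original post: a model of how static routes
# with path monitoring select the active default route. Addresses are constructed
# placeholders (RFC 5737 ranges); the "any"/"all" failure condition is an
# assumption about how the platform is configured, not taken from the page.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticRoute:
    name: str
    nexthop: str              # ISP router interface facing the firewall
    metric: int               # lower metric wins: 10 primary, 20 backup
    monitored: tuple          # destination IPs probed by path monitoring
    failure_condition: str = "any"   # "any": withdraw if any probe fails; "all": only if all fail

def route_installed(route: StaticRoute, reachability: dict) -> bool:
    """Decide whether the route stays in the forwarding table for the current probe results."""
    if not route.monitored:               # no path monitoring: route follows interface state only
        return True
    results = [reachability.get(dst, False) for dst in route.monitored]
    return all(results) if route.failure_condition == "any" else any(results)

def select_default_route(routes, reachability: dict) -> Optional[StaticRoute]:
    """Return the lowest-metric default route that path monitoring has not withdrawn."""
    installed = [r for r in routes if route_installed(r, reachability)]
    return min(installed, key=lambda r: r.metric, default=None)

def active_route_name(routes, reachability: dict) -> Optional[str]:
    """Name of the route traffic to 8.8.8.8 would take, or None if every path is withdrawn."""
    route = select_default_route(routes, reachability)
    return route.name if route else None

# Constructed topology matching the post: ISP-1 primary (metric 10), ISP-2 backup (metric 20).
ISP1_LOOPBACK, ISP1_PHYS = "192.0.2.1", "203.0.113.1"
ISP2_LOOPBACK = "198.51.100.1"
ROUTES = (
    StaticRoute("ISP1-Default", "203.0.113.1", 10, (ISP1_LOOPBACK,)),
    StaticRoute("ISP2-Default", "203.0.113.5", 20, (ISP2_LOOPBACK,)),
)
# Primary-route variant that also probes the physical interface IP; it fails over only when both are lost.
ISP1_TWO_PROBES = StaticRoute("ISP1-Default", "203.0.113.1", 10,
                              (ISP1_LOOPBACK, ISP1_PHYS), failure_condition="all")

if __name__ == "__main__":
    healthy = {ISP1_LOOPBACK: True, ISP1_PHYS: True, ISP2_LOOPBACK: True}
    print(active_route_name(ROUTES, healthy))                            # ISP1-Default
    print(active_route_name(ROUTES, {**healthy, ISP1_LOOPBACK: False}))  # ISP2-Default
    print(active_route_name(ROUTES, dict.fromkeys(healthy, False)))      # None: both paths withdrawn
    print(active_route_name((ISP1_TWO_PROBES, ROUTES[1]),
                            {**healthy, ISP1_LOOPBACK: False}))          # ISP1-Default
```

The None case is the one to watch in production: when every monitored path fails, no default route is installed and internet traffic is dropped rather than sent over a possibly working link.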

 



Interview Questions:

• How do you configure static routing on a Palo Alto firewall?
• What is path monitoring in Palo Alto?
• What is the metric value of a static route in Palo Alto?
• From which menu do you configure a static route in Palo Alto?
• Which routing protocols are supported in Palo Alto?


 
