Static Routing with Path monitoring | Palo Alto Next Generation Firewall Routing
In the last few sections we already discussed basic beginner configurations of the Palo Alto firewall, so in today's session we will discuss how to configure static routing on Palo Alto, covering the topics below.
- Static routing in the Palo Alto firewall
- Static route with path monitoring (the Cisco equivalent is IP SLA)
- Two-ISP link redundancy
Below is the topology: a Cisco switch on the LAN side, the Palo Alto firewall, and Cisco routers on the WAN side. Because both sides are directly connected, their subnets are reachable from the firewall, but the loopbacks on ISP-1 and ISP-2 are not directly connected and so are not reachable.
Our target is connectivity between PC-1/PC-2 and the loopbacks of ISP-1/ISP-2, making them pingable through static routing.
First, I will create two zones and one open-ended policy (allow all traffic) in Palo Alto, then create a static route.
Note that the switch uses the default VLAN 1 only; IP addresses are assigned on the PCs.
Let's start!
Step-1: Zone Creation
Create a zone named LAN and add port eth1/1 of the Palo Alto firewall; then create a second zone named WAN and add the two WAN-side ports.
Below are step-by-step screenshots for reference.
The same steps apply for the second zone, WAN.
Both zones have now been created, as shown below.
Step-2: Create a Policy
By default, traffic on the Palo Alto firewall is not allowed between different zones, so we need to configure one policy that allows inter-zone traffic.
Now create a policy named LAN-To-WAN.
Step-3: Bind Interfaces to Zone, Policy and Virtual Router
Now add each interface to its zone and assign the policy and the default virtual router.
The screenshot below shows only one LAN-side interface, Eth1/1, which is part of the LAN zone; the same process applies to ports Eth1/2 and Eth1/3.
From the Network tab, click Interfaces.
Bind the virtual router and zone.
Assign an IP address to the interface.
Because ping is not allowed by default on any port of the firewall, we need to create one interface management profile that allows ping, HTTP, SSH, etc.
All three interfaces, one in the LAN zone and two in the WAN zone, have been created as shown below.
Now commit the configuration from the top right corner and wait a few minutes for it to reach 100%.
After the commit, all interfaces show green.
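The three steps above are done through the web UI in the original post. As an added example (not from the post), the same zone, interface, management-profile, virtual-router and policy configuration expressed as PAN-OS `set` commands; the command structure is assumed from the PAN-OS configuration-mode syntax, and the interface addresses are constructed, since the post's screenshots are not reproduced here:

```cli
# Constructed addressing (assumption, not taken from the post's screenshots):
#   ethernet1/1  LAN            192.168.10.1/24
#   ethernet1/2  toward ISP-1   10.1.1.1/30
#   ethernet1/3  toward ISP-2   10.2.2.1/30
configure

# Step 1: zones. LAN holds eth1/1, WAN holds the two WAN-side ports.
set zone LAN network layer3 ethernet1/1
set zone WAN network layer3 [ ethernet1/2 ethernet1/3 ]

# Step 3: interface management profile so the firewall answers ping/HTTPS/SSH
# on the data ports (ping is blocked on every port until a profile allows it).
set network profiles interface-management-profile Allow-Mgmt ping yes https yes ssh yes

# Step 3: Layer 3 addressing and management-profile binding per interface
set network interface ethernet ethernet1/1 layer3 ip 192.168.10.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow-Mgmt
set network interface ethernet ethernet1/2 layer3 ip 10.1.1.1/30
set network interface ethernet ethernet1/2 layer3 interface-management-profile Allow-Mgmt
set network interface ethernet ethernet1/3 layer3 ip 10.2.2.1/30
set network interface ethernet ethernet1/3 layer3 interface-management-profile Allow-Mgmt

# Step 3: bind all three interfaces to the default virtual router
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]

# Step 2: the open-ended inter-zone policy LAN-To-WAN (allow all, as in the lab)
set rulebase security rules LAN-To-WAN from LAN to WAN source any destination any application any service any action allow

commit
```

The `application any service any` rule reproduces the lab's "allow all" policy; outside a lab, narrow the rule to the applications and services the LAN actually needs, since the zone pair otherwise passes everything, including traffic you would rather inspect or block.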
Now let's try pinging from the LAN PC to the firewall port IP and the ISP router interface IP address.
From PC-1, the firewall LAN port is pingable.
From PC-1, the ISP-1 interface IP address is not pingable, because ISP-1 has no return route toward the LAN subnet; to fix this, configure a static route on router ISP-1 toward the LAN.
Configure the static return route on the ISP-1 router.
Now it is pingable.
Now let's try pinging from LAN PC-1 to the loopback of ISP-1; it will not be pingable.
So, the main target of today's discussion: we need to configure a static route on the Palo Alto firewall toward the loopback of ISP-1.
Static Routing on Palo Alto Firewall
Commit the configuration.
Now start pinging.
Repeat the same steps for the ISP-2 side: configure a static route on the Palo Alto and on the ISP-2 router.
Static Route with Path Monitoring:
Now let's move on to another interesting topic: static route with path monitoring; in Cisco, the same concept is called IP SLA.
Sometimes our ISP uplink is physically up but the internet is not working; path monitoring and IP SLA were introduced to handle this situation.
In this case, ISP-1 will be our primary path toward the internet, and if the ISP-1 path goes down, traffic will shift to the backup path through ISP-2.
First, we will update our static route configuration on the Palo Alto: previously we configured it for the loopback only, but now it is for internet traffic (see the screenshot below). Also enable the path monitoring section. For the primary path keep the default metric value of 10, and for the backup path set a metric value of 20, since the lower metric value is preferred.
Go to the virtual router, then check the path monitoring option and add a monitored destination.
Here, set the destination address to the loopback of ISP-1; this means that if the loopback is down or unreachable, traffic shifts. Remember that in a practical environment the ISP will give you a test IP for checking the path, instead of the loopback used in our case.
For the backup path only the metric value changes to 20; everything else is almost the same.
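As an added example (not the post's own configuration), the CLI form of both route sections above: the /32 routes toward the ISP loopbacks from the "Static Routing on Palo Alto Firewall" section, and the primary and backup internet routes with path monitoring from this section. The `set` syntax is assumed from the PAN-OS static-route and `path-monitor` command structure; route names, next-hop addresses and loopback addresses are constructed, and the internet route is assumed to be a default route (0.0.0.0/0), which the post describes only as "for the internet".

```cli
# Constructed addresses (assumptions): ISP-1 next hop 10.1.1.2, loopback 10.255.1.1
#                                      ISP-2 next hop 10.2.2.2, loopback 10.255.2.2
configure

# Section "Static Routing on Palo Alto Firewall": host routes to each ISP loopback
set network virtual-router default routing-table ip static-route To-ISP1-Loopback destination 10.255.1.1/32 interface ethernet1/2 nexthop ip-address 10.1.1.2 metric 10
set network virtual-router default routing-table ip static-route To-ISP2-Loopback destination 10.255.2.2/32 interface ethernet1/3 nexthop ip-address 10.2.2.2 metric 10

# Primary internet path via ISP-1: default metric 10, path monitoring enabled.
# failure-condition any: the route is withdrawn as soon as one monitored
# destination fails; hold-time 2 (minutes) before a recovered route is reinstalled.
set network virtual-router default routing-table ip static-route Internet-ISP1 destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 10.1.1.2 metric 10
set network virtual-router default routing-table ip static-route Internet-ISP1 path-monitor enable yes failure-condition any hold-time 2
# Probe the ISP-1 loopback from the eth1/2 address: one ICMP ping every 3 s, failed after 5 misses
set network virtual-router default routing-table ip static-route Internet-ISP1 path-monitor monitor-destinations ISP1-Probe enable yes source 10.1.1.1/30 destination 10.255.1.1 interval 3 count 5

# Backup path via ISP-2: same shape, metric 20 so it is only used when ISP-1 is withdrawn
set network virtual-router default routing-table ip static-route Internet-ISP2 destination 0.0.0.0/0 interface ethernet1/3 nexthop ip-address 10.2.2.2 metric 20
set network virtual-router default routing-table ip static-route Internet-ISP2 path-monitor enable yes failure-condition any hold-time 2
set network virtual-router default routing-table ip static-route Internet-ISP2 path-monitor monitor-destinations ISP2-Probe enable yes source 10.2.2.1/30 destination 10.255.2.2 interval 3 count 5

commit

# Operational-mode checks after the commit and after shutting the ISP-1 loopback:
# which default route is installed, and the per-route monitor state
show routing route type static
show routing path-monitor
```

The monitored destination must be reachable only through the path the route uses; in this lab the /32 route to the ISP-1 loopback via ethernet1/2 guarantees that, so a failed probe means the ISP-1 path itself is broken rather than the probe wandering out through ISP-2.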
Connect the ISP-1 and ISP-2 routers to the internet through the cloud network; the interface toward the cloud gets its IP address through DHCP.
Run the `ip address dhcp` command under the interface toward the cloud network. Do the same for ISP-2.
Now try pinging and tracing the internet (Google DNS 8.8.8.8) from LAN PC-1.
Pingable:
Trace toward the ISP-1 path:
Now let's shut down the loopback of ISP-1; traffic will then shift to the backup path through ISP-2.
The monitoring can be configured on a physical interface as well. If loopback interfaces have issues, use the physical interface IP address as the monitored IP.
Interview Questions:
- How do you configure static routing on the Palo Alto firewall?
- What is path monitoring in Palo Alto?
- What is the metric value of a static route in Palo Alto?
- From which option do you configure a static route in Palo Alto?
- Which routing protocols are supported in Palo Alto?