
Static Routing with Path monitoring | Palo Alto Next Generation Firewall Routing

In the last few sections we discussed basic beginner configurations of the Palo Alto firewall, so in today's session we will discuss how to configure static routing on Palo Alto, covering the topics below.

• Static routing in Palo Alto firewall
• Static route with path monitoring (IP SLA)
• Two ISP link redundancy

Below is the topology: a Cisco switch on the LAN side, the Palo Alto firewall, and Cisco routers on the WAN side. Both directly connected subnets are reachable from the firewall, but the loopbacks on ISP-1 and ISP-2 are not directly connected and therefore not reachable.

Our target is connectivity between PC-1/PC-2 and the loopbacks of ISP-1/ISP-2, making them pingable through static routing.

First, I will create two zones and one open-ended policy (allow all traffic) in Palo Alto, then create a static route.



Note that the switch is left on the default VLAN 1 only; just assign an IP address to the PC.

Let's start!!


Step-1: Zone Creation

Create a zone named LAN and add port eth1/1 of the Palo Alto firewall, then create a second zone named WAN and add the two remaining ports (eth1/2 and eth1/3).

Below are step-by-step screenshots for reference.

Repeat the same steps above for the 2nd zone, WAN.

The two zones have now been created.

Step-2: Create a Policy

By default, traffic on the Palo Alto firewall is not allowed between different zones, so we need to configure one policy that allows inter-zone traffic.

Now create a policy named LAN-To-WAN.







Step-3: Bind Interface with Zone & Policy

Now add the interface to its zone and assign the policy and the default virtual router.

The screenshots below show only the LAN-side interface Eth1/1, which is part of the LAN zone; the same process applies to ports Eth1/2 and Eth1/3.



From the Network tab, click on Interfaces.

Bind the virtual router and zone.

Assign an IP address to the interface.

Because by default ping is not allowed on any port of the firewall, we need to create one management profile that allows ping, HTTP, SSH, etc.





All three interfaces, one in the LAN zone and two in the WAN zone, have been created as below.

Now commit the configuration from the top right corner and wait a few minutes for it to complete 100%.





After the commit, all interfaces are green.

Now let's try to ping from the LAN PC to the firewall port IP and the ISP router interface IP address.

From PC-1, the firewall LAN port is pingable.



 


From PC-1, the ISP-1 interface IP address is not pingable, because ISP-1 has no return route toward the LAN subnet; to fix this, configure a static route on router ISP-1 toward the LAN.

Configure the static return route on the ISP-1 router.

Now it is pingable.

Now let's try to ping from LAN PC-1 to the loopback of ISP-1; this will not be pingable.




So, the main target of today's discussion: we need to configure a static route on the Palo Alto firewall toward the loopback of ISP-1.



Static Routing on Palo Alto Firewall

Commit the configurations.

Now start pinging.

Follow the same steps for the ISP-2 side: configure a static route on the Palo Alto and on the ISP-2 router.



Static Route with Path Monitoring:

Now let's move on to another interesting topic, static route with path monitoring; in Cisco the same concept is called IP SLA.

Sometimes an ISP uplink is physically up but the internet is not working; a static route tied only to link state would keep sending traffic into the dead path, and path monitoring and IP SLA were introduced to avoid this issue.

In this case, ISP-1 will be our primary path toward the internet, and if the ISP-1 link goes down then traffic will shift to the backup path, ISP-2.



First we will update our static route configuration on Palo Alto. Before, we configured it for the loopback only; now it is for the internet (i.e. a default route). See the screenshot below and also enable the Path Monitoring section. For the primary path keep the default metric value 10, and for the backup path set metric value 20, as the lower metric value is preferred.

Go to the virtual router, tick the Path Monitoring option and click Add.




Here, the destination address is the loopback of ISP-1, meaning that if this loopback is down or unreachable then traffic shifts. Remember that in a practical environment the ISP will give you one test IP for checking the path, which you would use instead of the loopback in our case.

For the backup path only the metric value changes to 20; everything else is almost the same.




Connect the ISP-1 and ISP-2 routers to the internet through the cloud network; the interface toward the cloud will get its IP address through DHCP.

Run the ip address dhcp command under the interface toward the cloud network. Do the same for ISP-2.






Now try to ping and trace the internet (Google DNS 8.8.8.8) from LAN PC-1.

Pingable:

The trace goes via the ISP-1 path.

Now let's shut down the loopback of ISP-1; traffic will then shift to the backup path, ISP-2.

Monitoring can be configured against the physical interface as well. If the loopback interface has issues, put the physical interface IP address as the monitor IP.
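As an added illustration (not code from the post or from PAN-OS), here is a small Python model of what the virtual router does with the two default routes above: the lower metric wins while both routes are installed, a route whose monitor destination stops answering for ping_count probes is withdrawn so traffic shifts to the backup, and it is re-installed only after the monitor has stayed up for the hold period. The 203.0.113.x addresses, the route names and the probe/hold counts are constructed stand-ins, not values from the post.

```python
import ipaddress
from dataclasses import dataclass
@dataclass
class StaticRoute:
    name: str
    destination: str        # prefix such as "0.0.0.0/0"
    metric: int             # lower wins: 10 for the primary, 20 for the backup, as in the post
    monitor_ip: str = ""    # path-monitor destination (ISP test IP or loopback); "" = unmonitored
    ping_count: int = 5     # consecutive lost probes before the route is withdrawn
    hold_cycles: int = 2    # stand-in for the preemptive hold time before re-installing the route
    failures: int = 0
    successes: int = 0
    installed: bool = True

class VirtualRouter:
    def __init__(self, routes):
        self.routes = list(routes)
    def probe(self, answered):
        """One monitoring cycle; 'answered' is the set of monitor IPs that replied."""
        for r in self.routes:
            if not r.monitor_ip:
                continue
            up = r.monitor_ip in answered
            r.failures = 0 if up else r.failures + 1
            r.successes = r.successes + 1 if up else 0
            if r.failures >= r.ping_count:
                r.installed = False      # withdraw the route; traffic shifts to the backup
            elif not r.installed and r.successes >= r.hold_cycles:
                r.installed = True       # monitor stayed up through the hold: re-install

    def lookup(self, dst):
        """Longest-prefix match over installed routes; lowest metric breaks ties."""
        ip = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if r.installed and ip in ipaddress.ip_network(r.destination)]
        key = lambda r: (-ipaddress.ip_network(r.destination).prefixlen, r.metric)
        return min(hits, key=key).name if hits else None

def failover_demo():
    """Route chosen for 8.8.8.8 before, during and after an ISP-1 outage (203.0.113.x IPs are constructed)."""
    vr = VirtualRouter([StaticRoute("Primary-ISP1", "0.0.0.0/0", 10, monitor_ip="203.0.113.1"),
                        StaticRoute("Backup-ISP2", "0.0.0.0/0", 20, monitor_ip="203.0.113.2"),
                        StaticRoute("ISP1-Loopback", "203.0.113.1/32", 10)])
    before = vr.lookup("8.8.8.8")                  # Primary-ISP1 (metric 10)
    for _ in range(5):                             # ISP-1 loopback stops answering
        vr.probe({"203.0.113.2"})
    during = vr.lookup("8.8.8.8")                  # Backup-ISP2 after five lost probes
    vr.probe({"203.0.113.1", "203.0.113.2"})       # first reply back: still held on the backup
    held = vr.lookup("8.8.8.8")
    vr.probe({"203.0.113.1", "203.0.113.2"})       # hold satisfied: primary re-installed
    return before, during, held, vr.lookup("8.8.8.8")
```

Note that an unmonitored route is never withdrawn by probe(), which is exactly the "link up but internet dead" case the path-monitoring feature exists to fix.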

Interview Questions:

• How do you configure static routing on a Palo Alto firewall?
• What is path monitoring in Palo Alto?
• What is the metric value of a static route in Palo Alto?
• From which option do you configure a static route in Palo Alto?
• Which routing protocols are supported in Palo Alto?
