
Static Routing with Path Monitoring | Palo Alto Next-Generation Firewall Routing

Interview Questions & Answers:

  • How do you configure static routing on a Palo Alto firewall?
  • What is path monitoring in Palo Alto?
  • What is the default metric value of a static route in Palo Alto?
  • From which menu do you configure a static route in Palo Alto?
  • Which routing protocols does Palo Alto support?

In the previous sections we covered the basic beginner configuration of the Palo Alto firewall, so in today's session we will discuss how to configure static routing on Palo Alto, covering the topics below.

  • Static routing on the Palo Alto firewall.
  • Static routes with path monitoring (the Cisco equivalent is IP SLA).
  • Two-ISP link redundancy.

Below is the topology: a Cisco switch on the LAN side, the Palo Alto firewall in the middle, and Cisco routers on the WAN side. The directly connected subnets on both sides are reachable from the firewall, but the loopbacks on ISP-1 and ISP-2 are not directly connected and are therefore not reachable yet.

Our target is connectivity between PC-1/PC-2 and the loopbacks of ISP-1/ISP-2, making them pingable through static routing.

First I will create two zones and one open-ended security policy (allow all traffic) on the Palo Alto, then create the static routes. The allow-all rule keeps the lab simple; in production the rule should be limited to the applications and services the LAN actually needs.

Note: the switch is left at its default configuration (VLAN 1 only); IP addresses are assigned only to the PCs.

Let’s start!!

Step-1: Zone Creation

Create a zone named LAN and add port ethernet1/1 of the Palo Alto firewall to it, then create a second zone named WAN and add the two WAN-facing ports (ethernet1/2 and ethernet1/3).

Below are step-by-step screenshots for reference.

The same steps apply to the second zone, WAN.

Both zones have now been created, as shown below.

Step-2: Create a Policy

By default the Palo Alto firewall does not allow traffic between different zones, so we need to configure a security policy that allows the inter-zone traffic.

Now create a policy named LAN-To-WAN (source zone LAN, destination zone WAN, action allow).

Step-3: Bind Interfaces to the Zone and Virtual Router

Now configure each interface: assign it to its zone (the zone is what the security policy references) and to the default virtual router, and give it an IP address.

The screenshots below show only the LAN-side interface ethernet1/1, which is part of the LAN zone; the same process applies to ports ethernet1/2 and ethernet1/3 in the WAN zone.

From the Network tab click Interfaces, then open the interface.

Bind the virtual router (default) and the zone.

Assign an IP address to the interface.

By default a Palo Alto data-plane interface does not answer ping, so we need to create an interface management profile that permits ping (and, if required, HTTP, SSH, etc.) and attach it to the interface. Enable only what you need: on internet-facing interfaces limit the profile to ping, and never expose HTTP or SSH management there.

All three interfaces, one in the LAN zone and two in the WAN zone, have been created as shown below.

Now commit the configuration from the top right corner and wait a few minutes for it to reach 100%.

After the commit, all interfaces show green.

Now let's try pinging from the LAN PC to the firewall's LAN port IP and to the ISP router interface IPs.

From PC-1, the firewall's LAN port is pingable.

From PC-1, the ISP-1 interface IP is not pingable, because ISP-1 has no return route toward the LAN subnet. To fix this, configure a static route on router ISP-1 pointing the LAN subnet back to the firewall's WAN interface.

Configure the static return route on the ISP-1 router.

Now it is pingable.

Next, try to ping the loopback of ISP-1 from PC-1; it will not be pingable, because the firewall has no route to that loopback.

So the main target of today's discussion: we need to configure a static route on the Palo Alto firewall toward the loopback of ISP-1.

Static Routing on Palo Alto Firewall:

Go to Network > Virtual Routers, open the default virtual router, and under Static Routes add a route with the ISP-1 loopback as the destination, ethernet1/2 as the interface, and the ISP-1 interface IP as the next hop.

Commit the configuration.

Now start pinging again.

Repeat the same steps for the ISP-2 side: the static route on the Palo Alto and the return route on the ISP-2 router.
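The GUI steps above (zones, management profile, interfaces, policy and the two loopback routes), expressed as PAN-OS CLI set commands from configure mode. This is an added example and not configuration from the original post; the addresses (192.168.1.0/24 on the LAN, 10.1.1.0/30 toward ISP-1, 10.2.2.0/30 toward ISP-2, loopbacks 1.1.1.1 and 2.2.2.2) and the object names are assumptions standing in for the values in the screenshots.

```text
# PAN-OS CLI, configure mode. Addresses and object names are assumed for
# illustration; substitute your own.

# Step 1: zones. LAN holds ethernet1/1, WAN holds the two ISP-facing ports.
set zone LAN network layer3 ethernet1/1
set zone WAN network layer3 [ ethernet1/2 ethernet1/3 ]

# Management profile so the data-plane interfaces answer ping.
# Only ping is enabled; do not expose HTTP/SSH management on WAN-facing ports.
set network profiles interface-management-profile Allow-Ping ping yes

# Step 3: Layer 3 interfaces, each with an address and the ping profile,
# all bound to the default virtual router.
set network interface ethernet ethernet1/1 layer3 ip 192.168.1.1/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile Allow-Ping
set network interface ethernet ethernet1/2 layer3 ip 10.1.1.2/30
set network interface ethernet ethernet1/2 layer3 interface-management-profile Allow-Ping
set network interface ethernet ethernet1/3 layer3 ip 10.2.2.2/30
set network interface ethernet ethernet1/3 layer3 interface-management-profile Allow-Ping
set network virtual-router default interface [ ethernet1/1 ethernet1/2 ethernet1/3 ]

# Step 2: one inter-zone rule. any/any allow is for the lab only; in
# production restrict application and service to what the LAN needs.
set rulebase security rules LAN-To-WAN from LAN to WAN source any destination any application any service application-default action allow

# Static routes to the ISP loopbacks: next hop is the directly connected
# router address, egress interface is the port facing that ISP.
set network virtual-router default routing-table ip static-route To-ISP1-Loopback destination 1.1.1.1/32 interface ethernet1/2 nexthop ip-address 10.1.1.1 metric 10
set network virtual-router default routing-table ip static-route To-ISP2-Loopback destination 2.2.2.2/32 interface ethernet1/3 nexthop ip-address 10.2.2.1 metric 10

commit

# The ISP routers still need a return route to 192.168.1.0/24 pointing at
# the firewall (configured on the routers, not shown here).

# Verify from operational mode:
#   show routing route type static
#   test routing fib-lookup virtual-router default ip 1.1.1.1
```

The fib-lookup test shows which interface and next hop the firewall will actually use for the loopback, which is the quickest way to tell a missing route from a missing return route on the ISP side when the ping fails.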

Static Route with Path Monitoring:

Now let's move on to another interesting topic: static routes with path monitoring. In Cisco the same concept is called IP SLA (with object tracking).

Sometimes an ISP uplink is physically up but the internet behind it is not working; a plain static route would keep sending traffic into the dead path. Path monitoring (and IP SLA on Cisco) was introduced to detect this condition and withdraw the route.

In this case ISP-1 will be our primary path toward the internet, and if the ISP-1 path fails, traffic will shift to the backup path through ISP-2.

First we update the static route configuration on the Palo Alto. Previously we configured routes only for the loopbacks; now we add default routes (0.0.0.0/0) for internet traffic, as in the screenshot below, and enable the Path Monitoring section. The primary route keeps the default metric of 10 and the backup route gets metric 20, because the lower metric is preferred.

Go to the virtual router, open the static route, tick the Path Monitoring option and add a monitored destination.

Here the destination address is the loopback of ISP-1: if this loopback becomes unreachable, traffic shifts. In a production environment the ISP will give you a test IP to probe instead of the loopback we use here. Pick a target beyond the ISP's first hop, because probing only the directly connected router detects link failures but not an outage further upstream.

The backup route is configured the same way with ISP-2's values; only the metric is changed to 20.

Connect the ISP-1 and ISP-2 routers to the internet through the cloud network; the interface toward the cloud gets its IP address through DHCP.

Run the command "ip address dhcp" under the interface facing the cloud network. Do the same on ISP-2.

Now try to ping and trace to Google DNS 8.8.8.8 on the internet from LAN PC-1.

Pingable:

The trace goes via the ISP-1 path.

Now shut down the loopback of ISP-1. After the configured number of consecutive missed probes (five by default, sent every three seconds) the firewall withdraws the ISP-1 default route and traffic shifts to the backup path through ISP-2. Once the probes succeed again for the hold time (two minutes by default), the primary route is reinstalled.

The monitored destination can also be a physical interface address. If the loopback interfaces cause problems, use the router's physical interface IP as the monitor IP instead.
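The two-ISP failover described above as PAN-OS CLI set commands from configure mode. This is an added example, not configuration from the original post; the addresses (10.1.1.0/30 toward ISP-1, 10.2.2.0/30 toward ISP-2, loopbacks 1.1.1.1 and 2.2.2.2), the object names and the choice of loopbacks as probe targets are assumptions matching the lab, and the probe interval, count, failure condition and hold time are written out at their PAN-OS default values so the timing is visible.

```text
# PAN-OS CLI, configure mode. Addresses and object names are assumed.

# Pin each probe target to its own ISP path with a host route, so the
# ISP-2 probe is not sent out through ISP-1 while ISP-1 is the active
# default and vice versa (otherwise one probe would be testing the wrong link).
set network virtual-router default routing-table ip static-route To-ISP1-Loopback destination 1.1.1.1/32 interface ethernet1/2 nexthop ip-address 10.1.1.1 metric 10
set network virtual-router default routing-table ip static-route To-ISP2-Loopback destination 2.2.2.2/32 interface ethernet1/3 nexthop ip-address 10.2.2.1 metric 10

# Primary default route via ISP-1, default metric 10.
set network virtual-router default routing-table ip static-route ISP1-Default destination 0.0.0.0/0 interface ethernet1/2 nexthop ip-address 10.1.1.1 metric 10
# Path monitoring: ICMP from the ISP-1-facing interface to the ISP-1 loopback.
# Defaults made explicit: probe every 3 s, 5 consecutive failures = down,
# failure-condition any (one failed destination withdraws the route),
# hold-time 2 minutes of success before a recovered route is reinstalled.
set network virtual-router default routing-table ip static-route ISP1-Default path-monitor enable yes
set network virtual-router default routing-table ip static-route ISP1-Default path-monitor failure-condition any
set network virtual-router default routing-table ip static-route ISP1-Default path-monitor hold-time 2
set network virtual-router default routing-table ip static-route ISP1-Default path-monitor monitor-destinations ISP1-Probe enable yes
set network virtual-router default routing-table ip static-route ISP1-Default path-monitor monitor-destinations ISP1-Probe source 10.1.1.2/30
set network virtual-router default routing-table ip static-route ISP1-Default path-monitor monitor-destinations ISP1-Probe destination 1.1.1.1
set network virtual-router default routing-table ip static-route ISP1-Default path-monitor monitor-destinations ISP1-Probe interval 3
set network virtual-router default routing-table ip static-route ISP1-Default path-monitor monitor-destinations ISP1-Probe count 5

# Backup default route via ISP-2: identical apart from metric 20 and its own probe.
set network virtual-router default routing-table ip static-route ISP2-Default destination 0.0.0.0/0 interface ethernet1/3 nexthop ip-address 10.2.2.1 metric 20
set network virtual-router default routing-table ip static-route ISP2-Default path-monitor enable yes
set network virtual-router default routing-table ip static-route ISP2-Default path-monitor failure-condition any
set network virtual-router default routing-table ip static-route ISP2-Default path-monitor hold-time 2
set network virtual-router default routing-table ip static-route ISP2-Default path-monitor monitor-destinations ISP2-Probe enable yes
set network virtual-router default routing-table ip static-route ISP2-Default path-monitor monitor-destinations ISP2-Probe source 10.2.2.2/30
set network virtual-router default routing-table ip static-route ISP2-Default path-monitor monitor-destinations ISP2-Probe destination 2.2.2.2
set network virtual-router default routing-table ip static-route ISP2-Default path-monitor monitor-destinations ISP2-Probe interval 3
set network virtual-router default routing-table ip static-route ISP2-Default path-monitor monitor-destinations ISP2-Probe count 5

commit

# Operational-mode checks. With both paths healthy only the metric-10 default
# is marked active; after 5 missed probes (about 15 s) it is withdrawn and
# the metric-20 route takes over, which the fib-lookup for 8.8.8.8 shows:
#   show routing path-monitor
#   show routing route type static
#   test routing fib-lookup virtual-router default ip 8.8.8.8
```

Because the failure condition is "any", adding a second monitored destination to a route makes it more sensitive, not more robust; if you want the route to survive one flaky probe target, set failure-condition to all and monitor two independent addresses.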
