Route management is an important configuration task for network administrators who manage firewalls.
If you are using the PaloAlto Firewall, this guide explains how to add static routes from the PAN-OS command line interface and the PaloAlto Firewall console.
1. CLI – show current routes
Before adding a route, display the current static routes in the PAN-OS CLI using the show routing route command, as shown below.
admin@PA-VM> show routing route type static
Flags : A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip,
O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1,
O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 192.168.0.1 10 A S ethernet1/1
total routes shown : 1
As you can see from the result above, it currently has only one default route that directs all traffic to the next hop 192.168.0.1.
In the following examples, we add another default route and two other application-specific routes.
For a related topic, policy management via the CLI, see: 15 Examples of security policy and NAT management in the Palo Alto CLI
2. CLI – Add static default route
To add a static default route, first enter configuration mode, as shown below.
admin@PA-VM> configure
Entering configuration mode
admin@PA-VM#
In configuration mode, run the set network virtual-router command, as shown below, to add a static default route.
set network virtual-router default routing-table ip static-route default interface ethernet1/1 destination 0.0.0.0/0 nexthop ip-address 192.168.102.1
- set network virtual-router default routing-table ip static-route – this indicates that you are adding a static route
- default – this keyword is important and indicates that you are adding a default route.
- interface ethernet1/1 – indicates that the static route is added on interface ethernet1/1.
- destination 0.0.0.0/0 nexthop ip-address 192.168.102.1 – the details of the static route being added: the destination address and the next-hop IP address.
If you run the show routing route type static command after the above command, you still won't see the newly added route until it is committed. However, if you go to the console, you will see the route that is not yet committed.
3. CLI – add additional application-specific static routes
Let's add two more routes: one to the application subnet, called ToAppSubnet, and one to the database subnet, called ToDBSubnet.
The following command adds the application-specific static route ToAppSubnet.
set network virtual-router default routing-table ip static-route ToAppSubnet interface ethernet1/2 destination 192.168.0.0/24 nexthop ip-address 192.168.101.1
- set network virtual-router default routing-table ip static-route – this indicates that you are adding a static route
- ToAppSubnet is the custom name you specify for this particular route.
- interface ethernet1/2 – this means that the static route is added on interface ethernet1/2.
- destination 192.168.0.0/24 nexthop ip-address 192.168.101.1 – the details of the static route being added: the destination address and the next-hop IP address.
In the same way, the following command adds the application-specific static route ToDBSubnet.
set network virtual-router default routing-table ip static-route ToDBSubnet interface ethernet1/2 destination 192.167.0.0/24 nexthop ip-address 192.168.101.1
4. CLI – Commit static routes
After adding the static routes, remember to run the commit command, as shown below, to apply the changes.
# commit
Commit job 2 is in progress. Use Ctrl+C to return to command prompt
......100%
Configuration committed successfully
Note: You may receive warnings like the following.
Static route Default next hop IP 192.168.102.1 not in subnet of outgoing interface ethernet1/1
(Module: routed)
Static route ToAppSubnet next hop IP 192.168.101.1 not in subnet of outgoing interface ethernet1/2
(Module: routed)
Static route ToDBSubnet next hop IP 192.168.101.1 not in subnet of outgoing interface ethernet1/2
(Module: routed)
Warning: No valid threat Package Contents
Warning: There is no valid antivirus content package
(module: device).
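The commit warnings above can be caught before the commit. The following Python check is an added example, not part of the original article and not a Palo Alto tool: it parses the three set commands from this page and flags next hops that fall outside the outgoing interface's subnet, plus destinations that duplicate an installed route. The interface addresses are constructed for the example (the page does not list them), and parse_routes and lint_routes are hypothetical helper names.

```python
import ipaddress
import re
from collections import defaultdict

# The three static-route commands from this page, in PAN-OS set-command form.
CANDIDATE = """\
set network virtual-router default routing-table ip static-route default interface ethernet1/1 destination 0.0.0.0/0 nexthop ip-address 192.168.102.1
set network virtual-router default routing-table ip static-route ToAppSubnet interface ethernet1/2 destination 192.168.0.0/24 nexthop ip-address 192.168.101.1
set network virtual-router default routing-table ip static-route ToDBSubnet interface ethernet1/2 destination 192.167.0.0/24 nexthop ip-address 192.168.101.1
"""

# Constructed interface addresses (assumption: the page does not list them).
INTERFACES = {"ethernet1/1": "192.168.0.10/24", "ethernet1/2": "10.0.2.10/24"}

# Route already installed before the change: (virtual router, destination).
EXISTING = [("default", "0.0.0.0/0")]

ROUTE_RE = re.compile(
    r"^set network virtual-router (?P<vr>\S+) routing-table ip static-route (?P<name>\S+)"
    r" interface (?P<ifname>\S+) destination (?P<dest>\S+) nexthop ip-address (?P<nh>\S+)$"
)

def parse_routes(text):
    """Return one dict per static-route line; raise on anything unparseable."""
    routes = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ROUTE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised route command: {line}")
        routes.append(m.groupdict())
    return routes

def lint_routes(routes, interfaces, existing=()):
    """Return (route name, finding) pairs for risky static routes."""
    findings, seen = [], defaultdict(list)
    for vr, dest in existing:
        seen[(vr, ipaddress.ip_network(dest))].append("(installed)")
    for r in routes:
        key = (r["vr"], ipaddress.ip_network(r["dest"]))
        addr = interfaces.get(r["ifname"])
        if addr is None:
            findings.append((r["name"], "unknown-interface"))
        elif ipaddress.ip_address(r["nh"]) not in ipaddress.ip_interface(addr).network:
            findings.append((r["name"], "nexthop-off-subnet"))
        if seen[key]:  # same destination already routed in this virtual router
            findings.append((r["name"], "duplicate-destination"))
        seen[key].append(r["name"])
    return findings
```

Calling lint_routes(parse_routes(CANDIDATE), INTERFACES, EXISTING) reports an off-subnet next hop for all three routes and a duplicate destination for the second 0.0.0.0/0 route.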
5. CLI – Display routes after the commit
Now if you run the show routing route command, you will see the 3 new routes we just added, as shown below.
admin@PA-VM> show routing route type static
Flags : A:active, ?:loose, C:connect, H:host, S:static, ~:internal,
R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area,
O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: default (id 1)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 192.168.0.1 10 S ethernet1/1
0.0.0.0/0 192.168.102.1 10 A S ethernet1/1
192.167.0.0/24 192.168.101.1 10 A S ethernet1/2
192.168.0.0/24 192.168.101.1 10 A S ethernet1/2
total routes shown : 4
6. Console – view current routes
To view the current routes from the console, click the Network tab at the top, click Virtual Routers in the sidebar, and click default in the Name column, as shown below.
A pop-up window opens for the default virtual router. In this window, click Static Routes in the sidebar. It currently has no custom static routes, as shown below.
To update your software, see: 5 steps to update PaloAlto PAN-OS firewall software via CLI or console
7. Console – add additional application-specific static routes
To add application-specific static routes: Network tab – Virtual Routers – default – Static Routes – IPv4 tab – click the Add button at the bottom of the empty table (see the figure in the previous example).
The Static Route pop-up window opens as shown below. Enter the name (ToAppSubnet), destination, interface (select ethernet1/2), next hop (select IP Address from the drop-down list) and IP address as shown below.
Follow the same steps as above to add the default route and the ToDBSubnet static route.
8. Console – view and commit new routes
After adding the new static routes, go to the Network tab – Virtual Routers – the Configuration column for the default router will show Static Routes: 3
Click default under the Name column – Static Routes in the sidebar – click the IPv4 tab. This will show the three new static routes we just added, as shown below. Once you've checked the new routes and everything looks good, make sure you commit the changes from the console.