Dynamic Routing and Administrative Distance in Palo Alto Networks Firewalls

Overview

Palo Alto Networks firewalls support various dynamic routing protocols to facilitate efficient and scalable network routing. Understanding how these protocols operate and how the firewall selects the best route using administrative distance is crucial for optimal network performance.

Supported Dynamic Routing Protocols

• OSPFv2 and OSPFv3 : Open Shortest Path First protocols for IPv4 and IPv6 networks, respectively.
• BGP : Border Gateway Protocol for routing between autonomous systems.
• RIP : Routing Information Protocol for simpler, smaller networks.

These protocols can be configured using the Advanced Routing Engine introduced in PAN-OS 10.2, which offers an industry-standard configuration methodology and supports features like profile-based filtering and route redistribution.

Administrative Distance

Administrative Distance (AD) is a value that routers use to select the best path when there are multiple routes to the same destination from different routing protocols. The route with the lowest AD is preferred.

Default AD values in Palo Alto Networks firewalls:

• Connected interfaces : 0
• Static routes : 10
• OSPF internal : 30
• OSPF external : 110
• RIP : 120
• eBGP : 20
• iBGP : 200

These values can be adjusted to influence route selection according to network design requirements.

Route Selection Process

When multiple routes to the same destination exist, the firewall selects the best route based on the following criteria:

1. Longest Prefix Match : The route with the most specific match to the destination IP address is preferred.
2. Lowest Administrative Distance : Among routes with the same prefix length, the one with the lowest AD is chosen.
3. Lowest Metric : If multiple routes have the same prefix length and AD, the route with the lowest metric (cost) is selected.

Bidirectional Forwarding Detection (BFD)

BFD is a protocol used to detect faults in the path between two forwarding engines. Palo Alto Networks firewalls support BFD for the following dynamic routing protocols:

• BGP
• OSPF
• RIP

Implementing BFD allows for rapid detection of path failures, enabling faster convergence and improved network stability.

Advanced Routing Engine

The Advanced Routing Engine in PAN-OS 10.2 and later provides enhanced routing capabilities, including:

• Support for logical routers instead of traditional virtual routers.
• Profile-based filtering lists and conditional route maps.
• Improved route redistribution across multiple protocols.

This engine simplifies routing configurations and aligns with industry-standard practices.

References

• Advanced Routing - Palo Alto Networks
• BFD for Dynamic Routing Protocols - Palo Alto Networks
• Static Route Overview - Palo Alto Networks