Path Monitoring in Palo Alto Networks Firewalls
Overview
Path Monitoring is a feature in Palo Alto Networks firewalls that enables the device to verify the reachability of specified IP addresses by sending ICMP pings. If the monitored destinations become unreachable based on defined criteria, the firewall can take corrective actions such as removing static routes or triggering High Availability (HA) failover.
Usage with Static Routes
When configured with static routes, Path Monitoring allows the firewall to monitor the availability of the next-hop path. If the monitored destination becomes unreachable:
- The associated static route is removed from the Routing Information Base (RIB) and Forwarding Information Base (FIB).
- A backup route with a higher metric can be installed, ensuring continued connectivity.
This mechanism is particularly useful in scenarios with multiple ISPs, where the firewall can switch to a secondary ISP if the primary path fails.
Path Monitoring with Multiple Destinations
Overview: Path Monitoring in Palo Alto Networks firewalls allows for the monitoring of multiple destination IP addresses to assess the health of a network path. By configuring multiple destinations, the firewall can make more informed decisions about route availability, especially in complex network environments.
Configuration Steps:
- Navigate to Network > Virtual Routers and select the appropriate virtual router.
- Go to Static Routes and select the static route you wish to monitor.
- Enable Path Monitoring for the selected route.
- Add up to eight Monitored Destinations. For each destination:
  - Specify a Name.
  - Enter the Destination IP address to monitor.
  - Select the appropriate Source IP for the ICMP pings.
  - Set the Ping Interval and Ping Count as needed.
- Define the Failure Condition:
  - Any: The route is considered down if any one of the monitored destinations is unreachable.
  - All: The route is considered down only if all monitored destinations are unreachable.
- Optionally, set the Preemptive Hold Time to delay reinstating the route after recovery.
- Commit the configuration changes.
Best Practices:
- Choose reliable and geographically diverse IP addresses for monitoring to reduce false positives.
- Use the All failure condition to prevent unnecessary route removal due to transient issues affecting a single destination.
- Regularly review and update monitored destinations to ensure their continued reliability.
Path Monitoring Timers and Active/Active HA Considerations
Path Monitoring Timers
Path Monitoring utilizes ICMP pings to assess the reachability of specified destinations. The behavior of Path Monitoring is governed by the following timers:
- Ping Interval: Determines how frequently ICMP pings are sent to the monitored destination. Configurable between 1 and 60 seconds; the default is 3 seconds.
- Ping Count: Specifies the number of consecutive failed pings before the path is considered down. Configurable between 3 and 10; the default is 5.
- Preemptive Hold Time: Defines the duration (in minutes) the firewall waits after a previously downed path becomes reachable before reinstating the associated static route. Configurable between 0 and 1,440 minutes; the default is 2 minutes.
For instance, with default settings, if five consecutive pings (sent every 3 seconds) fail, the path is deemed down after 15 seconds. Once the path is reachable again, the firewall waits for 2 minutes before re-adding the static route.
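The failure-condition logic from the configuration steps and the timer arithmetic above, modelled together in Python. This is an added illustration written for this page, not PAN-OS code; the class and function names are assumed, and the model only reproduces the documented semantics (consecutive-failure detection, Any/All, preemptive hold).

```python
"""Model of static-route Path Monitoring: per-destination consecutive-failure
detection, Any/All failure condition and the preemptive hold timer.
Constructed model for illustration; defaults follow the documented values
(3 s interval, 5 pings, 2 min hold)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Destination:
    name: str
    ping_interval: int = 3   # seconds between ICMP probes
    ping_count: int = 5      # consecutive failures before the path is down
    failures: int = 0
    down: bool = False

    def record(self, reply: bool) -> None:
        # One reply clears the streak; "down" needs ping_count timeouts in a row.
        self.failures = 0 if reply else self.failures + 1
        self.down = self.failures >= self.ping_count

    def time_to_detect(self) -> int:
        # Seconds from the first lost probe until the destination is declared down.
        return self.ping_interval * self.ping_count


@dataclass
class MonitoredRoute:
    destinations: List[Destination]
    failure_condition: str = "any"     # "any" or "all"
    preemptive_hold_min: int = 2
    installed: bool = True
    recovered_at: Optional[float] = None

    def path_down(self) -> bool:
        states = [d.down for d in self.destinations]
        return any(states) if self.failure_condition == "any" else all(states)

    def evaluate(self, now_s: float) -> bool:
        """Run one monitoring cycle at time now_s; return whether the route is in the RIB/FIB."""
        if self.path_down():
            self.installed = False       # route withdrawn from RIB/FIB
            self.recovered_at = None     # any running hold timer is cancelled
        elif not self.installed:
            if self.recovered_at is None:
                self.recovered_at = now_s  # path is back: start the hold timer
            if now_s - self.recovered_at >= self.preemptive_hold_min * 60:
                self.installed = True    # hold time elapsed: reinstate route
        return self.installed
```

With a 3 s interval and a count of 5, `time_to_detect()` gives the 15 s in the worked example; the route is only reinstated once the hold timer has run its full 2 minutes without a fresh failure.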
Path Monitoring in Active/Active HA Configurations
In Active/Active HA setups, both firewalls actively process traffic and can independently perform Path Monitoring. Key considerations include:
- Independent Monitoring: Each firewall must have Path Monitoring configured separately, as HA settings under the Device tab are not synchronized automatically.
- Failure Detection: If a monitored path fails on one firewall, it can trigger a failover or route removal based on the configuration, without affecting the peer firewall.
- Consistency: Ensure that both firewalls monitor the same critical paths to maintain consistent failover behavior.
Proper configuration ensures that each firewall can make informed decisions about path availability, enhancing the resilience of the Active/Active HA deployment.
Application in High Availability (HA) Failover
In HA configurations, Path Monitoring can be used to monitor critical network paths. If the active firewall detects that a monitored path is down:
- It can trigger a failover, promoting the passive firewall to active status.
- This ensures minimal disruption in network services.
It's important to configure Path Monitoring carefully to avoid unnecessary failovers due to transient network issues.
Considerations and Caveats for HA
- Passive Firewall Limitations: In Active/Passive HA setups, the passive firewall does not send ICMP pings. Therefore, Path Monitoring is only performed by the active firewall.
- Preemptive Behavior: If preemption is enabled, the original active firewall can resume its role once the monitored path is restored and stable, based on the configured hold time.
- Monitoring Reliable Destinations: Ensure that the IP addresses used for monitoring are stable and unlikely to be affected by routine maintenance or transient issues.
Maintaining VPN Tunnel Stability
For IPSec VPN tunnels, Path Monitoring (often referred to as Tunnel Monitoring) helps maintain tunnel stability by:
- Sending periodic pings to a remote IP address through the tunnel.
- Keeping the tunnel active even during periods of low or no traffic.
- Detecting tunnel failures promptly, allowing for quicker recovery or failover to backup tunnels.
Proper configuration of Tunnel Monitoring ensures consistent VPN connectivity and reduces the risk of unexpected downtime.