Path Monitoring in Palo Alto Networks Firewalls
Overview
Path Monitoring is a feature on Palo Alto Networks firewalls designed to verify the reachability and health of network paths. It achieves this by sending regular ICMP pings to one or more specified destination IP addresses. Based on the success or failure of these probes according to configured thresholds, the firewall can take automated actions to maintain network connectivity.
The primary applications are enhancing the reliability of Static Routes and triggering High Availability (HA) failover based on external path conditions rather than just device or link status.
Usage with Static Routes
Network > Virtual Routers > [VR Name] > Static Routes > [Route Name] > Path Monitoring
When Path Monitoring is enabled for a static route, the firewall monitors the reachability of configured destinations relevant to that route's path (often the next-hop gateway itself, or reliable IPs beyond it).
If the monitored destination(s) become unreachable based on the failure criteria:
- The monitored static route is dynamically removed from the firewall's Routing Information Base (RIB) and Forwarding Information Base (FIB).
- This removal allows a backup static route (pointing to an alternate path/ISP) with a higher Administrative Distance (AD) or metric, if configured, to become active in the RIB/FIB.
- This provides automatic failover for outbound traffic relying on static routing, commonly used in multi-ISP scenarios.
Path Monitoring with Multiple Destinations
You can configure a Path Monitoring profile (associated with a static route or HA) to monitor up to eight destination IP addresses simultaneously. This enhances reliability compared to monitoring a single IP.
Configuration Steps:
(As described previously, configured under Static Route or HA Monitoring settings)
- Enable Path Monitoring.
- Add Monitored Destinations (Name, Destination IP, Source IP, Ping Interval, Ping Count).
- Define the Failure Condition:
  - Any: The path is considered down if at least one monitored destination becomes unreachable. This is more sensitive to failure but could trigger on isolated issues.
  - All: The path is considered down only if all monitored destinations become unreachable simultaneously. This provides more redundancy against single target failures but requires complete path failure to trigger.
- Configure optional Preemptive Hold Time.
Best Practices:
- Choose reliable targets (e.g., stable public DNS servers like 8.8.8.8, 1.1.1.1, provider gateways) that are independent of each other.
- Using the All failure condition is generally recommended for path redundancy checks to avoid failover due to a single monitored target having issues. Use Any if reachability to *any* specific critical resource defines path health.
- Ensure the Source IP used for pinging is appropriate for the path being monitored.
Path Monitoring Timers and Failure Detection
Path Monitoring Timers
- Ping Interval: Frequency of ICMP pings (Default: 3 seconds).
- Ping Count: Number of consecutive failed pings to declare a path down (Default: 5).
- Failure Detection Time (Default): Interval * Count = 3s * 5 = 15 seconds.
- Preemptive Hold Time: Delay (in minutes) before reinstating a recovered route (Default: 2 minutes). This prevents route flapping if the path is unstable. A value of 0 reinstates immediately.
Path Recovery
Once a path marked as down starts successfully responding to pings again (typically after one successful ping), the firewall considers it potentially recovered. However, if a `Preemptive Hold Time` is configured, the firewall waits for this duration with the path consistently up before reinstating the original route or reversing the HA failover trigger condition. This ensures the path is stable before switching back.
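The following simulation is an added example, not Palo Alto Networks code: it models how the Any/All failure condition, ping count and preemptive hold time described above combine to decide whether a monitored static route stays installed. The class and function names, and the assumption that one successful reply resets a destination's failure counter, are mine.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Destination:
    """One monitored destination and its probe state (constructed model)."""
    name: str
    consecutive_failures: int = 0
    down: bool = False

@dataclass
class PathMonitor:
    """Assumed decision logic: a destination is down after `ping_count`
    consecutive lost pings; the path is down per the Any/All failure
    condition; a recovered route is reinstated only after `hold_time_min`
    minutes of continuous path-up time (0 = immediately)."""
    destinations: list
    failure_condition: str = "all"      # "any" or "all"
    ping_interval: int = 3              # seconds (page default)
    ping_count: int = 5                 # probes (page default)
    hold_time_min: int = 2              # minutes (page default)
    route_installed: bool = True
    up_since: Optional[float] = None    # time the path came back up

    def failure_detection_time(self) -> int:
        return self.ping_interval * self.ping_count   # 3 s * 5 = 15 s

    def path_down(self) -> bool:
        states = [d.down for d in self.destinations]
        return any(states) if self.failure_condition == "any" else all(states)

    def tick(self, replies: dict, now: float) -> bool:
        """Apply one probe round (name -> reply received) at time `now` in
        seconds; return whether the route is installed afterwards."""
        for d in self.destinations:
            if replies.get(d.name, False):
                d.consecutive_failures, d.down = 0, False
            else:
                d.consecutive_failures += 1
                d.down = d.consecutive_failures >= self.ping_count
        if self.path_down():
            self.route_installed, self.up_since = False, None
        elif not self.route_installed:
            self.up_since = now if self.up_since is None else self.up_since
            if now - self.up_since >= self.hold_time_min * 60:
                self.route_installed = True
        return self.route_installed

def simulate(condition, names, rounds, hold_time_min=2):
    """Feed constructed probe rounds through a monitor; return the route
    state (installed or not) after each round."""
    mon = PathMonitor([Destination(n) for n in names], condition,
                      hold_time_min=hold_time_min)
    return [mon.tick(r, i * mon.ping_interval) for i, r in enumerate(rounds)]
```

With two targets and only one of them losing five probes in a row, the Any condition pulls the route after 15 seconds while All keeps it; after recovery, the default two-minute hold adds 40 more probe rounds before the route returns.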
Application in High Availability (HA) Failover
Device > High Availability > Link and Path Monitoring > Path Monitoring
Path Monitoring Groups can be configured specifically for HA purposes. If the path(s) monitored by a group fail on the Active firewall, it can trigger an HA failover event, causing the Passive firewall to take over the Active role.
- This allows failover based on the health of critical external network paths (e.g., ISP connectivity, reachability to core services) rather than just the physical status of firewall interfaces or the device itself.
- You configure Path Monitoring Groups under HA settings and define which paths are critical.
- The failover happens based on the configured Failure Condition (Any/All) for the group.
Link Monitoring vs. Path Monitoring for HA:
- Link Monitoring: Monitors the physical state (Up/Down) of specified firewall interfaces. Failover occurs if a monitored interface goes down.
- Path Monitoring: Monitors the reachability of IP addresses *through* interfaces using ICMP pings. Failover occurs if the path becomes unreachable, even if the physical interface remains up.
Both can be used together to provide comprehensive HA failover conditions.
HA Considerations and Caveats
- Active/Passive Monitoring: In standard Active/Passive HA, only the Active firewall performs Path Monitoring probes. The Passive firewall does not send pings.
- Active/Active Monitoring: In Active/Active HA, both firewalls can and should independently perform Path Monitoring for the paths relevant to the traffic they handle. Configuration needs to be applied consistently on both devices.
- Preemption and Hold Time: If HA Preemption is enabled, the `Preemptive Hold Time` configured within the HA Path Monitoring settings dictates how long the path must be stable before the original (higher priority) firewall preempts and becomes Active again.
- Reliable Destinations: Choosing stable, reliable IP addresses for monitoring is critical to avoid false positive failovers caused by temporary issues with the monitored targets themselves.
Relation to VPN Tunnel Monitoring
Network > IPSec Tunnels > [Tunnel Name] > Tunnel Monitor
While similar in concept (using probes to check reachability), Tunnel Monitoring is configured specifically within the IPSec tunnel settings. Its primary goals are:
- To verify connectivity *through* the established VPN tunnel by pinging a destination reachable only via the tunnel (typically the remote peer's internal interface or a server behind it).
- To keep the tunnel's Security Associations (SAs) active during periods of low traffic by generating keepalive probes.
- To optionally trigger failover to a backup VPN tunnel if the primary tunnel monitor fails.
Tunnel Monitoring is focused on the VPN path itself, whereas Path Monitoring (for Static Routes or HA) typically monitors broader network path health, often outside of specific tunnels.