Static Routing in Palo Alto Networks Firewalls
Overview
Static routes are fundamental to defining how a Palo Alto Networks firewall forwards traffic when dynamic routing is either not required or not feasible. They are manually configured and provide predictable, deterministic path selection for specific destinations.
Use Cases for Static Routing
- Directing traffic to a next-hop gateway for external internet access
- Routing to internal networks or branch offices over private WAN links
- Routing to a different Virtual Router (VR) within the firewall for segmentation or policy enforcement
- Fallback routing in conjunction with dynamic routing protocols
Routing to a Next-Hop IP Address
This is the most common static route configuration, used to forward traffic to a specific IP address of a next-hop router:
Network > Virtual Routers > [default] > Static Routes > Add
- Destination: 0.0.0.0/0
- Interface: ethernet1/1
- Next Hop: IP Address (e.g., 192.0.2.1)
Routing to a Next-VR
When using multiple virtual routers (VRs) for segmentation or multi-tenant configurations, static routes can be used to route traffic from one VR to another:
Next Hop Type: Next VR
Next VR: vr2
This configuration hands the packet to the other virtual router, which performs its own routing lookup. The second VR needs its own route back to the source networks (for example a Next VR route pointing at the first VR) for return traffic; a Next VR route is one-directional and does not create the reverse path automatically.
Static Route Configuration Components
- Destination: The IP prefix for the static route (e.g., 10.1.1.0/24). The longest matching prefix is always selected first, before administrative distance or metric are considered.
- Interface: The egress interface (e.g., ethernet1/3). Required when the next hop is None; optional for an IP address next hop, where the firewall can resolve the egress interface from the routing table.
- Next Hop: IP address, Next VR, or None (for directly connected networks)
- Metric: Tie-breaker between routes to the same prefix that have the same administrative distance (range 1-65535); the lower metric wins.
Mermaid Flow Diagram
```mermaid
flowchart TD
    A[Incoming packet] --> B{Longest prefix match in the VR routing table?}
    B -- No --> H[Drop: no matching route, not even a default]
    B -- Yes --> C[Select route: longest prefix, then lowest AD, then lowest metric]
    C --> D{Next hop type?}
    D -- IP Address --> E[Forward out the egress interface to the next-hop router]
    D -- Next VR --> F[Repeat the lookup in the next VR's routing table]
    D -- None --> G[Directly connected: resolve the destination on the interface]
    D -- Discard --> I[Drop silently]
```
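The selection order shown in the diagram (longest prefix, then administrative distance, then metric, with a Next VR next hop repeating the lookup in the other virtual router's table), as an added Python model. This is example code written for this page, not PAN-OS code or anything from Palo Alto Networks; the two route tables, the interface names, the addresses and the VR names are constructed for the example, and the hop limit that stops two VRs handing a packet back and forth is the model's own guard, not a documented firewall behaviour.

```python
"""Added model of route selection in a PAN-OS virtual router.
Not firewall code: the tables, interfaces and VR names below are
constructed for illustration. Selection order: longest prefix match,
then lowest administrative distance, then lowest metric. A Next VR
next hop repeats the lookup in the other VR's table."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# PAN-OS default administrative distances for a virtual router
DEFAULT_AD = {"static": 10, "ospf-int": 30, "ospf-ext": 110,
              "ebgp": 20, "ibgp": 200, "rip": 120}


@dataclass
class Route:
    destination: str                  # prefix, e.g. "10.1.1.0/24"
    nexthop_type: str                 # ip-address | next-vr | discard | none
    nexthop: Optional[str] = None     # next-hop router IP or next VR name
    interface: Optional[str] = None   # egress interface, if any
    protocol: str = "static"
    admin_dist: Optional[int] = None  # None means DEFAULT_AD[protocol]
    metric: int = 10
    up: bool = True                   # False once path monitoring or the
                                      # routing protocol withdraws the route

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.destination, strict=True)
        if self.admin_dist is None:
            self.admin_dist = DEFAULT_AD[self.protocol]


Tables = Dict[str, List[Route]]


def lookup(tables: Tables, vr: str, dst: str, hops: int = 0) -> Tuple[str, str]:
    """Resolve dst in virtual router vr. Returns (action, detail)."""
    if hops > 8:  # model's own guard against a VR-to-VR routing loop
        return ("drop", "next-vr loop")
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in tables.get(vr, []) if r.up and addr in r.net]
    if not candidates:
        return ("drop", "no route")
    # longest prefix first, then lowest AD, then lowest metric
    best = min(candidates,
               key=lambda r: (-r.net.prefixlen, r.admin_dist, r.metric))
    if best.nexthop_type == "ip-address":
        return ("forward", f"{best.interface} via {best.nexthop}")
    if best.nexthop_type == "next-vr":
        return lookup(tables, best.nexthop, dst, hops + 1)
    if best.nexthop_type == "discard":
        return ("drop", f"discard {best.destination}")
    return ("forward", f"{best.interface} directly connected")


def build_tables(ospf_up: bool = True, default_route: bool = True) -> Tables:
    """Constructed sample tables for two VRs, 'default' and 'vr2' (assumed names)."""
    default_vr = [
        Route("10.0.0.0/8", "next-vr", "vr2"),
        Route("203.0.113.0/24", "discard"),
        # fallback static route: AD 120 loses to the OSPF route below while it is up
        Route("10.1.1.0/24", "ip-address", "198.51.100.1", "ethernet1/3", admin_dist=120),
        Route("10.1.1.0/24", "ip-address", "198.51.100.2", "ethernet1/3",
              protocol="ospf-int", metric=20, up=ospf_up),
    ]
    if default_route:
        default_vr.append(Route("0.0.0.0/0", "ip-address", "192.0.2.1", "ethernet1/1"))
    vr2 = [
        Route("10.2.0.0/16", "none", None, "ethernet1/5"),  # directly connected
        Route("0.0.0.0/0", "next-vr", "default"),           # route back to the first VR
    ]
    return {"default": default_vr, "vr2": vr2}


if __name__ == "__main__":
    for dst in ("10.1.1.50", "10.2.3.4", "10.9.9.9", "203.0.113.7", "8.8.8.8"):
        print(dst, lookup(build_tables(), "default", dst))
    print("10.1.1.50 with OSPF down",
          lookup(build_tables(ospf_up=False), "default", "10.1.1.50"))
```

Two results are worth noting. 10.1.1.50 matches the /8 Next VR route with AD 10 and the two /24 routes, yet the /24 OSPF route wins because prefix length is compared before AD; once OSPF withdraws its route, the AD 120 static takes over. 10.9.9.9 falls inside 10.0.0.0/8, is handed to vr2, finds only the default route pointing back, and bounces until the guard stops it: the "route back" on the second VR has to be scoped so that prefixes neither VR can deliver do not loop.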
Static Routes to Null (Blackhole Routes)
A null route, also known as a blackhole route, is a static route that discards traffic destined for a specific network. This is useful for mitigating unwanted traffic or preventing routing loops.
To configure a null route in Palo Alto Networks firewalls:
- Create a tunnel interface (e.g., tunnel.999) with no IP address and assign it to the virtual router, so that it can be selected as the egress interface of the route.
- Navigate to Network > Virtual Routers > [your VR] > Static Routes and add a new route:
  - Destination: The network you want to blackhole (e.g., 203.0.113.0/24)
  - Interface: The dummy tunnel interface (e.g., tunnel.999)
  - Next Hop: None
Traffic matching the route is sent to an interface that has nowhere to deliver it, so it is dropped. Current PAN-OS releases also offer a Discard next-hop type on the static route itself, which gives the same result without the dummy interface. Because the longest prefix is matched first, a blackhole for an aggregate still lets more specific routes inside it (e.g., a /26 within the /24) forward normally.
For more details, refer to the official documentation: Palo Alto Networks Support for Null Routes.
Redistributing Static Routes into Dynamic Routing Protocols
In Palo Alto Networks firewalls, you can redistribute static routes into dynamic routing protocols like OSPF or BGP to ensure that these routes are propagated throughout your network. This is particularly useful when you want static routes to be known by other routers running dynamic protocols.
Steps to Redistribute Static Routes:
- Navigate to Network > Virtual Routers and select the appropriate virtual router.
- Go to the Redistribution Profile section and click Add to create a new profile.
- Assign a Name and set the Priority for the profile (1-255; when more than one profile matches a route, the lowest number is applied first).
- Under the General tab, set Redist to Redist and select Static as the source type to redistribute.
- (Optional) Configure filters based on interface, destination, or next hop to limit which static routes are exported. Without a filter, every static route matches, including a 0.0.0.0/0 default route, which is rarely something you want announced into OSPF or BGP.
- Click OK to save the profile.
- In the dynamic routing protocol configuration, reference the profile: for OSPF under the Export Rules tab (choosing the external path type, ext-1 or ext-2), for BGP under the Redist Rules tab. The profile does nothing until a protocol references it.
For detailed guidance, refer to the official documentation on Configuring Route Redistribution.
Using Administrative Distance to Configure Static Routes as Fallbacks
Administrative Distance (AD) expresses how much the firewall trusts the source of a route; when several sources offer the same prefix, the lowest AD wins. PAN-OS virtual router defaults are: static 10, OSPF internal 30, OSPF external 110, eBGP 20, iBGP 200, and RIP 120. AD is only compared between routes to the same prefix; a more specific prefix is always preferred regardless of its AD.
To configure a static route as a fallback to a dynamic route:
- Navigate to Network > Virtual Routers and select the appropriate virtual router.
- Go to the Static Routes section and click Add to create a new static route.
- Set the Destination and Next Hop as required. The destination must be the same prefix the dynamic protocol advertises; otherwise the two routes are never compared.
- In the Administrative Distance field, enter a value higher than that of the dynamic route (e.g., 120, which exceeds both the default 30 for OSPF internal routes and 110 for OSPF external routes). The field accepts 10-240.
- Click OK to save the static route.
With this configuration, the firewall will prefer the dynamic route. If the dynamic route is withdrawn, the static route will be used as a fallback. Verify with show routing route on the CLI: both entries are listed, and the A flag marks the one that is active (S for static, O for OSPF).
For more information, see the Static Route Overview in the official documentation.
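The redistribution profile and the fallback static route (with path monitoring, which the best practices below recommend) expressed as PAN-OS configure-mode set commands, generated and range-checked by an added Python helper. This is example code written for this page, not Palo Alto Networks' tooling; the virtual router name, route and profile names, addresses and the monitor-destination entry are assumed values. The static-route, nexthop, admin-dist and metric keywords follow the standard CLI; the path-monitor and OSPF export-rules keyword order is an assumption to confirm with ? completion on your release before committing.

```python
"""Added helper that emits PAN-OS 'configure' mode set commands for a
static route, its path monitor, and a static-to-OSPF redistribution
profile, after the range checks the GUI enforces. Example code written
for this page; VR, route, profile and address values are constructed."""
import ipaddress
import re
from typing import List, Optional

AD_RANGE = (10, 240)       # administrative distance limits in PAN-OS
METRIC_RANGE = (1, 65535)  # static route metric limits in PAN-OS
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,31}$")  # 31-character object names
IFACE_RE = re.compile(r"^(ethernet\d+/\d+|ae\d+|tunnel|loopback|vlan)(\.\d+)?$")


def _base(vr: str, name: str) -> str:
    if not NAME_RE.match(name):
        raise ValueError(f"bad route name {name!r}")
    return f"set network virtual-router {vr} routing-table ip static-route {name}"


def static_route_cmds(vr: str, name: str, destination: str, nexthop_type: str,
                      nexthop: Optional[str] = None, interface: Optional[str] = None,
                      admin_dist: int = 10, metric: int = 10) -> List[str]:
    """nexthop_type is ip-address, next-vr, discard or none. Raises ValueError."""
    net = ipaddress.ip_network(destination, strict=True)  # rejects host bits set
    if net.version != 4:
        raise ValueError("use 'routing-table ipv6' for IPv6 prefixes")
    if not AD_RANGE[0] <= admin_dist <= AD_RANGE[1]:
        raise ValueError(f"admin-dist {admin_dist} outside {AD_RANGE}")
    if not METRIC_RANGE[0] <= metric <= METRIC_RANGE[1]:
        raise ValueError(f"metric {metric} outside {METRIC_RANGE}")
    base = _base(vr, name)
    cmds = [f"{base} destination {net}"]
    if nexthop_type == "ip-address":
        ipaddress.ip_address(nexthop)  # must be a plain address, not a prefix
        cmds.append(f"{base} nexthop ip-address {nexthop}")
    elif nexthop_type == "next-vr":
        if not nexthop:
            raise ValueError("next-vr needs the target virtual router name")
        cmds.append(f"{base} nexthop next-vr {nexthop}")
    elif nexthop_type == "discard":
        cmds.append(f"{base} nexthop discard")
    elif nexthop_type != "none":
        raise ValueError(f"unknown nexthop type {nexthop_type!r}")
    if nexthop_type == "none" and not interface:
        raise ValueError("a next hop of none needs an egress interface")
    if interface:
        if not IFACE_RE.match(interface):
            raise ValueError(f"bad egress interface {interface!r}")
        cmds.append(f"{base} interface {interface}")
    cmds += [f"{base} admin-dist {admin_dist}", f"{base} metric {metric}"]
    return cmds


def path_monitor_cmds(vr: str, name: str, monitor_name: str, source: str,
                      destination: str, interval: int = 3, count: int = 5,
                      failure_condition: str = "any", hold_time: int = 2) -> List[str]:
    """Path monitoring pulls the route when pings to destination fail.
    Ranges (interval 1-60 s, count 3-10, hold-time 0-1440 min) and keyword
    order are assumptions to confirm on the target release."""
    ipaddress.ip_interface(source)      # egress interface address with mask
    ipaddress.ip_address(destination)   # monitored next hop
    if failure_condition not in ("any", "all"):
        raise ValueError("failure-condition is any or all")
    if not (1 <= interval <= 60 and 3 <= count <= 10 and 0 <= hold_time <= 1440):
        raise ValueError("path-monitor value out of range")
    pm = f"{_base(vr, name)} path-monitor"
    md = f"{pm} monitor-destinations {monitor_name}"
    return [f"{pm} enable yes", f"{pm} failure-condition {failure_condition}",
            f"{pm} hold-time {hold_time}", f"{md} enable yes",
            f"{md} source {source}", f"{md} destination {destination}",
            f"{md} interval {interval}", f"{md} count {count}"]


def redist_static_to_ospf_cmds(vr: str, profile: str, priority: int = 1,
                               path_type: str = "ext-2") -> List[str]:
    """Profile matching static routes plus the OSPF export rule that uses it."""
    if not NAME_RE.match(profile) or not 1 <= priority <= 255:
        raise ValueError("bad profile name or priority")
    if path_type not in ("ext-1", "ext-2"):
        raise ValueError("OSPF path type is ext-1 or ext-2")
    rp = f"set network virtual-router {vr} protocol redist-profile {profile}"
    return [f"{rp} priority {priority}", f"{rp} action redist",
            f"{rp} filter type static",
            f"set network virtual-router {vr} protocol ospf export-rules {profile} new-path-type {path_type}"]


if __name__ == "__main__":
    for line in (static_route_cmds("default", "backup-10.1.1.0", "10.1.1.0/24", "ip-address",
                                   "198.51.100.1", "ethernet1/3", admin_dist=120)
                 + path_monitor_cmds("default", "backup-10.1.1.0", "gw", "198.51.100.10/24", "198.51.100.1")
                 + static_route_cmds("default", "blackhole-203", "203.0.113.0/24", "discard")
                 + redist_static_to_ospf_cmds("default", "static-to-ospf")):
        print(line)
```

Paste the output into configure mode and commit, or feed it to a tool that pushes CLI over SSH. The checks that matter in practice are the strict prefix parse (a destination such as 10.1.1.5/24 is rejected rather than silently normalised) and the AD bounds, so that a value outside 10-240 fails here instead of at commit time.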
Best Practices for Static Routing
- Use Static Routes for Stable Networks: Employ static routing in environments with a simple and unchanging topology. This reduces complexity and administrative overhead.
- Configure Default Routes Appropriately: Set up a default route (0.0.0.0/0) to handle traffic destined for unknown networks. This is especially important for internet-bound traffic; without it, packets with no more specific match are dropped.
- Leverage Administrative Distance: Adjust the administrative distance to prioritize routes. For instance, assign a higher distance to backup static routes so they are used only when the primary routes disappear.
- Implement Path Monitoring: A static route stays in the routing table even when its next hop is unreachable, so a backup route with a higher AD never takes over on its own. Path monitoring pings one or more destinations through the route and removes the static route from the forwarding table when they fail, so that traffic is rerouted.
- Avoid Overusing Policy-Based Forwarding (PBF): While PBF can direct traffic based on policies, it bypasses the routing table and makes the forwarding decision harder to reason about from the route table alone. Use PBF judiciously and prefer static routes for straightforward scenarios.
- Document All Static Routes: Maintain clear documentation for all static routes, including their purpose and configuration details. This aids in future troubleshooting and network audits.