Palo Alto Networks Advanced Routing Engine: A PCNSE Deep Dive

1. Introduction to the Advanced Routing Engine (ARE)

Palo Alto Networks introduced the Advanced Routing Engine (ARE) in PAN-OS 10.2, marking a significant evolution from the traditional routing capabilities. The ARE is designed to provide a more scalable, high-performance, and flexible routing solution. Crucially, it aligns with industry-standard Command Line Interface (CLI) syntax and configuration methodologies, which simplifies operations for network engineers familiar with other routing platforms and reduces the learning curve. This enhancement allows for the creation of profile-based filtering lists and conditional route maps that are reusable across different logical routers and even virtual systems.

The core change in ARE is the shift from Virtual Routers (VRs) to Logical Routers (LRs) . While conceptually similar in that they both represent a routing domain, LRs within ARE offer enhanced functionalities and a more granular approach to routing configuration.

Figure 1: Conceptual Shift from Legacy to Advanced Routing Engine.

2. Key Advantages of ARE over Legacy Virtual Routers

The Advanced Routing Engine offers several compelling advantages over the legacy virtual router system, making it a superior choice for modern network infrastructures demanding flexibility and rich features.

• Industry-Standard Configuration: ARE adopts a configuration methodology that is widely used in the networking industry, making it more intuitive for engineers experienced with other vendors' routing platforms.
• Enhanced Scalability and Performance: ARE is built to handle more complex routing scenarios and larger routing tables more efficiently.
• Logical Routers: Replacing virtual routers, logical routers provide a more robust and flexible way to manage routing instances. Unlike the legacy engine, ARE does not create a default logical router; administrators must explicitly configure them.
• Reusable Routing Profiles: ARE extensively uses routing profiles for configuring route filters, redistribution, and protocol-specific settings (e.g., BGP, OSPF, RIP). These profiles can be shared among logical routers within the same virtual system or across different virtual systems, promoting consistency and reducing redundant configuration.
• Advanced Filtering Capabilities: ARE supports sophisticated filtering mechanisms, including:
  • Access Lists (ACLs)
  • Prefix Lists.
  • AS Path Lists (for BGP).
  • Community Lists (for BGP).
  • Route Maps.
  These tools offer fine-grained control over route advertisement and acceptance.
• Expanded Protocol Support: While legacy routing supports common protocols like Static, BGP, OSPFv2/v3, and RIP, ARE extends this with robust support for:
  • Multiprotocol BGP (MP-BGP).
  • Protocol Independent Multicast - Sparse Mode (PIM-SM) and Source-Specific Multicast (PIM-SSM).
  • Bidirectional Forwarding Detection (BFD) for faster failure detection.
  • Enhanced IPv4 Multicast routing.
• Simplified Route Redistribution: Route redistribution between different routing protocols is managed more effectively using redistribution profiles in ARE.
• Granular Control for BGP: BGP configurations are more agile, with peer groups and individual peers able to inherit configurations. BGP peers can also have their own routing profiles, overriding inherited ones if needed.
• Route Tagging: ARE supports route tagging more completely and effectively, using a 32-bit decimal notation (e.g., 1234567) instead of the dotted decimal format used in the legacy engine.

3. Detailed Feature Exploration

3.1. Logical Routers (LRs)

Logical Routers are the cornerstone of the ARE, serving as distinct routing instances within the firewall. Each LR maintains its own set of interfaces, routing tables, and routing protocol instances. This separation allows for versatile network designs, such as supporting multiple tenants or segregating different traffic paths with unique routing policies.

Configuration: Network > Logical Routers

Inter-Logical Router (Inter-LR) routing can be achieved, often using iBGP between loopback interfaces defined in different LRs. This requires static routes of type "next-lr" pointing to the loopback of the other LR.

3.2. Routing Profiles

Routing profiles are a significant enhancement in ARE, centralizing common configurations for routing protocols. Instead of repeatedly defining settings like timers, authentication, or filters for each BGP neighbor or OSPF area, you create a profile and apply it where needed. This promotes consistency and simplifies management.

Types of profiles include:

• BGP Profiles: For authentication, timers, address families, dampening, route redistribution, and BGP filtering.
• OSPFv2/OSPFv3 Profiles: For timers, authentication, and route redistribution.
• RIPv2 Profiles: For timers, authentication, and route redistribution.
• Filtering Profiles: These are crucial for controlling which routes are learned or advertised. They often reference other filter objects like prefix lists or route maps.
• Redistribution Profiles: Define rules for redistributing routes from one protocol to another, or from static/connected routes into dynamic protocols.

Configuration: Network > Routing Profiles

3.3. Advanced Filtering Mechanisms

ARE provides a comprehensive suite of tools for route filtering, essential for policy enforcement and optimizing routing tables.

• Access Lists (ACLs): Filter routes based on source/destination IPv4/IPv6 addresses. In BGP, they can be used in an Inbound Distribute List to control route acceptance or an Outbound Distribute List for advertisements.
• Prefix Lists: Offer more flexibility than ACLs for matching based on network prefixes and prefix lengths (e.g., permit 10.0.0.0/8 le 24). They have an implicit "deny any" at the end.
• AS Path Lists: Filter BGP routes based on Autonomous System (AS) path regular expressions.
• Community Lists: Filter BGP routes based on BGP community attributes.
• Route Maps: The most powerful filtering tool, route maps allow for complex conditional logic. They consist of sequences of permit/deny statements, each with match criteria (e.g., prefix lists, AS path lists, communities) and set actions (e.g., modify attributes like metric, local preference, or prepend AS path). Route maps are used extensively in redistribution and BGP policy.

Configuration: Network > Routing > Routing Profiles > Filters (for Prefix Lists, AS Path Lists, Community Lists, Route Maps, Access Lists)

Figure 2: Route Map Filtering Process.

3.4. Bidirectional Forwarding Detection (BFD)

BFD is a low-overhead, short-duration protocol designed to quickly detect failures in the path between two adjacent routers. ARE supports BFD, which can be enabled for dynamic routing protocols like BGP and OSPF. This allows for much faster convergence times compared to relying solely on routing protocol hello timers or hold timers.

Configuration: Typically enabled within the specific routing protocol configuration (e.g., BGP peer or OSPF interface settings).

3.5. Migration from Legacy to ARE

PAN-OS provides a migration script to help transition configurations from the legacy routing engine to ARE. This script attempts to convert existing virtual routers, BGP, OSPF, and other routing settings into the new ARE structure (logical routers, profiles, etc.).

Key steps and considerations:

1. Backup Configuration: Always perform a full configuration backup before starting.
2. Enable Advanced Routing:

   Device > Setup > Management , edit General Settings, and check "Advanced Routing".

3. Commit and Reboot: A reboot is required for the change to take effect.
4. Review Migration Script Output: After reboot and migration, the system will display the status. Pay attention to any exceptions (highlighted in yellow or orange) that may require manual intervention. Orphaned filters or profiles (created but not applied in the legacy config) are generally not migrated.
5. Panorama-Managed Firewalls: If firewalls are managed by Panorama, the migration involves enabling Advanced Routing on Panorama first to migrate and push shared configurations, then enabling it on each firewall to migrate local configurations.

4. Troubleshooting the Advanced Routing Engine

Effective troubleshooting of ARE involves using a combination of GUI observations and CLI commands. The CLI commands for ARE are generally prefixed with show advanced-routing or debug advanced-routing .

4.1. Key CLI Show Commands

These commands are crucial for verifying configuration, checking operational status, and viewing routing tables.

• show advanced-routing logical-router routing-table [summary | detail | ] : Displays the Routing Information Base (RIB) for a specific logical router.
  • Example: show advanced-routing logical-router default routing-table detail 192.168.1.0/24
• show advanced-routing fib [afi ] [ecmp ] : Displays the Forwarding Information Base (FIB), which is the actual table used for forwarding packets.
• show advanced-routing route : Displays the advanced routing table entries.
• BGP Specific:
  • show advanced-routing bgp summary : Displays a summary of BGP peer states.
  • show advanced-routing bgp peer : Shows detailed information about a specific BGP peer.
  • show advanced-routing bgp peer received-routes : Shows routes received from a BGP peer before inbound policies are applied.
  • show advanced-routing bgp peer advertised-routes : Shows routes advertised to a BGP peer after outbound policies are applied.
  • show advanced-routing bgp rib-in : Displays BGP routes in the input RIB.
  • show advanced-routing bgp rib-out : Displays BGP routes in the output RIB.
• OSPF Specific:
  • show advanced-routing ospf neighbor [logical-router ] : Displays OSPF neighbor status.
  • show advanced-routing ospf interface [logical-router ] [ ] : Shows OSPF interface details.
  • show advanced-routing ospf database [logical-router ] : Displays the OSPF Link State Database (LSDB).
  • show advanced-routing ospf route [logical-router ] : Displays OSPF learned routes.
• RIP Specific:
  • show advanced-routing rip neighbor [logical-router ] : Displays RIP neighbor information.
  • show advanced-routing rip database [logical-router ] : Shows routes in the RIP database.
• Multicast Specific:
  • show advanced-routing multicast [summary | route | interface | rpf]
  • show ip igmp sources json : Note: There was a bug (PAN-256780) regarding inconsistent formatting of this command's output, which implies its existence for troubleshooting.
• BFD Specific:
  • show advanced-routing bfd session [summary | detail] : Displays BFD session status.

For legacy routing commands, you might see show routing ... (e.g., show routing fib ), but for ARE, always prefer show advanced-routing ... .

4.2. Key CLI Debug Commands

Debug commands provide verbose output for troubleshooting protocol behavior and issues. Use them cautiously in production environments as they can generate significant output and impact performance.

Warning: Extensive debugging can impact CPU performance. Use debug commands targetedly and disable them once troubleshooting is complete.

• debug advanced-routing : This is the primary command to enable debugging for various aspects of a routing protocol.
  • Example (BGP): debug advanced-routing bgp all logical-router default peer
  • Example (OSPF): debug advanced-routing ospf all logical-router default interface
• debug advanced-routing rib all logical-router : Enables debugging for RIB updates.
• debug advanced-routing redistribute all logical-router : Enables debugging for route redistribution processes.
• debug advanced-routing bfd all : Enables debugging for BFD.
• Viewing Debug Output: Debug messages are typically sent to the mp-log advanced-routing.log file or can be viewed in real-time in the CLI session depending on terminal settings.
• clear debug advanced-routing all : Disables all active advanced routing debugs.

While some general debug commands like debug routing pcap ospf|bgp|rip on|off existed for legacy routing, the ARE-specific commands provide more granular control.

4.3. Common Troubleshooting Scenarios & What to Check

• Routes not appearing in RIB/FIB:
  • Check interface status (up/up).
  • Verify routing protocol adjacencies/neighbor-ships ( show advanced-routing ospf neighbor , show advanced-routing bgp summary ).
  • Inspect routing protocol databases ( show advanced-routing ospf database , show advanced-routing bgp rib-in ).
  • Review filters (prefix lists, route maps) applied inbound or outbound. Check if they are unintentionally blocking routes.
  • Ensure correct redistribution profiles if routes are expected from another protocol.
  • Check for any error messages in system logs or specific protocol logs (e.g., BGP flap due to IPSec tunnel changes - PAN-182734).
• OSPF Adjacency Issues:
  • Mismatched Area ID, Hello/Dead timers, MTU, authentication.
  • Network type mismatch (e.g., point-to-point vs. broadcast).
  • Passive interface configuration.
  • Access control lists or security policies blocking OSPF packets (Protocol 89).
• BGP Peering Issues:
  • Incorrect peer IP address or AS number.
  • TCP port 179 blocked by security policies or intermediate devices.
  • TTL issues for eBGP (multihop configuration if not directly connected).
  • Authentication mismatch.
  • Address family misconfiguration.
• Route Redistribution Not Working:
  • Verify the redistribution profile is correctly configured and applied.
  • Check route maps used in redistribution for correct match/set clauses.
  • Ensure the source protocol has the routes in its RIB.
  • Confirm metrics are being set appropriately for the destination protocol.

5. PCNSE Exam Focus for Advanced Routing

For the Palo Alto Networks Certified Network Security Engineer (PCNSE) exam, a solid understanding of ARE is crucial, especially as it's the current routing framework. Key areas to focus on include:

• Core Concepts: Understand the shift from Virtual Routers to Logical Routers and the benefits of ARE.
• Enabling ARE: Know the process to enable Advanced Routing (Device > Setup > Management > General Settings, commit, and reboot).
• Logical Router Configuration: How to create and configure LRs, add interfaces, and manage basic settings.
• Routing Protocols:
  • Configuration and verification of BGP (peers, peer groups, address families, common attributes like AS-PATH, communities, local preference).
  • Configuration and verification of OSPFv2 and OSPFv3 (areas, interface types, neighbor states, LSAs at a high level).
  • Static route configuration and management.
• Routing Profiles: Purpose and application of various profiles (BGP, OSPF, Redistribution, Filtering).
• Route Filtering:
  • Detailed knowledge of Prefix Lists (syntax, matching logic).
  • Understanding and application of Route Maps (match conditions, set actions, sequence numbers).
  • Familiarity with Access Lists, AS Path Lists, and Community Lists in the context of route filtering.
• Route Redistribution: How to configure redistribution between routing protocols and from static/connected sources using redistribution profiles and route maps.
• BFD: Purpose and basic configuration with dynamic routing protocols.
• Troubleshooting: Familiarity with key show advanced-routing ... commands for BGP, OSPF, RIB, and FIB. Understanding how to interpret their output to diagnose common routing problems (e.g., OSPF routes not learned, BGP routes not populating).
• Migration: Awareness of the migration process from legacy routing and potential considerations.

Questions on the PCNSE exam might present scenarios requiring you to choose the correct configuration steps, interpret CLI output, or identify the appropriate troubleshooting command for a given routing issue.

6. Conclusion

The Advanced Routing Engine in PAN-OS represents a major step forward, equipping Palo Alto Networks firewalls with a more robust, scalable, and industry-aligned routing subsystem. For network engineers, and particularly for PCNSE candidates, mastering ARE's concepts, configuration, and troubleshooting is essential for leveraging the full potential of these next-generation firewalls in complex network environments.