PCNSE Static Routing Guide: Palo Alto Networks Firewalls

1. Introduction to Static Routing

Static routing is a fundamental networking concept where routes are manually configured on a routing device, such as a Palo Alto Networks firewall. Unlike dynamic routing protocols that automatically discover and update routes, static routes remain fixed unless an administrator changes them. Static routes are useful in various scenarios, including small, stable networks, defining specific paths for certain traffic, or as a backup to dynamic routes. Palo Alto Networks firewalls offer robust static routing capabilities, allowing for precise control over traffic flow.

2. Static Route Configuration

Configuring a static route on a Palo Alto Networks firewall involves specifying several key parameters to define how traffic to a particular destination network should be handled.

Navigate to Network > Virtual Routers , select the desired virtual router, and go to the Static Routes tab.

1. Name: A descriptive name for the static route (e.g., To_Remote_Branch_VPN ).
2. Destination: The network address of the destination you want to reach (e.g., 10.10.20.0/24 ). A common use case is configuring a default route ( 0.0.0.0/0 ) to direct all traffic for unknown destinations.
3. Interface: The egress interface on the firewall that will be used to send traffic towards the next hop or destination. This is optional if the next hop IP address is directly reachable via a different interface already known to the virtual router. For certain next-hop types like 'None', an interface might still be specified.
4. Next Hop Type & Value: This defines the next device or action for packets matching the destination. Common types include:
   • IP Address: The IP address of the next-hop router. This is the most common type.
   • Next VR: Forwards traffic to another virtual router (VR) within the same firewall. This is useful for inter-VR communication.
   • Discard (Null Route): Drops traffic destined for the specified network. This is often used for blackholing unwanted traffic (e.g., DDoS mitigation) or preventing routing loops for summarized routes.
   • None: Often used when the route is for traffic that will be handled by Policy-Based Forwarding (PBR) or for routes to directly connected networks over a specific interface (though connected routes are typically learned automatically). The firewall might use the destination IP of a path monitor as the next hop in this scenario.
   • FQDN: (Available in some PAN-OS versions) Allows specifying the next hop as a Fully Qualified Domain Name, which the firewall resolves to an IP address.
5. Administrative Distance (AD): A value from 1 to 255 indicating the trustworthiness of the route source. Lower values are preferred. The default AD for static routes is 10 . This is crucial when static routes interact with dynamic routing protocols.
6. Metric: A value (default 10 ) used to differentiate between multiple static routes to the same destination with the same AD. The route with the lower metric is preferred.
7. Click OK and then Commit the changes.

3. Typical Utilization Scenarios

3.1 Routing to Tunnel Interfaces (IPSec VPN & GlobalProtect)

A primary use case for static routes is directing traffic destined for remote networks through IPSec VPN tunnels or to GlobalProtect client subnets.

• IPSec Site-to-Site VPN: When an IPSec tunnel is established, a tunnel interface is created on the firewall. You then configure static routes pointing to the remote subnets, with the Next Hop being the tunnel interface itself (or an IP address within the tunnel if tunnel monitoring with an IP is used). For example, to reach a remote network 192.168.100.0/24 via tunnel.1 , you would add a static route with this destination and specify tunnel.1 as the interface.
• GlobalProtect: For GlobalProtect remote access VPNs, static routes can be used to direct traffic from the internal network to the dynamically assigned IP address pools for GlobalProtect users. Conversely, routes might be needed within the GlobalProtect virtual router instance to direct traffic from clients to internal resources. Often, GlobalProtect configurations automatically handle necessary routing, but complex scenarios might require manual static routes.

A tunnel interface itself doesn't always require an IP address unless you are using tunnel monitoring (pinging an IP across the tunnel) or running dynamic routing protocols over the tunnel.

3.2 Stub Networks and Default Routes

Static routes are ideal for connecting to stub networks —networks accessible through a single path. For instance, a small branch office connected to a central site via a single WAN link can use a static route on the central firewall to reach the branch office's subnets.

A default static route ( 0.0.0.0/0 ) is essential when the firewall doesn't learn a default route from a dynamic routing protocol. This route specifies the next-hop (usually an ISP gateway) for all traffic whose destination is not explicitly listed in the routing table. You can have multiple default routes with different metrics or ADs for redundancy.

3.3 Inter-Virtual Router (Inter-VR) Routing

In Palo Alto Networks firewalls, multiple virtual routers (VRs) can exist. To enable communication between networks attached to different VRs, you can use static routes with a Next Hop Type of Next VR . This allows traffic to be passed from one VR to another specified VR, facilitating segmented yet interconnected network designs. For instance, if VR1 needs to send traffic to a network in VR2, a static route in VR1 for that network would specify VR2 as the next hop.

4. Path Monitoring for Static Routes

Path monitoring enhances the reliability of static routes by ensuring they are only active when the specified path is reachable. This is particularly useful for ISP redundancy scenarios.

1. While adding or editing a static route, navigate to the Path Monitoring tab.
2. Enable path monitoring and add one or more Monitored Destinations (IP addresses that the firewall will ping). You can monitor up to 128 static routes.
3. Specify the Source IP for the ICMP pings (often an IP on the egress interface of the static route).
4. Set the Ping Interval (how often to ping) and Ping Count (number of consecutive failures before declaring the path down).
5. Choose the Failure Condition ( Any or All monitored destinations must fail) and set the Preemptive Hold Time (how long to wait after a path recovers before re-installing the route).
6. Click OK and then Commit the changes.

When path monitoring detects that a monitored destination is unreachable, the static route is dynamically removed from the routing table. This allows an alternative route (e.g., a floating static route or a route learned via a dynamic protocol) to become active. When the path recovers, the original static route can be re-installed.

4.1 Bidirectional Forwarding Detection (BFD) for Static Routes

Bidirectional Forwarding Detection (BFD) is a protocol designed for very fast failure detection in the bidirectional path between two routing peers. Palo Alto Networks firewalls support BFD for static routes, providing much faster failover times (sub-second) than traditional path monitoring based on ICMP pings.

Key points for BFD with static routes:

• BFD must be supported and configured on both the firewall and the peer device at the other end of the static route.
• The static route's Next Hop Type must be IP Address , and a valid IP address must be entered.
• An egress interface must be specified for the static route.
• You create a BFD Profile (under Network > Network Profiles > BFD ) defining parameters like desired minimum transmit/receive intervals and detection time multiplier. This profile is then applied to the static route.
• If multiple static routes use the same source/destination IP pair for a BFD session, a single BFD session can handle them.
• BFD is particularly beneficial in HA (High Availability) setups and scenarios requiring rapid convergence.

While BFD offers faster failover, path monitoring via ICMP is simpler to implement if the peer device doesn't support BFD or for less critical links.

5. Administrative Distance and Metric Manipulation

Administrative Distance (AD) and Metric are crucial for controlling route preference, especially when multiple routes to the same destination exist from different sources (e.g., static, OSPF, BGP).

5.1 Administrative Distance (AD)

AD indicates the trustworthiness of a route source. Lower AD values are preferred . Palo Alto Networks firewalls use these default ADs:

• Connected: 0
• Static routes: 10
• eBGP: 20
• OSPF Int./Ext.: 30/110 (PAN-OS specific OSPF AD values, can differ from Cisco's 110 for both)
• iBGP: 200
• RIP: 120

By default, a static route (AD 10) will be preferred over an OSPF route (AD 30 or 110) or a RIP route (AD 120) to the same destination.

Floating Static Routes: You can create a "floating" static route by setting its AD higher than that of a dynamically learned route. For example, if OSPF provides the primary path (AD 30), a static route to the same destination with an AD of 35 or higher will only be installed in the routing table if the OSPF route disappears. This makes the static route a backup.

5.2 Metric

If multiple static routes to the same destination have the same AD , the firewall uses the metric to choose the best path. The route with the lowest metric is preferred. The default metric for static routes is 10 .

Use Case: Consider two static routes to 10.5.5.0/24 .

• Route A: Next Hop 172.16.1.1 , AD 10, Metric 10
• Route B: Next Hop 172.16.2.1 , AD 10, Metric 20

Route A will be preferred. If Route A becomes inactive (e.g., due to path monitoring failure), Route B will be used. If both had a metric of 10, ECMP (Equal Cost Multi-Path) might be considered if enabled, though behavior can depend on specific PAN-OS versions and configurations.

6. Static Routes and Dynamic Routing

Static routes and dynamic routing protocols (like OSPF, BGP, RIP) can coexist and complement each other within a virtual router.

• Route Preference: As discussed, AD determines preference. Static routes (default AD 10) are typically preferred over dynamically learned routes unless the AD is manually adjusted.
• Backup Routes: Increasing a static route's AD to be higher than a dynamic protocol's AD allows the static route to function as a backup if the dynamic routes fail.
• Redistribution: Static routes can be redistributed into dynamic routing protocols. This allows routers participating in dynamic routing to learn about networks that are only known via static configuration on the firewall. When redistributing, you can set metrics and apply route maps/filters to control which static routes are advertised and their attributes in the dynamic protocol. Care must be taken to prevent routing loops.
• Specific Cases: You might use a static route to reach a network that a dynamic routing protocol cannot, or to override a path learned dynamically for specific policy reasons.

7. Special Static Route Next-Hop Types

Palo Alto Networks firewalls offer flexible next-hop options for static routes:

• IP Address : The standard next-hop, pointing to a specific router's IP address. Path monitoring and BFD are commonly used with this type.
• Next VR : Used to forward traffic to another virtual router (VR) on the same firewall. This enables inter-VR communication without needing physical connections between them. A common use case is routing traffic between a dedicated VR for GlobalProtect users and the internal network VR.
• Discard (Null Route): Traffic matching a route with a 'Discard' next-hop is dropped by the firewall.
  • Purpose:
    • Blackholing Traffic: Intentionally dropping unwanted traffic, such as in response to a DDoS attack or to block traffic to known malicious destinations.
    • Loop Prevention: When advertising aggregate routes in BGP, a null route for the aggregate can prevent routing loops if more specific components of the aggregate are down.
    • Advertising Routes without a Physical Next-Hop: Sometimes used in BGP to advertise a prefix that exists on the firewall itself (e.g., an aggregate) into the BGP domain.
• None : This option indicates there's no specific next-hop IP address.
  • Purpose:
    • Policy-Based Forwarding (PBR): If traffic is intended to be routed by a PBR rule, the static route lookup might point to a route with 'None' as the next hop, deferring the decision to PBR.
    • Interface-Specific Routes for Path Monitoring: In some path monitoring scenarios where the destination is directly reachable via an interface without a further next-hop IP, 'None' might be used. The firewall uses the destination IP of the path monitor as the next hop.
    • Routes to directly connected segments: While typically handled by "connected" routes, a static route with 'None' might be used in specific edge cases pointing to an interface.
• FQDN : Allows using a Fully Qualified Domain Name as the next hop. The firewall periodically resolves the FQDN to an IP address and updates the route. This is useful for dynamic next-hop IP addresses.

8. Policy-Based Routing (PBR)

Policy-Based Routing (PBR) provides a mechanism to forward packets based on criteria other than just the destination IP address found in the routing table. PBR rules can consider source IP, source/destination port, application, or user to make forwarding decisions.

Navigate to Policies > Policy Based Forwarding .

1. Click Add to create a PBR rule.
2. Define match criteria: Source Zone , Source Address/User , Destination Address , Application , Service/URL Category .
3. Specify the Action (Forwarding) :
   • Egress Interface: The interface out of which to send matching traffic.
   • Next Hop: IP address of the next device.
   • Can also choose to forward to a Next VR .
4. Optionally, enable Monitor to track the health of the PBR path (similar to static route path monitoring). If the monitored path fails, the PBR rule can be disabled.
5. Click OK and then Commit .

PBR is useful for scenarios like source-based routing (e.g., sending traffic from specific departments via different ISP links), directing certain application traffic through specific paths, or for temporary troubleshooting.

9. Interaction Between Static Routes and PBR

Understanding the order of operations is crucial when both static routes and PBR are configured:

• PBR rules are evaluated before the main IP routing table lookup.
• If a packet matches a PBR rule and the rule is active (and its monitor, if configured, indicates the path is up), the packet is forwarded according to the PBR rule's defined action, overriding what the routing table would have dictated.
• If no PBR rule matches the packet, or if a matching PBR rule's monitored path is down, the firewall then performs a lookup in the routing table (which includes static and dynamically learned routes) to determine the forwarding path.

While PBR offers granular control, it can make troubleshooting more complex as the forwarding path isn't solely determined by the routing table. Static route path monitoring is often preferred for simple ISP failover scenarios due to its clearer integration with the routing table.

10. Monitoring and Troubleshooting

Effective monitoring and troubleshooting are key to maintaining a healthy routed environment:

• Virtual Router Runtime Stats:

  Network > Virtual Routers > (select your VR) > More Runtime Stats

  • Routing Table: Shows all active routes (static, connected, dynamic) with their AD, metric, next hop, and interface. Look for flags like 'A' (Active), 'S' (Static), 'C' (Connected), 'O' (OSPF), 'B' (BGP), 'R' (RIP).
  • Forwarding Table (FIB): Shows the actual routes used for forwarding packets. This is derived from the routing table.
  • Path Monitoring: Displays the status of monitored static routes (Up/Down, monitored IPs).
  • BFD: Shows the status of BFD sessions (Up/Down, peer IP, interface).
• System Logs:

  Monitor > Logs > System

  Filter for events related to routing, path monitoring (e.g., path-monitor-failure , path-monitor-recovery ), and BFD (e.g., bfd-session-down , bfd-session-up ).
• Traffic Logs:

  Monitor > Logs > Traffic

  Can indicate routing issues if sessions are failing or showing unexpected egress interfaces or zones. "Incomplete" or "aged-out" sessions for allowed traffic might point to routing or NAT problems.
• CLI Commands:
  • show routing route : Displays the routing table.
  • show routing fib : Displays the Forwarding Information Base.
  • show routing path-monitor static-route all : Shows status of all path-monitored static routes.
  • show bfd session all : Shows status of all BFD sessions.
  • test routing fib-lookup virtual-router ip : Simulates a FIB lookup for a destination IP.
  • ping source host : Useful for testing connectivity along a specific path.

11. Best Practices for Static Routing

• Use Descriptive Naming: Assign clear names to static routes (e.g., Default_Route_ISP1 , VPN_to_Branch_Office ) for easier identification and management.
• Regularly Audit Routes: Periodically review static routes to ensure they are still necessary, correctly configured, and haven't become obsolete.
• Document Configurations: Maintain thorough documentation of static routes, their purpose, any path monitoring or BFD configurations, and AD/metric adjustments.
• Implement Redundancy with Path Monitoring/BFD: For critical connections (like ISP links or core internal routes), use path monitoring or BFD with backup static routes (floating static routes) or dynamic routing to ensure failover.
• Be Cautious with 0.0.0.0/0 Overrides: While powerful, ensure default routes are correctly pointing to trusted gateways. Misconfiguration can lead to widespread outages.
• Use Specific Prefixes: Prefer more specific static routes over less specific ones where possible to avoid unintended traffic redirection. Longest prefix match always wins.
• Null Routes for Aggregates: When summarizing routes and redistributing them (especially into BGP), use a discard/null route for the aggregate prefix on the summarizing router to prevent routing loops.
• Understand AD and Metric: Leverage AD and metric values strategically to achieve desired routing behavior, especially in environments with mixed static and dynamic routing.
• Test Failover: If using path monitoring or BFD for failover, regularly test the failover mechanism to ensure it works as expected.

12. Conclusion

Static routing, while simple in concept, offers powerful and granular control over traffic flow in Palo Alto Networks firewalls. By understanding its configuration options, utilization scenarios like VPN routing and ISP redundancy, the interplay with Administrative Distance and metrics, and enhancements like Path Monitoring and BFD, network engineers can build resilient, efficient, and predictable network infrastructures. Mastering these concepts is crucial for success in the PCNSE exam and in deploying and managing Palo Alto Networks security solutions effectively.