topic Palo firewall routing in Next-Generation Firewall Discussions

Palo firewall routing

nemeses666 — Wed, 05 Oct 2022 06:04:04 GMT

Hello. New to Palo's. I have a question re routing.

I have an interface with, say, 1.1.1.1/24. There is a router on the same network on 1.1.1.2.

I have had to add a static route in order to ping/communicate with 1.1.1.2

Is this normal Palo behaviour?

Re: Palo firewall routing

PavelK — Tue, 04 Oct 2022 23:57:03 GMT

Hello @nemeses666

thanks for the post.

Yes, this is correct understanding. Unless you have dynamic routing in place, for any indirectly connected subnet, you will have to configure static route with egress interface. Here is a KB for reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001V3WCAU&lang=en_US%E2%80%A9

If the other subnet has a route back, this communication should be functional.

Kind Regards

Pavel

Re: Palo firewall routing

nemeses666 — Wed, 05 Oct 2022 06:05:02 GMT

Hi. I have edited my post as I originally wrote it incorrectly.

Re: Palo firewall routing

PavelK — Wed, 05 Oct 2022 06:48:05 GMT

Thank you for reply @nemeses666

by looking into your edited post, no this is not expected behavior. May I ask, how did you diagnose/concluded that adding static route is resolving this issue?

Regarding ping, by default it is using management interface. If you want to change it to data plane interface you have to specify source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk7CAC

Kind Regards

Pavel

Re: Palo firewall routing

nemeses666 — Wed, 05 Oct 2022 07:10:28 GMT

Hi Pavel. Without the static route I am unable to communicate with IP address attached to the local interface. Even using the 'source' option with ping I am unable to ping 1.1.1.2 unless the static route exists. A site to site VPN will not come up without it. I can see the IKE packets from the remote peer however the Palo does not respond unless the static is in place.

Re: Palo firewall routing

Adrian_Jensen — Wed, 05 Oct 2022 15:57:29 GMT

There are an awful lot of things that could be going on; multiple route tables, more specific routes, incorrect netmask, NATs, PBFs, etc. Starting simple since you say you can not ping the directly attached host (this shouldn't need a source option since the device is locally connected, i.e.):

PA> ping host 1.1.1.2

Remove the static route for 1.1.1.0/24 you put in. Can you ping the PA itself?

PA> ping host 1.1.1.1

What does the routing table show for a destination matching 1.1.1.2?

PA> show routing route

Re: Palo firewall routing

nemeses666 — Thu, 06 Oct 2022 06:58:49 GMT

Hi Adrian.

If I remove the static (which just points to the Interface) I can still ping the locally attached address however not 1.1.1.2.

Re: Palo firewall routing

Adrian_Jensen — Thu, 06 Oct 2022 18:37:44 GMT

And what is the routing table?

Re: Palo firewall routing

nemeses666 — Fri, 07 Oct 2022 08:49:22 GMT

Adrian,

Can you explain how the routing table is relevant when the address I wish to ping is in a directly connected network? I am unable to present the routing table on a public platform due to company security policies.

Re: Palo firewall routing

Adrian_Jensen — Fri, 07 Oct 2022 15:57:41 GMT

Because the routing table will show:

- the route mask applied to the route, which may indicate incorrect or corrupted netmask applied to the interface

- route existing on an alternate interface, meaning the IP range is already being used elsewhere on the PA

- route existing with something other than "C" connected status, i.e. its being learned from elsewhere, overridden by some other static route "S", etc.

- a more specific route is redirecting traffic to another interface

- look at whether the route exists in your default routing table, as well as in alternate routing tables which may exist in your specific configuration

Also look carefully through your PBFs to see if something might be matching/redirecting traffic there. There is a "Test Policy Match" tool at the bottom that you can use to see if traffic would potentially match a rule.

You don't need to post your actual IPs from the routing tables, you can obscure them. Netmask/routing type/interface matching the expected values is more important than the actual IP.