topic Re: exclude a network from static route in General Topics

exclude a network from static route

ceapen01 — Mon, 31 Jan 2022 13:50:12 GMT

Is it possible to exclude a network from static route.

For eg I have static route 10.20.0.0/16 to the core-switch.

unfortunately my management network (including PA) is 10.20.200.0/24

I dont want traffic to 10.20.200.0/24 going to core switch.

just exclude that network from the route. As it's directly connected to PA, it should take that path by default.

Re: exclude a network from static route

Adrian_Jensen — Mon, 31 Jan 2022 16:07:06 GMT

In network routing, the most specific route takes precedence. So in the most aggregated form, if you have a large network block to one destination and a small subset to a different destination you have an overlapping netblock route. For instance:

10.20.0.0/16 eth1/2 gw 192.168.2.1

10.20.200.0/24 eth1/3 gw 192.168.3.1

The 10.20.200.0/24 traffic will always take the more specific route unless the interface is down or the gateway is unreachable. Note that you actually have 3 (or more) routes that encompass the 10.20.200.0/24 above - you also need to consider the default route 0.0.0.0/0 eth1/1 gw 192.168.1.1 which will take the 10.20.200.0/24 traffic if the first 2 more specific routes are down.

The alternative is that you have to de-aggregate the routing into many netblocks to particular destinations. But again, if eth1/3 is down the 10.20.200.0/24 traffic will still take the default route.

10.20.0.0/17 eth1/2 gw 192.168.2.1

10.20.129.0/18 eth1/2 gw 192.168.2.1

10.20.192.0/21 eth1/2 gw 192.168.2.1

10.20.200.0/24 eth1/3 gw 192.168.3.1

10.20.201.0/24 eth1/2 gw 192.168.2.1

10.20.202.0/23 eth1/2 gw 192.168.2.1

10.20.204.0/22 eth1/2 gw 192.168.2.1

10.20.208.0/20 eth1/2 gw 192.168.2.1

10.20.224.0/19 eth1/2 gw 192.168.2.1

If you want to explicitly deny 10.20.200.0/24 traffic to any other destination then you need to create a blackhole route:

10.20.0.0/16 eth1/2 gw 192.168.2.1

10.20.200.0/24 eth1/3 gw 192.168.3.1 metric 10

10.20.200.0/24 tunnel.999 gw none metric 20

Re: exclude a network from static route

ceapen01 — Tue, 01 Feb 2022 12:14:29 GMT

thank you @Adrian_Jensen

I was looking for an option to route traffic via management interface. There is no option in PA to route via MGMT interface. As a workaround I have written separate routes.

When I connect via globalprotect, am not able to access the Management interface IP in GUI.

Re: exclude a network from static route

Adrian_Jensen — Tue, 01 Feb 2022 17:31:46 GMT

Yes, the management interface is not part of the dataplane, by design. So you can not route data in/out the management port, just use it for PA controller management. If, for some reason, you need a particular PA service to use a data port instead of the management port (or need to setup special port routing for that), you can do that from Setup -> Services -> Service Route Configuration. But it doesn't work the other direction.

If you absolutely do not want to pass management-port-bound data from your dataplane segement thru a third device, you could dedicate a dataplane port as the gateway for the management port and cross-connect it there, instead of an external switch/router.

Eth1/1 - External WAN zone

Eth1/2 - Internal LAN zone

Eth1/3 - Management Net zone [192.168.0.1] <-cable-> Mgmt - [192.168.0.2]