topic Re: Static route on Management Interface in General Topics

Static route on Management Interface

LarsAtConsigas — Thu, 21 Feb 2013 11:29:55 GMT

Hi all,

how can I define an additional static route on the Management Interface?

I have a setup with a customer were the communication from the management interface to two specific IP addresses has to be routed over another next-hop which is not the default gateway of the management interface. Therefore I need to define a static route on the management interface to use a different next-hop for traffic from two specific IP addresses.

I have thought of the following which unfortunately isn't an option:

We still need the default gateway, so I can't change this.

We are not able to add a route to the default gateway so that it will handle the routing for these two IPs (political reason on the customer side)

I'm using two PA-3020 in a active/active cluster, therefore I don't think that it is possible to enable management on a network interface as I will not have a dedicated IP address per FireWall.

Any ideas?

Thanks

Lars

Re: Static route on Management Interface

mikand — Fri, 22 Feb 2013 07:27:12 GMT

What if you go to Device -> Setup -> Services and click on Service Route Configuration.

Choose "Select" instead of "Use management interface for all".

Select "MGT" for all services (default should be just fine but explicitly select interface will make it more visible which interface is being used).

And then in the right field named "Destination, Source Address" put your static route for these two specific ip addresses and use the MGT ip as source address in this configuration?

Re: Static route on Management Interface

LarsAtConsigas — Fri, 22 Feb 2013 09:06:23 GMT

Thanks for your response.

Under "Service Route Configuration" I'm only able to define what source IP/Interface shall be used when communicating with a specific destination IP address. Unfortunately what is missing is the field to define a different next-hop or gateway.

Re: Static route on Management Interface

mikand — Fri, 22 Feb 2013 09:50:31 GMT

doh! oh yeah sorry about that

I guess your best option is to file this as a feature request through your SE.

A workaround might be to setup a dedicated dataplane interface and use that as your new mgmtinterface until this is resolved (unless there is some other method) which you then attach a dedicated VROUTER for the proper routingtable.

Re: Static route on Management Interface

LarsAtConsigas — Fri, 22 Feb 2013 09:56:38 GMT

The challenge which I have with the dedicated dataplane interface is that I have two firewalls in an Active/Active cluster and as such are not able to exclude a dataplane interface in order to have a dedicated IP address per firewall.

Re: Static route on Management Interface

mikand — Fri, 22 Feb 2013 22:07:07 GMT

oh bummer...

Why do you use active/active?

Could 2 standalone machines be an option in your case?

Another way can be to use VWIRE so each box has two VWIREs and then your have routers/switches before/after which simply just run a 2x2 line etherchannel through your PA-boxes.

Like so:

switch/router1 int1 <-> PA1 (VWIRE1) <-> int1 switch/router3

switch/router2 int1 <-> PA1 (VWIRE2) <-> int1 switch/router4

switch/router1 int2 <-> PA2 (VWIRE1) <-> int2 switch/router3

switch/router2 int2 <-> PA2 (VWIRE2) <-> int2 switch/router4