https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/123141#M46197 <P>Thanks. Unfortunately traceroute is not allowed on firewall. For outgoing self traffic of firewall, like ping/traceroute, should I need intra-zone policy to allow source address: self ip of firewall, destination: any ?</P><P>&nbsp;</P><P>But surprisingly, show routing route command does not show matching route. Strange ! or I am missing something</P><P>&nbsp;</P><P>Appreciated your reply</P> Wed, 02 Nov 2016 06:48:38 GMT ghostrider 2016-11-02T06:48:38Z https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/123007#M46191 <P>Hello Experts</P><P>&nbsp;</P><P>&nbsp;</P><P>I want to check which route is matching for some host IP like 10.155.7.33, so I can check the outgoing interface and destination zone for policy lookup. When I run the command “show routing route destination 10.155.7.33/32”, it is showing nothing. Although I have matching route 10.115.7.0/24 in the routing table.&nbsp;</P><P>&nbsp;</P><P>Kindly help !</P> Tue, 01 Nov 2016 20:11:20 GMT https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/123007#M46191 ghostrider 2016-11-01T20:11:20Z https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/123043#M46192 <P>Use traceroute command</P> Tue, 01 Nov 2016 22:08:58 GMT https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/123043#M46192 TranceforLife 2016-11-01T22:08:58Z https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/123141#M46197 <P>Thanks. Unfortunately traceroute is not allowed on firewall. For outgoing self traffic of firewall, like ping/traceroute, should I need intra-zone policy to allow source address: self ip of firewall, destination: any ?</P><P>&nbsp;</P><P>But surprisingly, show routing route command does not show matching route. Strange ! or I am missing something</P><P>&nbsp;</P><P>Appreciated your reply</P> Wed, 02 Nov 2016 06:48:38 GMT https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/123141#M46197 ghostrider 2016-11-02T06:48:38Z https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/123158#M46201 <P>Hi,</P><P>&nbsp;</P><P>intra-zone traffic is permitted by default on FW. Self-traffic is not scanned by security policies, so if it is destined to the FW or initiated by FW.&nbsp;</P><P>&nbsp;</P><P>Cheers&nbsp;</P> Wed, 02 Nov 2016 09:14:59 GMT https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/123158#M46201 TranceforLife 2016-11-02T09:14:59Z https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/123199#M46205 <P>Hello</P><P>&nbsp;</P><P>In our fw, intra-zone policies are blocked so In this case I need to create explicit rules for traffic destined to the FW or initiated by FW?</P><P>&nbsp;</P><P>Appreciated your reply</P> Wed, 02 Nov 2016 11:16:08 GMT https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/123199#M46205 ghostrider 2016-11-02T11:16:08Z https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/125103#M46397 <P>The "show" command would only find something if you had a route exactly for&nbsp;<SPAN>10.155.7.33/32.</SPAN></P><P><SPAN>However, what you want to use is the "test" command:</SPAN></P><P>&nbsp;</P><P><SPAN>test routing fib-lookup virtual-router default ip &lt;destination-ip&gt;</SPAN></P><P>&nbsp;</P><P><SPAN>Output will show which route matches this destination IP address.</SPAN></P> Tue, 08 Nov 2016 22:00:24 GMT https://live.paloaltonetworks.com/t5/general-topics/route-check-on-pa-firewall-longest-match-not-there/m-p/125103#M46397 Anon1 2016-11-08T22:00:24Z