https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring/m-p/251622#M71551 <P>Hi All,</P><P>&nbsp;</P><P>We have PA-820 models with Active-Passive configuration.&nbsp;</P><P>&nbsp;</P><P>I have configured the static route path monitoring based on this guideline&nbsp;-&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/static-routes/static-route-removal-based-on-path-monitoring.html&nbsp;" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/static-routes/static-route-removal-based-on-path-monitoring.html&nbsp;</A></P><P>&nbsp;</P><P>&nbsp;</P><P>Just would like to know, would there any impact in removing the static route from Primary&nbsp;RIB and replaces it with the secondary route if testing is carried out by "removing cable of the primary link port (facing to ISP)".</P><P>&nbsp;</P><P>OR&nbsp;</P><P>&nbsp;</P><P>It's better to leave the cable connection of the primary link and just block the primary link source IP&nbsp;at the destination. In this way, the path monitoring wouldn't ping to a destination and it should replace&nbsp;with the secondary route.</P><P>&nbsp;</P><P>&nbsp;</P><P>I did the test with removing the primary link cable from the Active Palo Alto device and it didn't replace it with the secondary route. I guess, leave it cable in and block the source address at the destination its the best way. Any suggestions, please!&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you.</P><P>&nbsp;</P><P>CP</P> Thu, 28 Feb 2019 01:50:36 GMT ChiragP 2019-02-28T01:50:36Z https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring/m-p/251622#M71551 <P>Hi All,</P><P>&nbsp;</P><P>We have PA-820 models with Active-Passive configuration.&nbsp;</P><P>&nbsp;</P><P>I have configured the static route path monitoring based on this guideline&nbsp;-&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/static-routes/static-route-removal-based-on-path-monitoring.html&nbsp;" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/static-routes/static-route-removal-based-on-path-monitoring.html&nbsp;</A></P><P>&nbsp;</P><P>&nbsp;</P><P>Just would like to know, would there any impact in removing the static route from Primary&nbsp;RIB and replaces it with the secondary route if testing is carried out by "removing cable of the primary link port (facing to ISP)".</P><P>&nbsp;</P><P>OR&nbsp;</P><P>&nbsp;</P><P>It's better to leave the cable connection of the primary link and just block the primary link source IP&nbsp;at the destination. In this way, the path monitoring wouldn't ping to a destination and it should replace&nbsp;with the secondary route.</P><P>&nbsp;</P><P>&nbsp;</P><P>I did the test with removing the primary link cable from the Active Palo Alto device and it didn't replace it with the secondary route. I guess, leave it cable in and block the source address at the destination its the best way. Any suggestions, please!&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Thank you.</P><P>&nbsp;</P><P>CP</P> Thu, 28 Feb 2019 01:50:36 GMT https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring/m-p/251622#M71551 ChiragP 2019-02-28T01:50:36Z https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring/m-p/251653#M71555 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/104473">@ChiragP</a> ,</P><P>&nbsp;</P><P>As you said it yourself the path monitoring is just a constant ping sent from the Palo Alto firewall to the monitored IP.</P><P>&nbsp;</P><P>So in theory any reason for the pings packets to fail should disable the given static route. I would say both actions should end with same result.</P><P>&nbsp;</P><P>The only different I can think of for disconnecting the interface is the link monitoring under the HA setting. Are you sure that when you disconnected the cable the firewall hasn't failover to secondary member where the cable was still connected?</P><P>&nbsp;</P><P>Also I would suggest to check the FIB during your tests in order to be 100% sure which route is actually the active one:</P><P>&gt; show routing fib | match &lt;your-destination-network&gt;</P> Thu, 28 Feb 2019 08:07:22 GMT https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring/m-p/251653#M71555 aleksandar.astardzhiev 2019-02-28T08:07:22Z https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring/m-p/255866#M72564 <P>Hi Alexander,</P><P>&nbsp;</P><P>Many thanks for the reply.&nbsp;</P><P>&nbsp;</P><P>I haven't done the test yet after your post so didn't reply.&nbsp;</P><P>&nbsp;</P><P>I will complete the test again and post the results.&nbsp;</P><P>&nbsp;</P><P>Thank you.&nbsp;</P><P>&nbsp;</P><P>Regards.</P> Wed, 03 Apr 2019 06:04:00 GMT https://live.paloaltonetworks.com/t5/general-topics/static-route-path-monitoring/m-p/255866#M72564 ChiragP 2019-04-03T06:04:00Z