exclude a network from static route


L2 Linker

Is it possible to exclude a network from a static route?

For e.g., I have a static route to the core switch.

Unfortunately my management network (including PA) is

I don't want traffic going to the core switch.

Just exclude that network from the route. As it's directly connected to the PA, it should take that path by default.


L6 Presenter

In network routing, the most specific route takes precedence. So in the most aggregated form, if you have a large network block to one destination and a small subset to a different destination, you have an overlapping netblock route. For instance:

eth1/2 gw
eth1/3 gw


The traffic will always take the more specific route unless the interface is down or the gateway is unreachable. Note that you actually have 3 (or more) routes that encompass the above - you also need to consider the default route eth1/1 gw which will take the traffic if the first 2 more specific routes are down.


The alternative is that you have to de-aggregate the routing into many netblocks to particular destinations. But again, if eth1/3 is down the traffic will still take the default route.

eth1/2 gw
eth1/2 gw
eth1/2 gw
eth1/3 gw
eth1/2 gw
eth1/2 gw
eth1/2 gw
eth1/2 gw
eth1/2 gw


If you want to explicitly deny traffic to any other destination then you need to create a blackhole route:

eth1/2 gw
eth1/3 gw metric 10
tunnel.999 gw none metric 20
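The three behaviours Adrian describes (most-specific route wins, a down interface makes traffic fall back to the less specific aggregate or default route, and a worse-metric blackhole route catching that fallback) can be checked in a small routing-table model. The Python below is an added example, not code from the thread or from Palo Alto Networks; the prefixes, interfaces, gateways and metrics are constructed sample values (the original post's addresses were not preserved), and `lookup`/`deaggregate` are names chosen here. It also shows the de-aggregation alternative from the post by computing the list of netblocks that cover an aggregate minus the excluded management network.

```python
import ipaddress

# Constructed sample route table (illustrative values, not from the thread).
# Each entry: (destination prefix, egress interface, next hop, metric).
# A next hop of None on a tunnel interface models the "gw none" blackhole route.
ROUTES = [
    ("0.0.0.0/0",    "eth1/1",     "198.51.100.1", 10),  # default route
    ("10.0.0.0/8",   "eth1/2",     "10.1.1.254",   10),  # aggregate to core switch
    ("10.99.0.0/24", "eth1/3",     "10.99.0.1",    10),  # more specific: management net
    ("10.99.0.0/24", "tunnel.999", None,           20),  # blackhole, only used if eth1/3 is down
]


def lookup(dst, routes=ROUTES, down_interfaces=()):
    """Longest-prefix match with a lower-metric tiebreak.

    Routes whose egress interface is in `down_interfaces` are skipped, which is
    what makes traffic fall back to the aggregate or default route.
    Returns None when no route matches at all.
    """
    addr = ipaddress.ip_address(dst)
    best = None  # ((prefixlen, -metric), interface, gateway)
    for prefix, iface, gw, metric in routes:
        net = ipaddress.ip_network(prefix)
        if iface in down_interfaces or addr not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix first, then lower metric
        if best is None or key > best[0]:
            best = (key, iface, gw)
    if best is None:
        return None
    _, iface, gw = best
    return {"interface": iface, "gateway": gw, "blackhole": gw is None}


def deaggregate(aggregate, exclude):
    """Return the netblocks that cover `aggregate` without covering `exclude`.

    This is the de-aggregated route list the post describes as the alternative
    to relying on an overlapping more-specific route.
    """
    agg = ipaddress.ip_network(aggregate)
    exc = ipaddress.ip_network(exclude)
    return sorted(agg.address_exclude(exc))


if __name__ == "__main__":
    mgmt_host, lan_host = "10.99.0.5", "10.5.5.5"
    print("mgmt host, all links up:    ", lookup(mgmt_host))
    print("mgmt host, eth1/3 down:     ", lookup(mgmt_host, down_interfaces={"eth1/3"}))
    print("mgmt host, no blackhole:    ", lookup(mgmt_host, ROUTES[:3], {"eth1/3"}))
    print("lan host, all links up:     ", lookup(lan_host))
    print("lan host, eth1/2 down:      ", lookup(lan_host, down_interfaces={"eth1/2"}))
    for net in deaggregate("10.0.0.0/8", "10.99.0.0/24"):
        print("de-aggregated route:", net, "-> eth1/2")
```

Running it shows the management host leaving via eth1/3 while that link is up, hitting the tunnel.999 blackhole when it is down, and leaking to the eth1/2 aggregate when no blackhole route exists; the de-aggregation yields 16 netblocks (/9 through /24) that together cover 10.0.0.0/8 minus the management /24.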


L2 Linker

thank you @Adrian_Jensen 

I was looking for an option to route traffic via management interface. There is no option in PA to route via MGMT interface. As a workaround I have written separate routes.


When I connect via GlobalProtect, I am not able to access the management interface IP in the GUI.

L6 Presenter

Yes, the management interface is not part of the dataplane, by design. So you cannot route data in/out the management port; just use it for PA controller management. If, for some reason, you need a particular PA service to use a data port instead of the management port (or need to set up special port routing for that), you can do that from Setup -> Services -> Service Route Configuration. But it doesn't work the other direction.


If you absolutely do not want to pass management-port-bound data from your dataplane segment through a third device, you could dedicate a dataplane port as the gateway for the management port and cross-connect it there, instead of an external switch/router.

Eth1/1 - External WAN zone

Eth1/2 - Internal LAN zone

Eth1/3 - Management Net zone []  <-cable->  Mgmt - []

