01-31-2022 05:50 AM
Is it possible to exclude a network from a static route?
For example, I have a static route 10.20.0.0/16 to the core switch.
Unfortunately my management network (including the PA) is 10.20.200.0/24.
I don't want traffic to 10.20.200.0/24 going to the core switch.
I just want to exclude that network from the route. As it's directly connected to the PA, it should take that path by default.
01-31-2022 08:07 AM
In network routing, the most specific route takes precedence. So in the most aggregated form, if you have a large network block to one destination and a small subset to a different destination you have an overlapping netblock route. For instance:
10.20.0.0/16 eth1/2 gw 192.168.2.1
10.20.200.0/24 eth1/3 gw 192.168.3.1
The 10.20.200.0/24 traffic will always take the more specific route unless the interface is down or the gateway is unreachable. Note that you actually have 3 (or more) routes that encompass the 10.20.200.0/24 above - you also need to consider the default route 0.0.0.0/0 eth1/1 gw 192.168.1.1 which will take the 10.20.200.0/24 traffic if the first 2 more specific routes are down.
The alternative is that you have to de-aggregate the routing into many netblocks to particular destinations. But again, if eth1/3 is down the 10.20.200.0/24 traffic will still take the default route.
10.20.0.0/17 eth1/2 gw 192.168.2.1
10.20.128.0/18 eth1/2 gw 192.168.2.1
10.20.192.0/21 eth1/2 gw 192.168.2.1
10.20.200.0/24 eth1/3 gw 192.168.3.1
10.20.201.0/24 eth1/2 gw 192.168.2.1
10.20.202.0/23 eth1/2 gw 192.168.2.1
10.20.204.0/22 eth1/2 gw 192.168.2.1
10.20.208.0/20 eth1/2 gw 192.168.2.1
10.20.224.0/19 eth1/2 gw 192.168.2.1
If you want to explicitly deny 10.20.200.0/24 traffic to any other destination then you need to create a blackhole route:
10.20.0.0/16 eth1/2 gw 192.168.2.1
10.20.200.0/24 eth1/3 gw 192.168.3.1 metric 10
10.20.200.0/24 tunnel.999 gw none metric 20
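The longest-prefix-match behaviour and the de-aggregation described in the reply above, as an added Python example (not code from the thread or from PAN-OS). The route table is constructed from the reply's listings; an interface being down is modelled simply by skipping routes whose interface is in a `down` set, and the de-aggregation is computed with `ipaddress.address_exclude`, which yields the same eight eth1/2 netblocks as the listing (with 10.20.128.0/18 as the /18 block):

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gw: str
    metric: int = 10


def N(s):
    return ipaddress.ip_network(s)


def lookup(table, dst, down=frozenset()):
    """Longest-prefix match; ties (same prefix length) go to the lowest metric.
    Routes whose interface is in `down` are ignored, as a down link would be."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in table if r.iface not in down and dst in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def next_hop(table, dst, down=frozenset()):
    """(interface, gateway) the packet would leave on, or None if no route."""
    r = lookup(table, dst, down)
    return (r.iface, r.gw) if r else None


def deaggregate(supernet, excluded):
    """Netblocks that cover `supernet` minus `excluded` (the many-routes alternative)."""
    nets = N(supernet).address_exclude(N(excluded))
    return [str(n) for n in sorted(nets)]


# Constructed from the reply: default route, the /16 aggregate, the specific /24.
TABLE = [
    Route(N("0.0.0.0/0"), "eth1/1", "192.168.1.1"),
    Route(N("10.20.0.0/16"), "eth1/2", "192.168.2.1"),
    Route(N("10.20.200.0/24"), "eth1/3", "192.168.3.1"),
]
# Same table plus the blackhole route with a worse metric (the reply's last listing).
TABLE_BH = TABLE + [Route(N("10.20.200.0/24"), "tunnel.999", "none", metric=20)]
# De-aggregated variant: eight eth1/2 routes instead of the /16, plus the /24 and default.
TABLE_DEAGG = [TABLE[0], TABLE[2]] + [
    Route(N(p), "eth1/2", "192.168.2.1") for p in deaggregate("10.20.0.0/16", "10.20.200.0/24")
]
```

With eth1/3 down, `TABLE` sends 10.20.200.x to the core switch via the /16, `TABLE_DEAGG` sends it out the default route, and only `TABLE_BH` drops it into tunnel.999.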
02-01-2022 04:14 AM
thank you @Adrian_Jensen
I was looking for an option to route traffic via management interface. There is no option in PA to route via MGMT interface. As a workaround I have written separate routes.
When I connect via GlobalProtect, I am not able to access the management interface IP in the GUI.
02-01-2022 09:31 AM
Yes, the management interface is not part of the dataplane, by design. So you cannot route data in/out the management port; just use it for PA controller management. If, for some reason, you need a particular PA service to use a data port instead of the management port (or need to set up special port routing for that), you can do that from Setup -> Services -> Service Route Configuration. But it doesn't work the other direction.
If you absolutely do not want to pass management-port-bound data from your dataplane segment through a third device, you could dedicate a dataplane port as the gateway for the management port and cross-connect it there, instead of an external switch/router.
Eth1/1 - External WAN zone
Eth1/2 - Internal LAN zone
Eth1/3 - Management Net zone [192.168.0.1] <-cable-> Mgmt - [192.168.0.2]