07-07-2020 08:56 AM
So, I am new to Palo Alto firewalls and have had an interesting time getting to know their functions. I have a question which I have not been able to find the answer to regarding HA path monitoring setup, specifically with a virtual router. Albeit, I have only been looking for a few days.
According to my understanding, when you set up path monitoring and you choose "virtual-router" for the type, there is no option to specify a source interface or IP. This is because it uses the virtual-router’s routing table to get to the destination in your path monitoring group. However, every ping MUST have a source IP.
This begs the question,
Which source interface/IP does the PA unit use in order to ping the destination IP for the condition to be true?
For instance,
Should path monitoring be set up with a destination to plain old 8.8.8.8 to simply monitor very basic internet connectivity, and we have a static default route in the routing table in order to handle this.
Does anyone know?
07-08-2020 07:10 AM
Hi,
This is explained (although not very well IMHO) in the device's help page:
Source IP—For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets sent to the next-hop router (Destination IP address). The local router must be able to route the address to the firewall. The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address.
So these ICMP packets egress the interface via virtual router lookup, and not through the management interface.
Shai
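The rule quoted from the help page, as an added example that is not part of the original posts and is not PAN-OS code: a simplified longest-prefix-match lookup that returns the egress interface and the source IP a virtual-router path-monitoring probe would carry. The interface names, addresses and routes are constructed sample data, and the model ignores metrics and administrative distance.

```python
import ipaddress

# Constructed sample data (assumptions, not taken from the thread).
INTERFACES = {
    "ethernet1/1": "203.0.113.2/30",   # ISP uplink
    "ethernet1/2": "10.10.0.1/24",     # internal network
    "ethernet1/3": "198.51.100.2/30",  # second uplink
}
ROUTES = [
    ("0.0.0.0/0", "ethernet1/1"),      # static default route
    ("10.10.0.0/24", "ethernet1/2"),   # connected route
    ("8.8.8.0/24", "ethernet1/3"),     # more specific static route
]


def probe_source(dest, routes, interfaces):
    """Return (egress_interface, source_ip) for a probe to dest.

    The most specific matching route wins; the source IP is the address
    configured on that route's egress interface. Returns None when the
    route table has no match, in which case the probe cannot be sent.
    """
    dest_ip = ipaddress.ip_address(dest)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dest_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    if best is None:
        return None
    ifname = best[1]
    return ifname, str(ipaddress.ip_interface(interfaces[ifname]).ip)


if __name__ == "__main__":
    # Only a default route: the probe to 8.8.8.8 is sourced from the uplink.
    print(probe_source("8.8.8.8", ROUTES[:1], INTERFACES))
    # A more specific route silently moves the probe to another interface.
    print(probe_source("8.8.8.8", ROUTES, INTERFACES))
```

The second call shows why the probe's source can change without touching the HA configuration: adding a more specific route for the monitored destination changes the egress interface, so upstream devices and security policy must permit ICMP from that interface's address.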
07-08-2020 07:18 AM
Hi ShaiW,
Thank you for your answer on this.