This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HA Path Monitoring using virtual-router

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

HA Path Monitoring using virtual-router

Go to solution
KarienVerster
L0 Member

‎07-07-2020 08:56 AM

So, I am new to Palo Alto firewalls and have had an interesting time getting to know their functions.  I have a question which I have not been able to find the answer on regarding HA path monitoring setup specifically with a virtual router.  Albeit, I have only been looking for a few days.

According to my understanding, when you setup path monitoring and you choose "virtual-router" for the type, there is no option to specify a source interface or IP.  This is because it uses the virtual-router’s routing table to get to the destination in your path monitoring group.  However, every ping MUST have a source IP.

This begs the question,

Which source interface/IP does the PA unit use in order to ping the destination IP for the condition to be true?

 

For instance,

Should path monitoring be setup with a destination to plain old 8.8.8.8 to simply monitor very basic internet connectivity, and we have a static default route in the routing table in order to handle this.

  1.  Does the PA use the interface (and therefor IP) to which it has the closest route towards this destination path?  
  2.  Or does it for some reason use it’s management interface? (I hope not)

Does anyone know?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
ShaiW
L4 Transporter

‎07-08-2020 07:10 AM

Hi,

 

This is explained (although not very well IMHO) in the device's help page:

 

Source IP—For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets sent to the next-hop router (Destination IP address). The local router must be able to route the address to the firewall. The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address.

 

So these ICMP packets egress the interface via virtual router lookup, and not through the management interface.

 

Shai

 

Shai

View solution in original post

2 REPLIES 2

Go to solution
ShaiW
L4 Transporter

‎07-08-2020 07:10 AM

Hi,

 

This is explained (although not very well IMHO) in the device's help page:

 

Source IP—For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets sent to the next-hop router (Destination IP address). The local router must be able to route the address to the firewall. The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address.

 

So these ICMP packets egress the interface via virtual router lookup, and not through the management interface.

 

Shai

 

Shai

Go to solution
KarienVerster
L0 Member
In response to ShaiW

‎07-08-2020 07:18 AM

Hi ShaiW, 

 

Thank you for your answer on this.

 

0 Likes Likes
  • 1 accepted solution
  • 3699 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks