How can I define an additional static route on the Management Interface?
I have a setup with a customer where the communication from the management interface to two specific IP addresses has to be routed over another next-hop, which is not the default gateway of the management interface. Therefore I need to define a static route on the management interface to use a different next-hop for traffic to these two specific IP addresses.
I have thought of the following which unfortunately isn't an option:
We still need the default gateway, so I can't change this.
We are not able to add a route to the default gateway so that it will handle the routing for these two IPs (political reason on the customer side)
I'm using two PA-3020s in an active/active cluster, therefore I don't think it is possible to enable management on a network interface, as I will not have a dedicated IP address per firewall.
What if you go to Device -> Setup -> Services and click on Service Route Configuration.
Choose "Select" instead of "Use management interface for all".
Select "MGT" for all services (default should be just fine but explicitly select interface will make it more visible which interface is being used).
And then in the field on the right named "Destination, Source Address" put your static route for these two specific IP addresses and use the MGT IP as source address in this configuration?
Thanks for your response.
Under "Service Route Configuration" I'm only able to define which source IP/interface shall be used when communicating with a specific destination IP address. Unfortunately what is missing is a field to define a different next-hop or gateway.
Doh! Oh yeah, sorry about that.
I guess your best option is to file this as a feature request through your SE.
A workaround might be to set up a dedicated dataplane interface and use that as your new management interface until this is resolved (unless there is some other method), and attach a dedicated VROUTER to it for the proper routing table.
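As an added illustration of the dataplane workaround described in the reply above (an example configuration written for this page, not from the original thread or from Palo Alto Networks), the idea is: put a Layer 3 interface into its own virtual router, give that virtual router the two host routes plus its own default route, and then point the firewall's service routes at that interface instead of MGT. Everything below is assumed for illustration: the interface ethernet1/4, the virtual router name mgmt-vr, the zone name mgmt-zone, the interface management profile name allow-mgmt, the RFC 5737 documentation addresses, and the `set` command syntax itself, which should be checked against the CLI of the installed PAN-OS release before use.

```text
# Assumed: ethernet1/4 becomes the "new management" interface with its own address
set network interface ethernet ethernet1/4 layer3 ip 192.0.2.10/24
set network interface ethernet ethernet1/4 layer3 interface-management-profile allow-mgmt

# Assumed: a dedicated virtual router that only carries this interface
set network virtual-router mgmt-vr interface ethernet1/4

# The two specific destinations go to the alternative next-hop (assumed 192.0.2.254) ...
set network virtual-router mgmt-vr routing-table ip static-route to-host-a destination 198.51.100.21/32 nexthop ip-address 192.0.2.254 interface ethernet1/4 metric 10
set network virtual-router mgmt-vr routing-table ip static-route to-host-b destination 198.51.100.22/32 nexthop ip-address 192.0.2.254 interface ethernet1/4 metric 10

# ... while everything else keeps using the normal default gateway (assumed 192.0.2.1)
set network virtual-router mgmt-vr routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 192.0.2.1 interface ethernet1/4 metric 10

# Assumed: the interface needs a zone, and the management profile must allow the services used
set zone mgmt-zone network layer3 ethernet1/4
set network profiles interface-management-profile allow-mgmt ping yes
set network profiles interface-management-profile allow-mgmt ssh yes

# Service routes: send the relevant services (syslog shown as an example) out of ethernet1/4
# instead of MGT, so the mgmt-vr routing table, not the MGT default gateway, decides the next-hop
set deviceconfig system route service syslog source interface ethernet1/4
set deviceconfig system route service syslog source address 192.0.2.10/24

# Destination-based service routes for the two hosts, for any service not listed explicitly
set deviceconfig system route destination 198.51.100.21/32 source interface ethernet1/4
set deviceconfig system route destination 198.51.100.21/32 source address 192.0.2.10/24
set deviceconfig system route destination 198.51.100.22/32 source interface ethernet1/4
set deviceconfig system route destination 198.51.100.22/32 source address 192.0.2.10/24
```

Two practical checks before committing: the upstream devices must have a return path to 192.0.2.10 through the same next-hops, and the interface management profile should be limited to the services actually required (a dataplane interface used for management is reachable from the data network, unlike the out-of-band MGT port, so a security policy restricting which sources may reach mgmt-zone is advisable). This example does not resolve the per-firewall address problem raised for the active/active cluster; that still has to be handled separately.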
The challenge I have with the dedicated dataplane interface is that I have two firewalls in an Active/Active cluster and as such am not able to dedicate a dataplane interface in order to have a dedicated IP address per firewall.
Why do you use active/active?
Could 2 standalone machines be an option in your case?
Another way could be to use VWIRE, so each box has two VWIREs, and then you have routers/switches before/after which simply run a 2x2 line etherchannel through your PA boxes.
switch/router1 int1 <-> PA1 (VWIRE1) <-> int1 switch/router3
switch/router2 int1 <-> PA1 (VWIRE2) <-> int1 switch/router4
switch/router1 int2 <-> PA2 (VWIRE1) <-> int2 switch/router3
switch/router2 int2 <-> PA2 (VWIRE2) <-> int2 switch/router4