02-21-2013 03:29 AM
Hi all,
How can I define an additional static route on the Management Interface?
I have a setup with a customer where the communication from the management interface to two specific IP addresses has to be routed over another next-hop which is not the default gateway of the management interface. Therefore I need to define a static route on the management interface to use a different next-hop for traffic from two specific IP addresses.
I have thought of the following, which unfortunately isn't an option:
- We still need the default gateway, so I can't change this.
- We are not able to add a route to the default gateway so that it will handle the routing for these two IPs (political reason on the customer side).
- I'm using two PA-3020 in an active/active cluster, therefore I don't think that it is possible to enable management on a network interface as I will not have a dedicated IP address per firewall.
Any ideas?
Thanks
Lars
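To make the requirement in the question concrete, here is an added example (not from the poster and not PAN-OS configuration) that models a management-interface routing table as a list of prefixes with next hops and resolves destinations by longest-prefix match. It shows why a default gateway alone cannot send two specific destinations elsewhere, and what two /32 host routes toward an alternate next hop would achieve. All addresses are constructed documentation ranges; the table layout and function names are assumptions for illustration.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not the poster's real network.
MGT_NETWORK = ipaddress.ip_network("192.0.2.0/24")
DEFAULT_GATEWAY = ipaddress.ip_address("192.0.2.1")
ALTERNATE_GATEWAY = ipaddress.ip_address("192.0.2.254")

# Routing table entries: (destination prefix, next hop or None for a connected route).
DEFAULT_ONLY = [
    (MGT_NETWORK, None),                         # directly connected management subnet
    (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GATEWAY),
]

# Same table plus two host routes (/32) for the destinations that must use another next hop.
WITH_HOST_ROUTES = DEFAULT_ONLY + [
    (ipaddress.ip_network("198.51.100.7/32"), ALTERNATE_GATEWAY),
    (ipaddress.ip_network("203.0.113.42/32"), ALTERNATE_GATEWAY),
]


def next_hop(destination, routes):
    """Return the next hop for a destination using longest-prefix match.

    The most specific (longest) matching prefix wins, so a /32 host route
    overrides the /0 default route for exactly that one address.  A connected
    route (next hop None) means the packet is delivered directly.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for network, gateway in routes:
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway)
    if best is None:
        raise ValueError(f"no route to {dst}")
    network, gateway = best
    return gateway if gateway is not None else dst


def route_report(destinations, routes):
    """Map each destination to the next hop it would be sent to (as strings)."""
    return {d: str(next_hop(d, routes)) for d in destinations}


if __name__ == "__main__":
    targets = ["198.51.100.7", "203.0.113.42", "203.0.113.99", "192.0.2.20"]
    print("default route only:")
    for d, hop in route_report(targets, DEFAULT_ONLY).items():
        print(f"  {d:>16} -> {hop}")
    print("with two host routes:")
    for d, hop in route_report(targets, WITH_HOST_ROUTES).items():
        print(f"  {d:>16} -> {hop}")
```

With only the default route, every off-subnet destination resolves to 192.0.2.1; once the two /32 entries exist, exactly those two destinations resolve to 192.0.2.254 while everything else, including a neighbouring address in the same /24 as one of them, still uses the default gateway.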
02-21-2013 11:27 PM
What if you go to Device -> Setup -> Services and click on Service Route Configuration.
Choose "Select" instead of "Use management interface for all".
Select "MGT" for all services (default should be just fine but explicitly select interface will make it more visible which interface is being used).
And then in the right field named "Destination, Source Address" put your static route for these two specific ip addresses and use the MGT ip as source address in this configuration?
02-22-2013 01:06 AM
Thanks for your response.
Under "Service Route Configuration" I'm only able to define what source IP/Interface shall be used when communicating with a specific destination IP address. Unfortunately what is missing is the field to define a different next-hop or gateway.
02-22-2013 01:50 AM
Doh! Oh yeah, sorry about that.
I guess your best option is to file this as a feature request through your SE.
A workaround might be to set up a dedicated dataplane interface and use that as your new mgmt interface until this is resolved (unless there is some other method), to which you then attach a dedicated VROUTER for the proper routing table.
02-22-2013 01:56 AM
The challenge which I have with the dedicated dataplane interface is that I have two firewalls in an Active/Active cluster and as such am not able to exclude a dataplane interface in order to have a dedicated IP address per firewall.
02-22-2013 02:07 PM
oh bummer...
Why do you use active/active?
Could 2 standalone machines be an option in your case?
Another way can be to use VWIRE so each box has two VWIREs, and then you have routers/switches before/after which simply just run a 2x2 line etherchannel through your PA-boxes.
Like so:
switch/router1 int1 <-> PA1 (VWIRE1) <-> int1 switch/router3
switch/router2 int1 <-> PA1 (VWIRE2) <-> int1 switch/router4
switch/router1 int2 <-> PA2 (VWIRE1) <-> int2 switch/router3
switch/router2 int2 <-> PA2 (VWIRE2) <-> int2 switch/router4