I'm wondering if the Palo Alto firewall (PA3020) logs the ping traffic of a path monitoring setup, or if it can be configured to do so.
Let me explain why.
We have configured path monitoring on the default route through our primary ISP. During manual testing (unplug the ethernet cable) the failover to the secondary works just fine. However, we've seen a couple of recent events where connectivity went down for longer than the 2 minute wait time, but no failover happened.
The IP we are pinging is the default gateway of the ISP, so I'm pretty confident that whatever is breaking is happening further out on the ISP's network. But when management asks "Why didn't the connection fail over?" I'd like to be able to point at a log and say, "See here? The pings to the gateway went right on working. So the problem was outside our facility."
Unfortunately I am afraid that there is no way to see this traffic from the firewall.
The following KB explain the PBF and Tunnel Monitor, but Path monitor on static route is pretty much the same concept
Probes use ICMP echo requests with the source IP address of the egress interface as configured under the Forwarding tab of the PBF rule. Probes do not go through flow module. Route lookup/ policy lookup/ nat lookup etc. do not apply on these probes on the firewall where monitoring is configured. Probes are sent out of the same egress interface as configured in the PBF rule, either via the next hop mentioned, or in case of a tunnel interface, via the same tunnel. Further down the network, these probes should be treated as normal ICMP echo requests and for probes to be successful, proper Access Lists, routes should be configured. Probes are NOT sent out using the interface as returned by route lookup, so pinging the monitored target IP address from dataplane using CLI is not always a valid test to troubleshoot monitoring probe failures. Probes do not create sessions, or traffic logs or data plane debug logs or packet captures on the source firewall, so to check them the most appropriate place to check is outside firewall.
Basically FW does not have any visibilty over those probes - no log, no capture, no nothing.
The only way I can think of you can confirm path monitor status is by:
- looking at CLI status with > show routing path-monitor virtual-router <vr-name>
- looking at GUI system logs for subtype "routing"
I would agree that your problem is somewhere in the ISP, you may want to consider either:
- Start monitoring another public IP - for example 184.108.40.206
- Add additional IP to monitor and decide to failover either if both pings fail or any
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!