10-04-2022 01:40 PM - edited 10-04-2022 11:04 PM
Hello. New to Palos. I have a question re routing.
I have an interface with, say, 1.1.1.1/24. There is a router on the same network on 1.1.1.2.
I have had to add a static route in order to ping/communicate with 1.1.1.2.
Is this normal Palo behaviour?
10-04-2022 04:57 PM
Hello @nemeses666
thanks for the post.
Yes, this is a correct understanding. Unless you have dynamic routing in place, for any indirectly connected subnet, you will have to configure a static route with an egress interface. Here is a KB for reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001V3WCAU&lang=en_US%E2%80%A...
If the other subnet has a route back, this communication should be functional.
Kind Regards
Pavel
10-04-2022 11:05 PM
Hi. I have edited my post as I originally wrote it incorrectly.
10-04-2022 11:48 PM
Thank you for the reply @nemeses666
Looking at your edited post, no, this is not expected behavior. May I ask how you diagnosed/concluded that adding the static route is resolving this issue?
Regarding ping, by default it uses the management interface. If you want to change it to a data plane interface, you have to specify the source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clk7CAC
Kind Regards
Pavel
10-05-2022 12:10 AM
Hi Pavel. Without the static route I am unable to communicate with the IP address attached to the local interface. Even using the 'source' option with ping I am unable to ping 1.1.1.2 unless the static route exists. A site to site VPN will not come up without it. I can see the IKE packets from the remote peer; however, the Palo does not respond unless the static is in place.
10-05-2022 08:57 AM
There are an awful lot of things that could be going on: multiple route tables, more specific routes, incorrect netmask, NATs, PBFs, etc. Starting simple since you say you cannot ping the directly attached host (this shouldn't need a source option since the device is locally connected, i.e.):
PA> ping host 1.1.1.2
Remove the static route for 1.1.1.0/24 you put in. Can you ping the PA itself?
PA> ping host 1.1.1.1
What does the routing table show for a destination matching 1.1.1.2?
PA> show routing route
10-05-2022 11:58 PM
Hi Adrian.
If I remove the static (which just points to the Interface) I can still ping the locally attached address however not 1.1.1.2.
10-06-2022 11:37 AM
And what is the routing table?
10-07-2022 01:49 AM
Adrian,
Can you explain how the routing table is relevant when the address I wish to ping is in a directly connected network? I am unable to present the routing table on a public platform due to company security policies.
10-07-2022 08:57 AM
Because the routing table will show:
- the route mask applied to the route, which may indicate an incorrect or corrupted netmask applied to the interface
- route existing on an alternate interface, meaning the IP range is already being used elsewhere on the PA
- route existing with something other than "C" connected status, i.e. it's being learned from elsewhere, overridden by some other static route "S", etc.
- a more specific route is redirecting traffic to another interface
- look at whether the route exists in your default routing table, as well as in alternate routing tables which may exist in your specific configuration
Also look carefully through your PBFs to see if something might be matching/redirecting traffic there. There is a "Test Policy Match" tool at the bottom that you can use to see if traffic would potentially match a rule.
You don't need to post your actual IPs from the routing tables, you can obscure them. Netmask/routing type/interface matching the expected values is more important than the actual IP.
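The checks in the list above, applied to a routing table by longest-prefix match, as an added example that is not part of the thread. The table is constructed sample data in a simplified tuple form (not real PAN-OS output); the interface names, the `vr2` table name and the finding codes are assumptions for illustration.

```python
import ipaddress

# Constructed sample table (illustrative tuples, not real PAN-OS output).
# Fields: (route table, destination, type, interface); "C"/"S" as in the reply.
ROUTES = [
    ("default", "0.0.0.0/0",  "S", "ethernet1/1"),
    ("default", "1.1.1.0/25", "C", "ethernet1/3"),   # mask differs from /24
    ("default", "1.1.1.2/32", "S", "ethernet1/4"),   # more specific static
    ("vr2",     "1.1.1.0/24", "C", "ethernet1/5"),   # same range elsewhere
]

def diagnose(routes, target, expected_net, expected_if, table="default"):
    """Longest-prefix match for target, plus the checks from the list above."""
    ip = ipaddress.ip_address(target)
    want = ipaddress.ip_network(expected_net)
    parsed = [(t, ipaddress.ip_network(d), f, i) for t, d, f, i in routes]
    covering = [r for r in parsed if ip in r[1]]
    # The route that actually forwards the packet: longest prefix in this table.
    best = max((r for r in covering if r[0] == table),
               key=lambda r: r[1].prefixlen, default=None)
    if best is None:
        return None, [("NO_ROUTE", f"nothing in {table} covers {ip}")]
    findings = []
    _, net, flag, iface = best
    if flag != "C":
        findings.append(("NOT_CONNECTED", f"{net} wins with type {flag}"))
    if iface != expected_if:
        findings.append(("WRONG_INTERFACE", f"{net} exits {iface}"))
    if net.prefixlen > want.prefixlen:
        findings.append(("MORE_SPECIFIC", f"{net} overrides {want}"))
    # Connected route on the expected interface whose mask is not the expected one.
    for t, n, f, i in parsed:
        if t == table and f == "C" and i == expected_if and n != want:
            findings.append(("MASK_MISMATCH", f"{i} has {n}, expected {want}"))
    # Same range connected on another interface or in another route table.
    for t, n, f, i in covering:
        if f == "C" and (t, i) != (table, expected_if):
            findings.append(("RANGE_ELSEWHERE", f"{n} on {i} in table {t}"))
    return best, findings

if __name__ == "__main__":
    best, findings = diagnose(ROUTES, "1.1.1.2", "1.1.1.0/24", "ethernet1/3")
    print("winning route:", best)
    for code, detail in findings:
        print(f"{code}: {detail}")
```

A table holding only the expected connected /24 on the expected interface returns no findings, which is the healthy baseline to compare an obscured real table against.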