We are in the process of replacing an Internet-facing Check Point (NokiaIP560) deployment with Palo Alto (PA-2050) running PAN-OS 5.0.9. The current Check Point deployment has two equal cost default routes to the upstream providers routes. These two next hop IP addresses are the multi-group VRRP IP addresses to achieve outbound load sharing.

Below is the "show route" output from the Check Point firewall's routing table; it appears to show two equal cost static default routes.

S 0.0.0.0/0 via x.x.x.209, eth-s4p1c0, cost 0, age 31245795
            via x.x.x.210, eth-s4p1c0

Does anyone know if Palo Alto will support the above equal cost/metric default route in the way Check Point does?

If we attempt to add the two static routes as above, the commit fails with the error:

In virtual-router default, the static route Default-2 metric value 10 is not unique among static routes to destination 0.0.0.0/0.(Module: routed)
Config commit phase 1 aborted(Module: device)
Commit failed

If we are not able to duplicate the Check Point routing, we believe this would mean sending all outbound traffic on a single default route to a single upstream router IP address, and essentially lose the ability to load share the two upstream Internet circuits, thus losing 50% of outbound bandwidth.

Does anyone have any suggestions on our scenario?