Configure a Logical Router
Configure a logical router to obtain Layer 3 routes to
other subnets.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
The firewall uses logical routers to obtain
Layer 3 routes to other subnets by you manually defining static
routes or through participation in one or more Layer 3 routing protocols
(dynamic routes). The routes the firewall obtains through these
methods populate the IP routing information base (RIB) on the firewall.
When a packet is destined for a subnet other than the one it
arrived on, the logical router obtains the best route from the RIB,
places it in the forwarding information base (FIB), and forwards
the packet to the next hop router defined in the FIB. The firewall
uses Ethernet switching to reach other devices on the same IP subnet.
The Ethernet, VLAN, and tunnel interfaces defined on the firewall receive and forward Layer 3
packets. The destination zone is derived from the outgoing interface based on the
forwarding criteria, and the firewall consults policy rules to identify the Security
policies that it applies to each packet. In addition to routing to other network
devices, logical routers can route to other logical routers within the same firewall
if a next hop is specified to point to another logical router.
You can configure Layer 3 interfaces to
participate with dynamic routing protocols (BGP, OSPF, OSPFv3, or RIP) as well as
add static routes. You can also create multiple logical routers, each maintaining a
separate set of routes that aren’t shared between logical routers, enabling you to
configure different routing behaviors for different interfaces.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > NGFW and Prisma Access > Device Settings > Routing > Logical Routers and select the Configuration Scope where you want to create the logical router. You can select a folder or firewall from your Folders, or select Snippets to configure the logical router in a snippet.
  The number of logical routers supported varies by firewall model. If you create multiple logical routers for a folder or snippet, verify that the firewalls associated with the folder or snippet support the number of logical routers you configure.
- Add Router.
- Enter a descriptive Name. A maximum of 31 characters is supported. The name must start with an alphanumeric character, underscore (_), or hyphen (-) and can contain a combination of alphanumeric characters, underscores (_), or hyphens (-). A dot (.) or space isn’t supported.
- (Optional) Configure Equal Cost Multiple Path (ECMP) processing. Enabling this setting allows the firewall to use up to four equal-cost routes to the same destination.
  - Enable ECMP.
  - Set the ECMP Max Path to specify the maximum number of equal-cost paths that can be copied from the RIB to the FIB. The default is 2; values of 2, 3, or 4 are supported.
  - Enable Symmetric Return of packets from server to client. Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall uses the ingress interface to send return packets rather than the interface ECMP would select. The Symmetric Return setting overrides load balancing. This behavior applies only to traffic flows from the server to the client.
  - Enable Strict Source Path to ensure that IKE and IPSec traffic originating at the firewall egresses the physical interface to which the source IP address of the IPSec tunnel belongs. When you enable ECMP, IKE and IPSec traffic originating at the firewall by default egresses an interface that the ECMP load-balancing method determines. Alternatively, by enabling Strict Source Path you can ensure that such traffic always egresses the physical interface to which the source IP address of the IPSec tunnel belongs. You would enable this function when the firewall has more than one ISP providing equal-cost paths to the same destination. ISPs typically perform a Reverse Path Forwarding (RPF) check (or a different check to prevent IP address spoofing) to confirm that traffic is egressing the same interface on which it arrived. Because ECMP would choose an egress interface based on the configured ECMP method (instead of choosing the source interface as the egress interface), that wouldn’t be what the ISP expects and the ISP could block legitimate return traffic. In this case, enable Strict Source Path so that the firewall uses as its egress interface the interface to which the source IP address of the IPSec tunnel belongs, the RPF check succeeds, and the ISP allows the return traffic.
  - Specify the load-balance Action for the logical router:
    - Balanced Round Robin (default)—Uses round-robin among the ECMP paths and rebalances paths when the number of paths changes.
    - IP Hash—Uses a hash of the source and destination IP addresses to determine which ECMP route to use. If you select this option, you can also select Use Source Address Only and Use Source/Destination Port for the hash.
    - IP Modulo—Uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
    - Weighted Round Robin—Uses round-robin and a relative weight to select from among the ECMP paths.
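To make the ECMP behaviour in this procedure concrete, here is an added Python model of how a logical router might pick an egress interface; it is not Palo Alto Networks code and does not reproduce PAN-OS internals. It copies at most ECMP Max Path routes from the RIB into the FIB, applies the four load-balance actions, and shows how Symmetric Return and Strict Source Path override the ECMP choice (including the failure case where the tunnel source address is owned by no FIB path). Interface names, addresses and the simplified IP Modulo arithmetic are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Path:
    iface: str       # egress interface
    local_ip: str    # firewall's own address on that interface
    weight: int = 1  # used only by Weighted Round Robin

# Constructed sample: two ISPs with equal-cost default routes; the third route
# exceeds ECMP Max Path 2 and so is never copied from the RIB to the FIB.
ISP_PATHS = [Path("ethernet1/1", "203.0.113.10"),
             Path("ethernet1/2", "198.51.100.10", weight=2),
             Path("ethernet1/3", "192.0.2.10")]

class LogicalRouter:
    def __init__(self, rib_paths, max_path=2, action="round_robin",
                 strict_source_path=False, symmetric_return=False, src_only=False):
        if max_path not in (2, 3, 4):
            raise ValueError("ECMP Max Path must be 2, 3 or 4")
        self.fib = list(rib_paths)[:max_path]  # only max_path routes reach the FIB
        self.action, self.src_only = action, src_only
        self.strict_source_path, self.symmetric_return = strict_source_path, symmetric_return
        self._rr = 0
        self._wrr = [p for p in self.fib for _ in range(p.weight)]

    def _ecmp(self, src, dst):
        n = len(self.fib)
        if self.action in ("round_robin", "weighted_round_robin"):
            ring = self.fib if self.action == "round_robin" else self._wrr
            self._rr += 1
            return ring[(self._rr - 1) % len(ring)]
        if self.action == "ip_hash":  # sha256 so the choice is stable across runs
            key = (src if self.src_only else f"{src}>{dst}").encode()
            return self.fib[int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % n]
        if self.action == "ip_modulo":  # simplified assumption: address sum modulo n
            return self.fib[(int(ip_address(src)) + int(ip_address(dst))) % n]
        raise ValueError(f"unknown load-balance action {self.action}")

    def egress(self, src, dst, ingress=None, server_to_client=False, fw_ipsec=False):
        if self.symmetric_return and server_to_client and ingress:
            return ingress  # Symmetric Return overrides ECMP for server->client flows
        if self.strict_source_path and fw_ipsec:  # pin IKE/IPSec to the interface owning
            owner = next((p for p in self.fib if p.local_ip == src), None)  # its source IP
            if owner is None:  # tunnel sourced from an address no FIB path owns
                raise LookupError(f"no FIB path owns tunnel source {src}")
            return owner.iface
        return self._ecmp(src, dst).iface
```

Without Strict Source Path, the ip_hash branch would pick either ISP for the firewall's own IPSec packets, which is exactly the case in which an upstream RPF check drops the return traffic.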