Enable Advanced Routing
PAN-OS 10.2 supports an Advanced Routing Engine. Although a supported firewall can have a configuration that uses the legacy routing engine and a configuration that uses the Advanced Routing Engine, only one routing engine is in effect at a time. Each time you change the engine that the firewall will use (you enable or disable Advanced Routing to access the advanced engine or legacy engine, respectively), you must commit the configuration and reboot the firewall for the change to take effect.
Before you switch to the Advanced Routing Engine, make a backup of your current configuration.
Similarly, if you configure Panorama with a template that enables or disables Advanced Routing, after you commit and push the template to devices, you must reboot the devices in the template for the change to take effect.
When configuring Panorama, create device groups and templates for devices that all use the same Advanced Routing setting (all enabled or all disabled). Panorama won’t push configurations with Advanced Routing enabled to lower-end firewalls that don’t support Advanced Routing. For those firewalls, Panorama will push a legacy configuration if one is present.
The Advanced Routing Engine supports multiple logical routers (known as virtual routers on the legacy routing engine). The number of logical routers supported depends on the firewall model and is the same as the number of virtual routers supported on the legacy routing engine. The Advanced Routing Engine has more convenient menu options and there are many settings that you can easily configure in a profile (authentication, timers, address family, or redistribution profile) that you apply to a BGP peer group or peer, for example. There are also many static route, OSPF, OSPFv3, RIPv2, multicast, and BFD settings on the Advanced Routing Engine.
The Advanced Routing Engine supports RIB filtering, which means you can create a route map to match static routes or routes received from other routing protocols and thus filter which routes are installed in the RIB for the logical router. This function is useful on firewalls with a smaller RIB or FIB capacity; you can still propagate the necessary routing updates without using memory needed elsewhere.
- Make a backup of your current configuration before you enable Advanced Routing.
- Enable the Advanced Routing Engine.
  - Select Device > Setup > Management and edit the General Settings.
  - Enable Advanced Routing.
  - Before you click OK, make sure you have made a backup of your configuration for the legacy routing engine.
  - Click OK.
  - (PAN-OS 10.2.0 to 10.2.3) A message about preview mode appears; click Yes to proceed to the Commit step.
  - (PAN-OS 10.2.4 and later 10.2 releases) A warning appears: Select Yes to have the migration script convert each virtual router to a logical router and migrate your configuration to the advanced routing engine. (Select Skip to restart the system with an empty configuration. Select Cancel to cancel the process to enable Advanced Routing.)
  - Click OK to approve the migration.
  - The virtual routers, links to the logical routers, and their color-coded status are listed. Resolve any issues that require user intervention. Select Continue.
  - Click Yes to accept the migrated configuration.
  - (PAN-OS 10.2.5 and later 10.2 releases) Click OK.
- Commit and then select Device > Setup > Operations and Reboot Device. Then log back into the firewall. If the migration is not successful, generate the technical support file, log in to the Palo Alto Networks Customer Support Portal, and report your issues to get help with your product.
- (Optional) After successful migration, you can delete all virtual routers using the configuration mode CLI command:
  - Execute the following command to remove all configurations from the legacy routing engine:
      username@hostname# delete network virtual-router <vr-name>
    You can delete virtual routers if you are going to make changes in the logical router configuration, which makes the virtual router configuration obsolete, causing commit failures. Although deleting virtual routers will avoid commit failures, be aware that deleting virtual routers will also permanently remove all configuration from the legacy routing engine and you won't be able to get the configuration back.
  - Commit the changes to the firewall.
      username@hostname# commit
  When configuring in Panorama, you can select Network > Virtual Routers to delete all virtual routers. Commit the changes and push them to the relevant firewalls before continuing.
- Log back into the firewall.
- Select Network. Notice the menu items, which are more industry-standard and more detailed than the single item (Virtual Routers) on the legacy menu. Routing includes Logical Routers and Routing Profiles, which include BGP, BFD, OSPF, OSPFv3, RIPv2, Filters, and Multicast.
- Select Interfaces and configure one or more Layer 3 interfaces with a static IP address or configure an interface as a DHCP client.
- (Optional) Create an Admin Role Profile to control granular access to logical routers and routing profiles for an Advanced Routing Engine.
  - Select Device > Admin Roles and Add an Admin Role Profile by Name.
  - Select Web UI.
  - Enable, Disable, or select Read Only for the following options: Network, Routing, Logical Routers, Routing Profiles, BGP, BFD, OSPF, OSPFv3, RIPv2, Filters, and Multicast (default is Enable).
  - Click OK.
  - Assign the role to an administrator (see Configure a Firewall Administrator Account).
- Commit the changes.
- Continue by configuring a logical router.
  If you downgrade from PAN-OS 10.2.5 or 10.2.4-h2 to a previous version, you must remove the SD-WAN virtual interface (VIF) from the logical router configurations before attempting a downgrade procedure. That is, you must select a different interface instead of the SD-WAN VIF interface in the following Logical Router configurations:
  - Select Logical Router > General > Interface and specify a different Interface.
  - Select Logical Router > Static and specify a different Interface.
  - Select Logical Router > BGP > Peer Group > Peer and specify a different Interface for Local Address.
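A pre-downgrade check for the SD-WAN VIF caveat above, as an added example that is not Palo Alto Networks code: it walks each logical router in an exported configuration file and reports every element that still references an SD-WAN virtual interface. Assumptions: logical routers sit under a `logical-router` element, SD-WAN VIFs are named `sdwan.<number>`, and the sample XML (including the element names inside each logical router) is constructed for illustration; `find_sdwan_references` is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: SD-WAN virtual interfaces are named "sdwan.<number>".
SDWAN_VIF = re.compile(r"^sdwan\.\d+$")

# Constructed sample shaped like an exported configuration. Element names
# inside <logical-router> are illustrative, not a schema reference.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><network>
<logical-router>
  <entry name="LR-branch"><vrf><entry name="default">
    <interface><member>ethernet1/1</member><member>sdwan.1</member></interface>
    <routing-table><ip><static-route>
      <entry name="to-hub"><interface>sdwan.1</interface></entry>
      <entry name="to-lan"><interface>ethernet1/2</interface></entry>
    </static-route></ip></routing-table>
    <bgp><peer-group><entry name="hubs"><peer><entry name="hub1">
      <local-address><interface>sdwan.1</interface></local-address>
    </entry></peer></entry></peer-group></bgp>
  </entry></vrf></entry>
  <entry name="LR-dc"><vrf><entry name="default">
    <interface><member>ethernet1/3</member></interface>
  </entry></vrf></entry>
</logical-router>
</network></entry></devices></config>"""

def _walk(elem, path, hits):
    """Depth-first search recording the path of each SD-WAN VIF reference."""
    label = elem.tag + (f"[{elem.get('name')}]" if elem.get("name") else "")
    here = path + [label]
    if elem.text and SDWAN_VIF.match(elem.text.strip()):
        hits.append(("/".join(here), elem.text.strip()))
    for child in elem:
        _walk(child, here, hits)

def find_sdwan_references(config_xml):
    """Return {logical router name: [(element path, interface), ...]}."""
    report = {}
    for lr in ET.fromstring(config_xml).iter("logical-router"):
        for entry in lr.findall("entry"):
            hits = []
            _walk(entry, [], hits)
            if hits:  # routers without SD-WAN references are omitted
                report[entry.get("name")] = hits
    return report

if __name__ == "__main__":
    for name, hits in find_sdwan_references(SAMPLE_CONFIG).items():
        for path, iface in hits:
            print(f"{name}: {iface} referenced at {path}")
```

An empty result means no logical router references an SD-WAN VIF in the general interface list, static routes, or BGP peer local address; any reported path has to be changed to a different interface before the downgrade.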