Enable Advanced Routing

PAN-OS 10.2 supports an Advanced Routing Engine.
Although a supported firewall can have a configuration that uses the legacy routing engine and a configuration that uses the Advanced Routing Engine, only one routing engine is in effect at a time. Each time you change the engine that the firewall will use (you enable or disable Advanced Routing to access the advanced engine or legacy engine, respectively), you must commit the configuration and reboot the firewall for the change to take effect.
Before you switch to the Advanced Routing Engine, make a backup of your current configuration.
Similarly, if you configure Panorama with a template that enables or disables Advanced Routing, after you commit and push the template to devices, you must reboot the devices in the template for the change to take effect.
When configuring Panorama, create device groups and Templates for devices that all use the same Advanced Routing setting (all enabled or all disabled). Panorama won’t push configurations with Advanced Routing enabled to lower-end firewalls that don’t support Advanced Routing. For those firewalls, Panorama will push a legacy configuration if one is present.
The Advanced Routing Engine supports multiple logical routers (known as virtual routers on the legacy routing engine). The number of logical routers supported depends on the firewall model and is the same as the number of virtual routers supported on the legacy routing engine. The Advanced Routing Engine has more convenient menu options and there are many settings that you can easily configure in a profile (authentication, timers, address family, or redistribution profile) that you apply to a BGP peer group or peer, for example. There are also many static route, OSPF, OSPFv3, RIPv2, multicast, and BFD settings on the Advanced Routing Engine.
The Advanced Routing Engine supports RIB filtering, which means you can create a route map to match static routes or routes received from other routing protocols and thus filter which routes are installed in the RIB for the logical router. This function is useful on firewalls with a smaller RIB or FIB capacity; you can still propagate the necessary routing updates without using memory needed elsewhere.
  1. Make a backup of your current configuration before you enable Advanced Routing.
  2. Enable the Advanced Routing Engine.
    1. Select
      Device
      Setup
      Management
      and edit the General Settings.
    2. Enable
      Advanced Routing
      .
    3. Before you click OK, make sure you have made a backup of your configuration for the legacy routing engine.
    4. Click
      OK
      .
    5. A message about preview mode appears; click
      Yes
      to proceed.
    6. Commit
      .
    7. Select
      Device
      Setup
      Operations
      and
      Reboot Device
      .
  3. Log back into the firewall.
  4. Select
    Network
    .
    Notice the menu items, which are more industry-standard and more detailed than the single item (Virtual Routers) on the legacy menu.
    Routing
    includes
    Logical Routers
    and
    Routing Profiles
    , which include
    BGP
    ,
    BFD
    ,
    OSPF
    ,
    OSPFv3
    ,
    RIPv2
    ,
    Filters
    , and
    Multicast
    .
  5. Select
    Interfaces
    and configure one or more Layer 3 interfaces with a static IP address or Configure an Interface as a DHCP Client.
  6. (
    Optional
    ) Create an Admin Role Profile to control granular access to logical routers and routing profiles for an Advanced Routing Engine.
    1. Select
      Device
      Admin Roles
      and
      Add
      an Admin Role Profile by
      Name
      .
    2. Select
      Web UI
      .
    3. Enable
      ,
      Disable
      , or select
      Read Only
      the following options:
      Network
      ,
      Routing
      ,
      Logical Routers
      ,
      Routing Profiles
      ,
      BGP
      ,
      BFD
      ,
      OSPF
      ,
      OSPFv3
      ,
      RIPv2
      ,
      Filters
      , and
      Multicast
      (default is Enable).
    4. Click
      OK
      .
    5. Assign the role to an administrator. Configure a Firewall Administrator Account.
  7. Commit
    the changes.

Recommended For You