Configure a Static Route

Configure a static route or a default route for a virtual router.
Perform the following task to configure Static Routes or a default route for a virtual router on the firewall.
  1. Configure a static route.
    1. Select Network > Virtual Router and select the virtual router you are configuring, such as default.
    2. Select the Static Routes tab.
    3. Select IPv4 or IPv6, depending on the type of static route you want to configure.
    4. Add a Name (a maximum of 63 characters) for the route. The name must start with an alphanumeric character and can contain a combination of alphanumeric characters, underscore (_), hyphen (-), dot (.), and space.
    5. For Destination, enter the route and netmask (for example, 192.168.2.2/24 for an IPv4 address or 2001:db8:123:1::1/64 for an IPv6 address). If you’re creating a default route, enter the default route (0.0.0.0/0 for an IPv4 address or ::/0 for an IPv6 address). Alternatively, you can create an address object of type IP Netmask.
    6. (Optional) For Interface, specify the outgoing interface for packets to use to go to the next hop. Use this for stricter control over which interface the firewall uses rather than the interface in the route table for the next hop of this route.
    7. For Next Hop, select one of the following:
      • IP Address—Enter the IP address (for example, 192.168.56.1 or 2001:db8:49e:1::1) when you want to route to a specific next hop. You must Enable IPv6 on the interface (when you Configure Layer 3 Interfaces) to use an IPv6 next hop address. If you’re creating a default route, for Next Hop you must select IP Address and enter the IP address for your Internet gateway (for example, 192.168.56.1 or 2001:db8:49e:1::1). Alternatively, you can create an address object of type IP Netmask. The address object must have a netmask of /32 for IPv4 or /128 for IPv6.
        While configuring static routes for a virtual router on the firewall, you can enter an IP address for the Next Hop router. The Palo Alto Networks firewall treats the Next Hop IP address as an address object. Therefore, if the Next Hop IP address value you configure (Network > Virtual Router > Static Routes) is the same as the name of a configured address object (Objects > Addresses), any modification to the address object is also reflected in the Next Hop IP address value. That is, renaming the address object (Objects > Addresses) also renames the Next Hop IP address.
      • Next VR—Select this option and then select a virtual router if you want to route internally to a different virtual router on the firewall.
      • FQDN—Enter an FQDN or select an address object that uses an FQDN, or create a new address object of type FQDN.
        If you use an FQDN as a static route next hop, that FQDN must resolve to an IP address that belongs to the same subnet as the interface you configured for the static route; otherwise, the firewall rejects the resolution and the FQDN remains unresolved.
        The firewall uses only one IP address (from each IPv4 or IPv6 family type) from the DNS resolution of the FQDN. If the DNS resolution returns more than one address, the firewall uses the preferred IP address that matches the IP family type (IPv4 or IPv6) configured for the next hop. The preferred IP address is the first address the DNS server returns in its initial response. The firewall retains this address as preferred as long as the address appears in subsequent responses, regardless of its order.
      • Discard—Select to drop packets that are addressed to this destination.
      • None—Select if there is no next hop for the route. For example, a point-to-point connection does not require a next hop because there is only one way for packets to go.
    8. Enter an Admin Distance for the route to override the default administrative distance set for static routes for this virtual router (range is 10 to 240; default is 10).
    9. Enter a Metric for the route (range is 1 to 65,535).
  2. Choose where to install the route.
    Select the Route Table (the RIB) into which you want the firewall to install the static route:
    • Unicast—Install the route in the unicast route table. Choose this option if you want the route used only for unicast traffic.
    • Multicast—Install the route in the multicast route table (available for IPv4 routes only). Choose this option if you want the route used only for multicast traffic.
    • Both—Install the route in the unicast and multicast route tables (available for IPv4 routes only). Choose this option if you want either unicast or multicast traffic to use the route.
    • No Install—Do not install the route in either route table.
  3. (Optional) If your firewall model supports BFD, you can apply a BFD Profile to the static route so that if the static route fails, the firewall removes the route from the RIB and FIB and uses an alternative route. Default is None.
  4. Click OK twice.
  5. Commit the configuration.
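
The FQDN next-hop rules from the Next Hop step can be modeled to preview how a change in DNS answers would move a static route. This is an added example, not Palo Alto Networks code; the function names and sample addresses are constructed. It assumes the next hop's IP family is that of the interface address, that only the preferred address is checked against the interface subnet, and that the first address of a later response becomes preferred once the old one disappears (the page does not state the last two).

```python
import ipaddress


def pick_preferred(answers, family, previous=None):
    """Return the single address of `family` (4 or 6) taken from a DNS response."""
    same_family = [ipaddress.ip_address(a) for a in answers]
    same_family = [a for a in same_family if a.version == family]
    if previous is not None and ipaddress.ip_address(previous) in same_family:
        # The preferred address is retained while it still appears, in any order.
        return ipaddress.ip_address(previous)
    # Initial response (or preferred address gone): first address of the family.
    return same_family[0] if same_family else None


def resolve_next_hop(interface_cidr, answers, previous=None):
    """Model one DNS refresh. Returns (next_hop or None, reason)."""
    iface = ipaddress.ip_interface(interface_cidr)
    candidate = pick_preferred(answers, iface.version, previous)
    if candidate is None:
        return None, "unresolved: no address of the next hop's IP family"
    if candidate not in iface.network:
        # Outside the interface subnet: resolution rejected, FQDN stays unresolved.
        return None, f"unresolved: {candidate} is outside {iface.network}"
    return str(candidate), "resolved"


def replay(interface_cidr, responses):
    """Apply successive DNS responses and return the next hop after each one."""
    history, previous = [], None
    for answers in responses:
        previous, _reason = resolve_next_hop(interface_cidr, answers, previous)
        history.append(previous)
    return history


# Constructed sample: interface address and five successive DNS responses.
SAMPLE_INTERFACE = "192.168.56.2/24"
SAMPLE_RESPONSES = [
    ["192.168.56.1", "192.168.56.254", "2001:db8:49e:1::1"],  # initial response
    ["192.168.56.254", "192.168.56.1"],   # reordered: preferred retained
    ["192.168.56.254"],                   # preferred gone: new first address
    ["203.0.113.10", "192.168.56.254"],   # preferred still present
    ["203.0.113.10"],                     # outside the interface subnet
]

if __name__ == "__main__":
    for hop in replay(SAMPLE_INTERFACE, SAMPLE_RESPONSES):
        print(hop)
```

A next hop that changes or becomes unresolved between refreshes is worth alerting on, because the route then depends on whatever the DNS server returns.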
