Document:PAN-OS® Networking Administrator’s Guide

Create a Static Route

Download PDF

Filter

Networking
- Networking Introduction
Configure Interfaces
- Tap Interfaces
- Virtual Wire Interfaces
- Layer 2 Interfaces
- Layer 3 Interfaces
  - Configure Layer 3 Interfaces
  - Manage IPv6 Hosts Using NDP
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
Virtual Routers
- Virtual Router Overview
- Configure Virtual Routers
Service Routes
- Service Routes Overview
- Configure Service Routes
Static Routes
- Static Route Overview
- Static Route Removal Based on Path Monitoring
- Configure a Static Route
- Configure Path Monitoring for a Static Route
RIP
- RIP Overview
- Configure RIP
OSPF
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation
BGP
- BGP Overview
- MP-BGP
- Configure BGP
- Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast
- Configure a BGP Peer with MP-BGP for IPv4 Multicast
- BGP Confederations
IP Multicast
- IGMP
- PIM
- Configure IP Multicast
- View IP Multicast Information
Route Redistribution
- Route Redistribution Overview
- Configure Route Redistribution
GRE Tunnels
- GRE Tunnel Overview
- Create a GRE Tunnel
DHCP
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- DHCP Addressing
  - DHCP Address Allocation Methods
  - DHCP Leases
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP
DNS
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Configure a Web Proxy
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
DDNS
- Dynamic DNS Overview
- Configure Dynamic DNS for Firewall Interfaces
NAT
- NAT Policy Rules
- Source NAT and Destination NAT
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
- Configure NAT
- NAT Configuration Examples
NPTv6
- NPTv6 Overview
  - Unique Local Addresses
  - Reasons to Use NPTv6
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy
NAT64
- NAT64 Overview
- IPv4-Embedded IPv6 Address
- DNS64 Server
- Path MTU Discovery
- IPv6-Initiated Communication
- Configure NAT64 for IPv6-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication with Port Translation
ECMP
- ECMP Load-Balancing Algorithms
- Configure ECMP on a Virtual Router
- Enable ECMP for Multiple BGP Autonomous Systems
- Verify ECMP
LLDP
- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics
BFD
- BFD Overview
- Configure BFD
- Reference: BFD Details
Session Settings and Timeouts
- Transport Layer Sessions
- TCP
- UDP
- ICMP
  - Security Policy Rules Based on ICMP and ICMPv6 Packets
  - ICMPv6 Rate Limiting
- Control Specific ICMP or ICMPv6 Types and Codes
- Configure Session Timeouts
- Configure Session Settings
- Session Distribution Policies
  - Session Distribution Policy Descriptions
  - Change the Session Distribution Policy and View Statistics
- Prevent TCP Split Handshake Session Establishment
Tunnel Content Inspection
- Tunnel Content Inspection Overview
- Configure Tunnel Content Inspection
- View Inspected Tunnel Activity
- View Tunnel Information in Logs
- Create a Custom Report Based on Tagged Tunnel Traffic
- Tunnel Acceleration Behavior
- Disable Tunnel Acceleration
Network Packet Broker
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
Advanced Routing
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
PoE
- PoE Overview
- Configure PoE

Create a Static Route

Create a static route for a logical router on an Advanced Routing Engine.

Configure a Logical Router.

Create a static route.

Select

Network

Routing

Logical Routers

and select the logical router.

Select

Static

and

Add

IPv4

IPv6

static route by

Name

(maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain a combination of alphanumeric characters, underscore, or hyphen. No dot (.) or space is allowed.

For

Destination

, enter the route and netmask (for example, 192.168.2.0/24 for an IPv4 address or 2001:db8:123:1::0/64 for an IPv6 address). If you’re creating a default route, enter the default route (0.0.0.0/0 for an IPv4 address or ::/0 for an IPv6 address). Alternatively, you can select or create an address object of type IP Netmask.

For

Interface

, specify the outgoing interface for packets to use to go to the next hop. Specifying an interface provides stricter control over which interface the firewall uses rather than using the interface in the route table for the next hop of this static route.

For

Next Hop

, select one of the following:

IP Address

IPv6 Address

—Enter the IP address (for example, 192.168.56.1 or 2001:db8:49e:1::1) when you want to route to a specific next hop. You must

Enable IPv6 on the interface

(when you Configure Layer 3 Interfaces) to use an IPv6 next hop address. If you’re creating a default route, for

Next Hop

you must select

IP Address

and enter the IP address for your internet gateway (for example, 192.168.56.1 or 2001:db8:49e:1::1). Alternatively, you can create an address object of type IP Netmask. The address object must have a netmask of /32 for IPv4 or /128 for IPv6.

Next LR

—Select to make the next logical router (in the list of logical routers) the next hop.

FQDN

—Enter a Fully Qualified Domain Name.

Discard

—Select to drop packets that are addressed to this destination.

None

—Select if there is no next hop for the route. For example, a point-to-point connection does not require a next hop because there is only one way for packets to go.

Enter the

Admin Dist

for the static route (range is 10 to 240; default is 10). This value overrides the

Static

Static IPv6

administrative distance specified for the logical router.

Enter a

Metric

for the static route (range is 1 to 65,535; default is 10).

(Optional) If you want to use BFD, select a

BFD Profile

you created, or select the

default

profile, or create a BFD profile to apply to the static route; default is

None (Disable BFD)

(Optional) Configure path monitoring for the static route; you can monitor up to 128 static routes.

Select

Path Monitoring

to allow configuration of path monitoring (default is disabled).

Enable

path monitoring (default is disabled).

Failure Condition

determines whether path monitoring for the static route is based on one (any) or all monitored destinations. Select whether

Any

All

of the monitored destinations for the static route must be unreachable by ICMP for the firewall to remove the static route from the RIB and FIB and add the static route that has the next lowest metric (going to the same destination) to the FiB.

Select

All

to avoid the possibility of any single monitored destination signaling a route failure when the destination is simply offline for maintenance, for example.

(Optional) Specify the

Preemptive Hold Time (min)

, the number of minutes a downed path monitor must remain in Up state before the firewall reinstalls the static route into the RIB; range is 0 to 1,440; default is 2. A setting of 0 (zero) causes the firewall to reinstall the route into the RIB immediately upon the path monitor coming up.

The path monitor evaluates all of its monitored destinations for the static route and comes up based on the

Any

All

failure condition. If a link goes down or flaps during the hold time, when the link comes back up, the path monitor resumes and the Preemptive Hold Time is reset, causing the timer to restart from zero.

Add

a path monitoring destination by

Name

Enable

the path monitoring destination.

For

Source IP

, select the IP address that the firewall uses in the ICMP ping to the monitored destination:

If an interface has multiple IP addresses, select one.

If you select an interface, the firewall uses the first IP address assigned to the interface by default.

If you select

DHCP (Use DHCP Client address)

, the firewall uses the address that DHCP assigned to the interface. To see the DHCP address, select

Network

Interfaces

Ethernet

and in the row for the Ethernet interface, click on

Dynamic DHCP Client

. The IP Address displays in the Dynamic IP Interface Status window.

For

Destination IP

, enter an IP address or address object to which the firewall will monitor the path. The monitored destination and static route destination must use the same address family (IPv4 or IPv6).

The destination IP address should belong to a reliable endpoint; you shouldn’t base path monitoring on a device that itself is unstable or unreliable.

(Optional) Specify the ICMP

Ping Interval (sec)

in seconds to determine how frequently the firewall monitors the path (range is 1 to 60; default is 3).

(Optional) Specify the ICMP

Ping Count

of packets that don’t return from the destination before the firewall considers the static route down and removes it from the RIB and FIB (range is 3 to 10; default is 5).

Click

to save the path monitor destination.

Click

twice to save the static route.

(Optional) Control the static routes that are placed in the global RIB.

You might configure static routes and redistribute them, but not want them in the protocol’s local route table or global RIB. You might want to add only specific static routes to the global RIB.

Select

Network

Routing

Logical Routers

and select a logical router.

Select

RIB Filter

to allow routes into or prevent routes from being added to the global RIB.

To filter IPv4 static routes and connected routes, for

Static Route-Map

, select a Redistribution Route Map or create a new one.

To filter IPv6 static routes and connected routes, for

Static Route-Map

, select a Redistribution Route Map or create a new one.

Click

(Optional) Change the default administrative distances for static IPv4 and static IPv6 routes within a logical router.

Commit

the changes.

Access the CLI to view the static route path monitor:

show advanced-routing static-route-path-monitor

. The PAN-OS CLI Quick Start lists additional commands in the CLI Cheat Sheet: Networking.

Document:PAN-OS® Networking Administrator’s Guide

Create a Static Route

Table of Contents

Create a Static Route

Most Popular

Recommended For You

Document:PAN-OS® Networking Administrator’s Guide

Create a Static Route

Table of Contents

Create a Static Route

Most Popular

Recommended For You

Recommended Videos