Configure a Static Route
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure a Static Route
Configure a static route or a default route for a virtual
router.
Perform the following task to configure Static Routes or a default
route for a virtual router on the firewall.
- Configure a static route.
- Select NetworkVirtual Router and select the virtual router you are configuring, such as default.Select the Static Routes tab.Select IPv4 or IPv6, depending on the type of static route you want to configure.Add a Name (a maximum of 63 characters) for the route. The name must start with an alphanumeric character and can contain a combination of alphanumeric characters, underscore (_), hyphen (-), dot (.), and space.For Destination, enter the route and netmask (for example, 192.168.2.2/24 for an IPv4 address or 2001:db8:123:1::1/64 for an IPv6 address). If you’re creating a default route, enter the default route (0.0.0.0/0 for an IPv4 address or ::/0 for an IPv6 address). Alternatively, you can create an address object of type IP Netmask.(Optional) For Interface, specify the outgoing interface for packets to use to go to the next hop. Use this for stricter control over which interface the firewall uses rather than the interface in the route table for the next hop of this route.For Next Hop, select one of the following:
- IP Address—Enter the IP address (for example, 192.168.56.1 or 2001:db8:49e:1::1) when you want to route to a specific next hop. You must Enable IPv6 on the interface (when you Configure Layer 3 Interfaces) to use an IPv6 next hop address. If you’re creating a default route, for Next Hop you must select IP Address and enter the IP address for your Internet gateway (for example, 192.168.56.1 or 2001:db8:49e:1::1). Alternatively, you can create an address object of type IP Netmask. The address object must have a netmask of /32 for IPv4 or /128 for IPv6.While configuring static routes for a virtual router on the firewall, you can enter an IP address for the Next Hop router. Palo Alto Networks firewall treats the Next Hop IP address as an address object. Therefore, if you configure the Next Hop IP address (NetworkVirtual RouterStatic Routes) value same as the configured Address object name (ObjectsAddresses), then any modifications to the address object will reflect in the Next Hop IP address value also. That is, renaming the address object (ObjectsAddresses) will also rename the Next Hop IP address.
- Next VR—Select this option and then select a virtual router if you want to route internally to a different virtual router on the firewall.
- FQDN—Enter an FQDN or select an address object that uses an FQDN, or create a new address object of type FQDN.If you use an FQDN as a static route next hop, that FQDN must resolve to an IP address that belongs to the same subnet as the interface you configured for the static route; otherwise, the firewall rejects the resolution and the FQDN remains unresolved.The firewall uses only one IP address (from each IPv4 or IPv6 family type) from the DNS resolution of the FQDN. If the DNS resolution returns more than one address, the firewall uses the preferred IP address that matches the IP family type (IPv4 or IPv6) configured for the next hop. The preferred IP address is the first address the DNS server returns in its initial response. The firewall retains this address as preferred as long as the address appears in subsequent responses, regardless of its order.
- Discard—Select to drop packets that are addressed to this destination.
- None—Select if there is no next hop for the route. For example, a point-to-point connection does not require a next hop because there is only one way for packets to go.
Enter an Admin Distance for the route to override the default administrative distance set for static routes for this virtual router (range is 10 to 240; default is 10).Enter a Metric for the route (range is 1 to 65,535).Choose where to install the route.Select the Route Table (the RIB) into which you want the firewall to install the static route:- Unicast—Install the route in the unicast route table. Choose this option if you want the route used only for unicast traffic.
- Multicast—Install the route in the multicast route table (available for IPv4 routes only). Choose this option if you want the route used only for multicast traffic.
- Both—Install the route in the unicast and multicast route tables (available for IPv4 routes only). Choose this option if you want either unicast or multicast traffic to use the route.
- No Install—Do not install the route in either route table.
(Optional) If your firewall model supports BFD, you can apply a BFD Profile to the static route so that if the static route fails, the firewall removes the route from the RIB and FIB and uses an alternative route. Default is None.Click OK twice.Commit the configuration.