Network > Routing > Logical Routers > General
Table of Contents
11.2
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > Interfaces > PoE
- Network > Interfaces > Cellular
- Network > Interfaces > Fail Open
- Network > VLANs
- Network > Virtual Wires
-
- Network > Routing > Logical Routers > General
- Network > Routing > Logical Routers > Static
- Network > Routing > Logical Routers > OSPF
- Network > Routing > Logical Routers > OSPFv3
- Network > Routing > Logical Routers > RIPv2
- Network > Routing > Logical Routers > BGP
- Network > Routing > Logical Routers > Multicast
-
- Network > Routing > Routing Profiles > BGP
- Network > Routing > Routing Profiles > BFD
- Network > Routing > Routing Profiles > OSPF
- Network > Routing > Routing Profiles > OSPFv3
- Network > Routing > Routing Profiles > RIPv2
- Network > Routing > Routing Profiles > Filters
- Network > Routing > Routing Profiles > Multicast
- Network > Proxy
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
- Network > Network Profiles > MACsec Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > ACE
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > IoT Security > DHCP Server Log Ingestion
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > SCP
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
- Device > Policy Recommendation > IoT or SaaS > Import Policy Rule
-
- Device > User Identification > Connection Security
- Device > User Identification > Terminal Server Agents
- Device > User Identification > Group Mapping Settings
- Device > User Identification> Trusted Source Address
- Device > User Identification > Authentication Portal Settings
- Device > User Identification > Cloud Identity Engine
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Firewall Clusters
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Network > Routing > Logical Routers > General
Configure a logical router on an Advanced Routing Engine.
When you enable Advanced Routing (DeviceSetupManagement),
the firewall uses a logical router for static
and dynamic routing. A logical router requires that you assign a name
and Layer 3 interfaces as described in the following table.
You can optionally configure Equal Cost Multiple Path (ECMP)
for the logical router. ECMP processing is a networking feature
that enables the firewall to use up to four equal-cost routes to
the same destination. Without this feature, if there are multiple
equal-cost routes to the same destination, the virtual router chooses
one of those routes from the routing table and adds it to its forwarding
table; it will not use any of the other routes unless there is an
outage in the chosen route. Enabling ECMP functionality on a virtual
router allows the firewall have up to four equal-cost paths to a
destination in its forwarding table, allowing the firewall to:
- Load balance flows (sessions) to the same destination over multiple equal-cost links.
- Make use of the available bandwidth on all links to the same destination rather than leave some links unused.
- Dynamically shift traffic to another ECMP member to the same destination if a link fails, rather than waiting for the routing protocol or RIB table to elect an alternative path, which can help reduce down time when links fail.
ECMP load balancing is done at the session level, not at
the packet level. This means the firewall chooses an equal-cost
path at the start of a new session, not each time the firewall receives
a packet.
Logical Router General Settings | Description |
---|---|
Name | Specify a name to describe the logical router
(up to 31 characters). The name is case-sensitive and must be unique.
Use only letters, numbers, hyphens, and underscores. |
Interface | |
Interface | Add the Layer 3 interfaces that you want
to include in the logical router. These interfaces can be used as
outgoing interfaces in the logical router’s routing table. To
specify the interface type, refer to Network > Interfaces. When
you add an interface to a logical router, its connected routes are
added to the global RIB automatically. |
Administrative Distances | |
Static | Range is 1 to 255; default is 10. |
Static IPv6 | Range is 1 to 255; default is 10. |
OSPF Intra Area | Range is 1 to 255; default is 110. |
OSPF Inter Area | Range is 1 to 255; default is 110. |
OSPF External | Range is 1 to 255; default is 110. |
OSPFv3 Intra Area | Range is 1 to 255; default is 110. |
OSPFv3 Inter Area | Range is 1 to 255; default is 110. |
OSPFv3 External | Range is 1 to 255; default is 110. |
BGP AS Internal | Range is 1 to 255; default is 200. |
BGP AS External | Range is 1 to 255; default is 20. |
BGP Local Route | Range is 1 to 255; default is 20. |
RIP | Range is 1 to 255; default is 120. |
ECMP | |
Enable | Enables Equal-Cost Multiple Path (ECMP)
for the logical router. |
Symmetric Return | (Optional) Select Symmetric Return to
cause return packets to egress out the same interface on which the
associated ingress packets arrived. That is, the firewall will use
the ingress interface on which to send return packets, rather than
use the ECMP interface, so the Symmetric Return setting
overrides load balancing. This behavior occurs only for traffic
flows from the server to the client. |
Strict Source Path | By default, IKE and IPSec traffic originating
at the firewall egresses an interface that the ECMP load-balancing
method determines. Select Strict Source Path to
ensure that IKE and IPSec traffic originating at the firewall always
egresses the physical interface to which the source IP address of
the IPSec tunnel belongs. You would enable Strict Source Path when
the firewall has more than one ISP providing equal-cost paths to
the same destination. The ISPs typically perform a Reverse Path
Forwarding (RPF) check (or a different check to prevent IP address
spoofing) to confirm that the traffic is egressing the same interface
on which it arrived. Because ECMP by default would choose an egress
interface based on the configured ECMP method (instead of choosing
the source interface as the egress interface), that would not be
what the ISP expects and the ISP could block legitimate return traffic.
In this use case, enable Strict Source Path so that the firewall
uses the egress interface that is the interface to which the source
IP address of the IPSec tunnel belongs. |
Max Path | Enter the maximum number of equal-cost paths:
(2, 3, or 4) to a destination network that can be copied from the
RIB to the FIB. Default is 2. |
Load-Balancing Method | Choose one of the following ECMP load-balancing algorithms to
use on the virtual router. ECMP load balancing is done at the session
level, not at the packet level. This means that the firewall (ECMP)
chooses an equal-cost path at the start of a new session, not each
time a packet is received.
|
RIB Filter | |
IPv4 - BGP Route-Map | Select a Redistribution route map or create
a new one to control the IPv4 BGP routes being added to the global
RIB. Default is None. |
IPv4 - OSPFv2 Route-Map | Select a Redistribution route map or create
a new one to control the IPv4 OSPFv2 routes being added to the global
RIB. Default is None. |
IPv4 - Static Route-Map | Select a Redistribution route map or create
a new one to control the IPv4 static routes being added to the global
RIB. Default is None. |
IPv4 - RIP Route-Map | Select a Redistribution route map or create
a new one to control the RIP routes being added to the global RIB.
Default is None. |
IPv6 - BGP Route-Map | Select a Redistribution route map or create
a new one to control the IPv6 BGP routes being added to the global
RIB. Default is None. |
IPv6 - OSPFv3 Route-Map | Select a Redistribution route map or create
a new one to control the IPv6 OSPFv3 routes being added to the global
RIB. Default is None. |
IPv6 - Static Route-Map | Select a Redistribution route map or create
a new one to control the IPv6 static routes being added to the global
RIB. Default is None. |