Managing routes is an essential configuration task for network admins who are managing firewalls.
If you are using the PaloAlto firewall, this tutorial explains how to add static routes using both the PAN-OS command line interface and from the PaloAlto Firewall Console.
1. CLI – View Current Routes
Before adding a route, view all current routes from the PAN-OS CLI using the show routing command, as shown below.
admin@PA-VM> show routing route type static

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: default (id 1)
==========
destination     nexthop         metric flags  age interface   next-AS
0.0.0.0/0       192.168.0.1     10     A S        ethernet1/1
total routes shown: 1
As you can see from the above output, there is currently only the default route, which sends all traffic to the next hop 192.168.0.1.
In the next few examples, let us add another default route and two application specific routes.
On a related topic, to manage policies from CLI refer to: 15 PaloAlto CLI Examples to Manage Security and NAT Policies
2. CLI – Add a Default Static Route
To add a default static route, first go to the configure mode as shown below.
admin@PA-VM> configure
Entering configuration mode
admin@PA-VM#
From configure mode, execute the set network virtual-router command as shown below to add the default static route.
set network virtual-router default routing-table \
  ip static-route Default \
  interface ethernet1/1 \
  destination 0.0.0.0/0 \
  nexthop ip-address 192.168.102.1
- set network virtual-router default routing-table ip static-route – This indicates that you are adding a static route to the virtual router named default
- Default – This is the name of the route; here it indicates that you are adding the default route
- interface ethernet1/1 – This sets ethernet1/1 as the outgoing interface for the static route
- destination 0.0.0.0/0 nexthop ip-address 192.168.102.1 – This gives the destination prefix and the next-hop IP address of the route being added
After you execute the above command, “show routing route type static” will still not show the new route until the change is committed. However, if you log in to the console, you will already see the route there as an uncommitted (candidate) configuration.
3. CLI – Add Additional Application Specific Static Routes
Let us say you want to add two different routes: one to the application subnet, named “ToAppSubnet”, and another to the database subnet, named “ToDBSubnet”.
The following command adds the “ToAppSubnet” application specific static route.
set network virtual-router default routing-table \
  ip static-route ToAppSubnet \
  interface ethernet1/2 \
  destination 192.168.0.0/24 \
  nexthop ip-address 192.168.101.1
- set network virtual-router default routing-table ip static-route – This indicates that you are adding a static route to the virtual router named default
- ToAppSubnet – This is the custom name that you are giving to this specific route
- interface ethernet1/2 – This sets ethernet1/2 as the outgoing interface for the static route
- destination 192.168.0.0/24 nexthop ip-address 192.168.101.1 – This gives the destination prefix and the next-hop IP address of the route being added
Similar to the above command, the following adds the “ToDBSubnet” application specific static route.
set network virtual-router default routing-table \
  ip static-route ToDBSubnet \
  interface ethernet1/2 \
  destination 192.167.0.0/24 \
  nexthop ip-address 192.168.101.1
4. CLI – Commit to Save Static Routes
After a static route is added, don’t forget to execute the commit command as shown below to save your changes.
# commit
Commit job 2 is in progress. Use Ctrl+C to return to command prompt
......100%
Configuration committed successfully
Note: You might get a warning message similar to the following. The first three lines mean that the configured next-hop IP address does not fall within the subnet configured on the route’s outgoing interface; the commit still succeeds and the route is still installed, so verify that the next hop is really reachable through that interface before relying on the route.
Static route Default next hop IP 192.168.102.1 is not in subnet of outgoing interface ethernet1/1 (Module: routed)
Static route ToAppSubnet next hop IP 192.168.101.1 is not in subnet of outgoing interface ethernet1/2 (Module: routed)
Static route ToDBSubnet next hop IP 192.168.101.1 is not in subnet of outgoing interface ethernet1/2 (Module: routed)
Warning: No valid threat content package exists
Warning: No valid Antivirus content package exists (Module: device)
5. CLI – View Routes after Commit
At this stage, if you execute the show routing command, you’ll see the 3 new routes that we just added, as shown below. Note that the original default route via 192.168.0.1 no longer carries the A (active) flag; the newly added default route via 192.168.102.1 is now the active one, and both default routes are marked E (ecmp).
admin@PA-VM> show routing route type static

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: default (id 1)
==========
destination     nexthop         metric flags  age interface   next-AS
0.0.0.0/0       192.168.0.1     10     S E        ethernet1/1
0.0.0.0/0       192.168.102.1   10     A S E      ethernet1/1
192.167.0.0/24  192.168.101.1   10     A S        ethernet1/2
192.168.0.0/24  192.168.101.1   10     A S        ethernet1/2
total routes shown: 4
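As an added example (not part of this tutorial), the following Python script parses the show routing route type static output above into records, picks out the routes that are actually active (A flag), and reproduces the commit warning from step 4 by checking each next hop against the subnet of its outgoing interface. The addresses in INTERFACE_ADDRS are assumed, since the tutorial does not list the interface IPs.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample, copied from the post-commit "show routing route type static"
# output in this tutorial (header/footer lines included so the parser must skip them).
SAMPLE_OUTPUT = """\
VIRTUAL ROUTER: default (id 1)
==========
destination     nexthop         metric flags  age interface   next-AS
0.0.0.0/0       192.168.0.1     10     S E        ethernet1/1
0.0.0.0/0       192.168.102.1   10     A S E      ethernet1/1
192.167.0.0/24  192.168.101.1   10     A S        ethernet1/2
192.168.0.0/24  192.168.101.1   10     A S        ethernet1/2
total routes shown: 4
"""

# Hypothetical interface addresses (the tutorial never lists them), chosen so the
# three new routes hit the same "not in subnet" condition the commit warned about.
INTERFACE_ADDRS = {
    "ethernet1/1": ipaddress.ip_interface("192.168.0.10/24"),
    "ethernet1/2": ipaddress.ip_interface("10.0.2.10/24"),
}

Route = namedtuple("Route", "destination nexthop metric flags interface")
# One route line: prefix, next hop, metric, one or more flag tokens (A, S, E, Oi, O1...),
# an optional numeric age, then the outgoing interface.
ROUTE_RE = re.compile(
    r"^(?P<dst>\S+/\d+)\s+(?P<nh>\S+)\s+(?P<metric>\d+)\s+"
    r"(?P<flags>(?:[A-Z?~][A-Za-z0-9]?\s+)+)(?:(?P<age>\d+)\s+)?(?P<intf>\S+)\s*$"
)

def parse_static_routes(text):
    """Return a Route for every table row in the output; headers and totals are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(m["dst"], m["nh"], int(m["metric"]),
                                frozenset(m["flags"].split()), m["intf"]))
    return routes

def active_routes(routes):
    """Only rows carrying the A flag are actually used for forwarding."""
    return [r for r in routes if "A" in r.flags]

def nexthop_offsubnet(routes, addrs):
    """Mirror the commit warning: next hop not inside the outgoing interface's subnet."""
    return [(r.destination, r.nexthop, r.interface) for r in routes
            if r.interface not in addrs
            or ipaddress.ip_address(r.nexthop) not in addrs[r.interface].network]
```

Running nexthop_offsubnet over the parsed sample with the assumed addresses returns exactly the three routes named in the commit warning, while the original default route via 192.168.0.1 passes.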
6. Console – View Current Routes
To view the current routes from the Console, click the “Network” tab at the top, click “Virtual Routers” in the side menu, then click “default” in the Name column as shown below.
This opens a pop-up window for the default virtual router. In the pop-up’s side menu, click “Static Routes” as shown below. Currently it has no custom static routes, as shown below.
On a related topic, to upgrade your software refer to: 5 Steps to Upgrade PaloAlto PAN-OS Firewall Software from CLI or Console
7. Console – Add Additional Application Specific Static Routes
To add application specific static routes: Network tab – Virtual Routers – default – Static Routes – IPv4 tab – click “Add” at the bottom of the empty table (see the picture from the previous example).
This opens the Static Route pop-up shown below. Enter the Name (ToAppSubnet), the Destination, the Interface (select ethernet1/2), the Next Hop type (select IP Address from the drop-down), and the next-hop IP address, as shown below.
Using the same steps explained above, add the Default route and “ToDBSubnet” static route.
8. Console – View New Routes and Commit
Once you’ve added the new static routes, go to Network tab – Virtual Routers. Under the Configuration column for the default virtual router, it now says “Static Route: 3”.
Click “default” under the Name column, then “Static Routes” in the side tab, then the IPv4 tab. This lists all three new static routes that we just added, as shown below. Once you’ve reviewed the new routes and everything looks good, make sure to commit the changes from the console.