≡ Menu

8 Examples to Add Static Routes in PAN-OS PaloAlto from CLI and Console

Managing routes is an essential configuration task for network admins who are managing firewalls.

If you are using the PaloAlto firewall, this tutorial explains how to add static routes using both the PAN-OS command line interface and from the PaloAlto Firewall Console.

1. CLI – View Current Routes

Before adding a route, view all current routes from PAN-OS CLI as shown below using show routing command.

admin@PA-VM> show routing route type static

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip,
       O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1,
       O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: default (id 1)
==========
destination  nexthop      metric flags age  interface   next-AS
0.0.0.0/0    192.168.0.1  10     A S        ethernet1/1
total routes shown: 1

As you see from the above output, it currently has only the default route which will route all traffic to 192.168.0.1 next hop.

In the next few examples, let us add another default route and two application specific routes.

On a related topic, to manage policies from CLI refer to: 15 PaloAlto CLI Examples to Manage Security and NAT Policies

2. CLI – Add a Default Static Route

To add a default static route, first go to the configure mode as shown below.

admin@PA-VM> configure
Entering configuration mode
admin@PA-VM#

From the configure mode, execute set network virtual-router command as shown below to add the default static route.

set network virtual-router default routing-table \
  ip static-route Default \
  interface ethernet1/1 \
  destination 0.0.0.0/0 \
  nexthop ip-address 192.168.102.1
  • set network virtual-router default routing-table ip static-route – This indicates that you are adding a static route
  • Default – This keyword is important and indicates that you are adding the Default route
  • interface ethernet1/1 – This indicates that you are adding the static route on the ethernet1/1 interface
  • destination 0.0.0.0/0 nexthop ip-address 192.168.102.1 – This contains the details of the static route that is getting added along with destination and nexthop ip address.

After you execute the above command, when you execute “show routing route type static”, you’ll still not see the new route that you added until it is committed. But, if you login to console you’ll see the route that is still not yet committed.

3. CLI – Add Additional Application Specific Static Routes

Let us see you want to add two different routes one to Application Subnet which is called as “ToAppSubnet”, and another route to Database Subnet which is called as “ToDBSubnet”.

The following command adds the “ToAppSubnet” application specific static route.

set network virtual-router default routing-table \
  ip static-route ToAppSubnet \
  interface ethernet1/2 \
  destination 192.168.0.0/24 \
  nexthop ip-address 192.168.101.1
  • set network virtual-router default routing-table ip static-route – This indicates that you are adding a static route
  • ToAppSubnet – This is the custom name that you are specifying to this specific route
  • interface ethernet1/2 – This indicates that you are adding the static route on the ethernet1/2 interface
  • destination 192.168.0.0/24 nexthop ip-address 192.168.101.1 – This contains the details of the static route that is getting added along with destination and nexthop ip address.

Similar to the above command, the following adds the “ToDBSubnet” application specific static route.

set network virtual-router default routing-table \
  ip static-route ToDBSubnet \
  interface ethernet1/2 \
  destination 192.167.0.0/24 \
  nexthop ip-address 192.168.101.1

4. CLI – Commit to Save Static Routes

After a static route is added, don’t forget to execute the commit command as shown below to save your changes.

# commit
Commit job 2 is in progress. Use Ctrl+C to return to command prompt
......100% Configuration committed successfully

Note: You might get a warning message similar to the following.

Static route Default next hop IP 192.168.102.1 is not in subnet of outgoing interface ethernet1/1
(Module: routed)
Static route ToAppSubnet next hop IP 192.168.101.1 is not in subnet of outgoing interface ethernet1/2
(Module: routed)
Static route ToDBSubnet next hop IP 192.168.101.1 is not in subnet of outgoing interface ethernet1/2
(Module: routed)
Warning: No valid threat content package exists
Warning: No valid Antivirus content package exists
(Module: device)

5. CLI – View Routes after Commit

At this stage, if you execute the show routing command, you’ll see the 3 new routes that we just added as shown below.

admin@PA-VM> show routing route type static

flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal,
       R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area,
       O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: default (id 1)
==========
destination     nexthop        metric flags  age   interface    next-AS
0.0.0.0/0       192.168.0.1    10       S E        ethernet1/1
0.0.0.0/0       192.168.102.1  10     A S E        ethernet1/1
192.167.0.0/24  192.168.101.1  10     A S          ethernet1/2
192.168.0.0/24  192.168.101.1  10     A S          ethernet1/2
total routes shown: 4

6. Console – View Current Routes

To view the current routes from the Console, click on the “Network” Tab on the top, Click on “Virtual Routers” from the side menu bar, Click on “default” on the Name column as shown below.

[PaloAlto Virtual Routers Default]

The default default router will open a pop-up window. In this pop-up, on the side menu bar, Click on “Static Routes” as shown below. Currently this doesn’t have any custom static routes as shown below.

[PaloAlto Virtual Router Static Routes]

On a related topic, to upgrade your software refer to: 5 Steps to Upgrade PaloAlto PAN-OS Firewall Software from CLI or Console

7. Console – Add Additional Application Specific Static Routes

To add application specific static routes: Network Tab – Virtual Routes – Default – Static Routes – IPv4 Tab – Click on “Add” at the bottom of the empty table (See the picture from the previous example)

This will open the Static Route pop-up as shown below. Enter the Name (ToAppSubnet), Destination, Interface (Select ethernet1/2), Next Hop (Select IP Address from drop-down), Enter the ip-address as shown below.

[PaloAlto Console Add Static Route]

Using the same steps explained above, add the Default route and “ToDBSubnet” static route.

8. Console – View New Routes and Commit

Once you’ve added the new static routes, go to Network Tab – View Routers – You’ll see under Configuration column for the default router, it says “Static Route: 3”

[PaloAlto Static Routes Total Count]

Click on the “default” under the Name column – Static Routes on the side tab – Click on IPv4 tab. This will list all the three new static routes that we just added as shown below. Once you’ve reviewed the new routes and everything looks good, make sure to commit the changes from the console.

[PaloAlto View New Static Routes]

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 0 comments… add one }

Leave a Comment