Configure a static route or a default route for a virtual
router.
Perform the following task to configure Static Routes or a default
route for a virtual router on the firewall.
Configure a static route.
Select NetworkVirtual Router and select the
virtual router you are configuring, such as default.
Select the Static Routes tab.
Select IPv4 or IPv6,
depending on the type of static route you want to configure.
Add a Name for
the route. The name must start with an alphanumeric character and
can contain a combination of alphanumeric characters, underscore
(_), hyphen (-), dot (.), and space. Beginning with PAN-OS 10.0.8,
the name can be a maximum of 63 characters.
For Destination, enter the
route and netmask (for example, 192.168.2.2/24 for an IPv4 address
or 2001:db8:123:1::1/64 for an IPv6 address). If you’re creating
a default route, enter the default route (0.0.0.0/0 for an IPv4
address or ::/0 for an IPv6 address). Alternatively, you can create
an address object of type IP Netmask.
(Optional) For Interface,
specify the outgoing interface for packets to use to go to the next
hop. Use this for stricter control over which interface the firewall
uses rather than the interface in the route table for the next hop
of this route.
For Next Hop, select one of
the following:
IP Address—Enter the IP
address (for example, 192.168.56.1 or 2001:db8:49e:1::1) when you
want to route to a specific next hop. You must Enable
IPv6 on the interface (when you Configure Layer 3 Interfaces)
to use an IPv6 next hop address. If you’re creating a default route,
for Next Hop you must select IP
Address and enter the IP address for your Internet gateway
(for example, 192.168.56.1 or 2001:db8:49e:1::1). Alternatively,
you can create an address object of type IP Netmask. The address
object must have a netmask of /32 for IPv4 or /128 for IPv6.
Next VR—Select this option and then
select a virtual router if you want to route internally to a different
virtual router on the firewall.
FQDN—Enter an FQDN or select an address
object that uses an FQDN, or create a new address object of type
FQDN.
If you use an FQDN as a static route next hop,
that FQDN must resolve to an IP address that belongs to the same
subnet as the interface you configured for the static route; otherwise,
the firewall rejects the resolution and the FQDN remains unresolved.
The
firewall uses only one IP address (from each IPv4 or IPv6 family
type) from the DNS resolution of the FQDN. If the DNS resolution
returns more than one address, the firewall uses the preferred IP
address that matches the IP family type (IPv4 or IPv6) configured
for the next hop. The preferred IP address is the first address
the DNS server returns in its initial response. The firewall retains
this address as preferred as long as the address appears in subsequent
responses, regardless of its order.
Discard—Select to drop packets that
are addressed to this destination.
None—Select if there is no next hop
for the route. For example, a point-to-point connection does not
require a next hop because there is only one way for packets to
go.
Enter an Admin Distance for
the route to override the default administrative distance set for
static routes for this virtual router (range is 10 to 240; default
is 10).
Enter a Metric for the route
(range is 1 to 65,535).
Choose where to install the route.
Select the Route Table (the RIB)
into which you want the firewall to install the static route:
Unicast—Install the route
in the unicast route table. Choose this option if you want the route
used only for unicast traffic.
Multicast—Install the route in the
multicast route table (available for IPv4 routes only). Choose this
option if you want the route used only for multicast traffic.
Both—Install the route in the unicast
and multicast route tables (available for IPv4 routes only). Choose
this option if you want either unicast or multicast traffic to use
the route.
No Install—Do not install the route
in either route table.
(Optional) If your firewall model supports BFD,
you can apply a BFD Profile to the static
route so that if the static route fails, the firewall removes the
route from the RIB and FIB and uses an alternative route. Default
is None.