PANW: Dynamic Routing between Logical Routers

How do you route traffic between multiple logical routers (aka inter-LR routing) on a Palo Alto Networks Strata firewall, and more precisely with full route redistribution rather than a few static routes? -> Via iBGP through loopback interfaces. ✅ Let’s go:

Setup Notes

  • The advanced routing engine (ARE) is in place 👍🏻, hence: “logical routers” (LR) rather than legacy “virtual routers” (VR).
  • Each LR has a loopback interface and requires a static route of type “next-lr” to the loopback interface of the *other* LR. This is the internal-routing-path-trick. ;)
  • A security policy must allow “bgp” between the zones of those loopback interfaces.
  • Internal BGP (iBGP) is used for this setup. The “Next Hop: Self” property must be set between those peers to route all traffic through these loopback interfaces.
  • All further security policies for normal data traffic are built upon the original source/destination zones of the data interfaces. Neither special external zones nor additional policies are required! This is great and keeps it simple. From a security policy’s point of view, it behaves like one single routing process. (Note that this is different from inter-VSYS routing, which requires special “External” zones and a policy in each VSYS.)
  • Interestingly (consequently?), this internal hop is *not* visible via traceroute.
  • If you have more than 2 LRs, you must set up a full mesh between all LRs and their loopback interfaces. Internal routing from LR1 via LR2 to LR3 is not supported.
  • BGP can be used as a dynamic routing protocol for this inter-LR routing since BGP neighbouring can be done via static routes. This is not possible for OSPF. If you want to use OSPF for inter-LR routing, you have to use hardware interfaces rather than loopback interfaces. This won’t scale, obviously.
  • Used equipment for this post: PA-440 with PAN-OS 11.2.0, “Advanced Routing” enabled; AS 64512
    • The left LR, “default”, redistributes its connected and static routes to BGP.
    • The right LR, “service-provider”, is connected to a Cisco router (2811 with IOS 15.1(4)M12a) via eBGP, AS 64513, and automatically sends these routes through the BGP process to the left LR. No explicit redistribution is required.
    • I’m following the best practice for dual-stack BGP scenarios, that is: IPv6 neighbours for IPv6 routes, and IPv4 neighbours for IPv4 routes.
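To make the setup notes concrete, here is an added example (not code from the original post or from Palo Alto Networks): a Python script that derives, from a list of logical routers, everything the recipe above calls for: one next-lr static route per LR towards each other LR’s loopback (per address family), one iBGP neighbour per address family with next-hop-self, and one bidirectional “bgp” security rule per LR pair. It then diffs an existing configuration against that plan, which is the check you want before assuming a third LR is reachable. It does not emit PAN-OS syntax. The LR names and AS 64512 are from the post; the zone names, the loopback addresses and the third LR “dmz” are assumptions made up for the example.

```python
"""Inter-LR full-mesh planner and checker (added example; not PAN-OS configuration syntax)."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations, permutations


@dataclass(frozen=True)
class LogicalRouter:
    name: str            # LR name as it appears in PAN-OS
    loopback_zone: str   # zone the LR's loopback interface is in (hypothetical names below)
    loopback_ip4: str    # loopback addresses: constructed lab values
    loopback_ip6: str


def host_prefix(addr: str) -> str:
    """Host route for a loopback address: /32 for IPv4, /128 for IPv6."""
    return str(ipaddress.ip_network(addr))


def plan_inter_lr_mesh(routers, asn):
    """Everything the post's recipe needs for a full mesh between the given LRs.

    Returns three sets:
      static_routes: (lr, family, destination, next_lr)
          a route of type "next-lr" in `lr` towards the other LR's loopback host route
      peers:         (lr, family, peer_address, peer_as)
          an iBGP neighbour (peer AS == local AS) configured with next-hop-self;
          IPv4 neighbours carry IPv4 routes and IPv6 neighbours carry IPv6 routes
      policies:      (zone_a, zone_b)
          one security rule allowing application "bgp" between the two loopback zones
    """
    static_routes, peers, policies = set(), set(), set()
    # Ordered pairs: each LR needs its own route and its own peer towards every other LR.
    for a, b in permutations(routers, 2):
        for family, addr in (("ipv4", b.loopback_ip4), ("ipv6", b.loopback_ip6)):
            static_routes.add((a.name, family, host_prefix(addr), b.name))
            peers.add((a.name, family, addr, asn))
    # Unordered pairs: one bidirectional rule per LR pair is enough.
    for a, b in combinations(routers, 2):
        policies.add(tuple(sorted((a.loopback_zone, b.loopback_zone))))
    return static_routes, peers, policies


def find_gaps(routers, asn, configured_routes, configured_peers, configured_policies):
    """Diff an existing configuration against the full-mesh plan; anything returned is missing."""
    want_routes, want_peers, want_policies = plan_inter_lr_mesh(routers, asn)
    have_policies = {tuple(sorted(p)) for p in configured_policies}
    return {
        "static_routes": sorted(want_routes - set(configured_routes)),
        "peers": sorted(want_peers - set(configured_peers)),
        "policies": sorted(want_policies - have_policies),
    }


# Constructed lab values: LR names and the AS number are from the post,
# zone names and loopback addresses are made up for this example.
ASN = 64512
DEFAULT = LogicalRouter("default", "lo-default", "10.255.0.1", "fd00:ff::1")
SP = LogicalRouter("service-provider", "lo-sp", "10.255.0.2", "fd00:ff::2")
DMZ = LogicalRouter("dmz", "lo-dmz", "10.255.0.3", "fd00:ff::3")  # hypothetical third LR


def demo_partial_mesh_gaps():
    """Three LRs, but only default<->service-provider and service-provider<->dmz were built.

    Transit through the middle LR is not supported, so the checker reports the
    whole default<->dmz leg (routes, peers and the policy) as missing.
    """
    routes, peers, policies = set(), set(), set()
    for pair in ((DEFAULT, SP), (SP, DMZ)):
        r, p, pol = plan_inter_lr_mesh(pair, ASN)
        routes |= r
        peers |= p
        policies |= pol
    return find_gaps((DEFAULT, SP, DMZ), ASN, routes, peers, policies)


if __name__ == "__main__":
    for section, items in zip(("static routes", "peers", "policies"),
                              plan_inter_lr_mesh((DEFAULT, SP), ASN)):
        print(f"{section}:")
        for item in sorted(items):
            print("   ", item)
    print("missing in the partial 3-LR mesh:", demo_partial_mesh_gaps())
```

Running it prints the plan for the two LRs of this post (four next-lr host routes, four iBGP neighbours, one bgp rule) and then, for a three-LR setup where only two legs were built, reports the whole default<->dmz leg as missing, which is the full-mesh requirement from the notes expressed as a check.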

A picture is worth a thousand words:

Screenshot Guide

Good luck. 😂 I’m not showing everything here. Everything that is done within the “default” LR is mirrored in the “service-provider” LR as well, though not explicitly screenshotted.

Show Notes

“More Runtime Stats” from the “service-provider” LR, right-hand side:

Tracerouting from a PC behind the Cisco router (1st hop) through BOTH LRs on the Palo (2nd hop <- yes, just one!) to a Linux machine (3rd hop) behind the “default” LR on the Palo:

Some CLI commands for further troubleshooting. Note the possibility of capturing on individual routing protocols:

For example, this is a small capture I exported in my lab: (Only KEEPALIVEs here, sorry ;))
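Since the exported capture itself is not reproduced here, the following Python decoder is an added example (not the post’s or Palo Alto Networks’ code) for making sense of such a capture once you have the BGP payload in hand: it splits a TCP payload into BGP messages, checks the RFC 4271 header (all-ones marker, length between 19 and 4096, a KEEPALIVE being exactly 19 bytes) and decodes the fields of an OPEN. The sample stream is constructed inline: an OPEN from AS 64512 as in the lab, with a made-up hold time and router ID, followed by two KEEPALIVEs.

```python
"""Decode a BGP message stream (added example; parser written for this post, not PAN-OS code)."""
import ipaddress
import struct

BGP_MARKER = b"\xff" * 16                      # RFC 4271: 16 bytes of all ones
BGP_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}


def parse_open(body: bytes) -> dict:
    """OPEN body: version, my AS, hold time, BGP identifier, optional-parameter length."""
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack_from("!BHHIB", body, 0)
    return {"version": version, "my_as": my_as, "hold_time": hold_time,
            "bgp_id": str(ipaddress.IPv4Address(bgp_id)), "opt_param_len": opt_len}


def parse_bgp_stream(data: bytes) -> list:
    """Split a TCP payload into BGP messages and sanity-check each header.

    Header = 16-byte marker, 2-byte length (19..4096, includes the header), 1-byte type.
    A KEEPALIVE is a bare header, so its length must be exactly 19.
    """
    messages, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 19:
            raise ValueError(f"truncated header at offset {offset}")
        marker, length, mtype = struct.unpack_from("!16sHB", data, offset)
        if marker != BGP_MARKER:
            raise ValueError(f"bad marker at offset {offset}")
        if length < 19 or length > 4096 or offset + length > len(data):
            raise ValueError(f"bad length {length} at offset {offset}")
        body = data[offset + 19:offset + length]
        message = {"type": BGP_TYPES.get(mtype, f"unknown({mtype})"), "length": length}
        if mtype == 1:
            message.update(parse_open(body))
        elif mtype == 4 and length != 19:
            raise ValueError(f"KEEPALIVE with a body at offset {offset}")
        messages.append(message)
        offset += length
    return messages


def build_message(mtype: int, body: bytes = b"") -> bytes:
    """Assemble a message with a correct header (used only to construct the sample input)."""
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), mtype) + body


# Constructed sample: an OPEN from AS 64512 (the AS used in the post) followed by two
# KEEPALIVEs. Hold time and router ID are made up; there are no optional parameters.
SAMPLE_STREAM = (
    build_message(1, struct.pack("!BHHIB", 4, 64512, 90, int(ipaddress.IPv4Address("10.255.0.1")), 0))
    + build_message(4)
    + build_message(4)
)


if __name__ == "__main__":
    for m in parse_bgp_stream(SAMPLE_STREAM):
        print(m)
```

The header checks are what make this useful on a real capture: a wrong marker or an impossible length usually means the stream was cut at the wrong TCP offset, not that the peer is misbehaving, so the decoder stops with the offset instead of silently producing garbage.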

That’s it. ✅

PS: I’m not a BGP pro, though. If you encounter any inconsistencies, please write a comment down below! Thanks.

Soli Deo Gloria!

Photo by Luiz Cent on Unsplash.
