This feature is similar to Cisco IPSLA, in that it tracks the reachability of a destination and can remove static routes based on the ping response.
Simple topology with Palo-Alto connected to the internet and using path monitor on the default route. Internal interface peering OSPF with the core router and redistributing the static route but only when the ping responds.
First create the static route
Network -> Virtual Routers -> (router) -> Static Routes -> Add+
In this scenario the path monitor will ping the opposite side of the link and Google DNS, both must fail for the condition to be met. Interval and count are default (5 pings 3 seconds apart). Once the pings fail, the route will be removed from the routing table. When the router is able to ping the destination after a failure it waits 2 minutes before re-installing the route, this is default preemptive behaviour and can be changed.
Next create a redistribution profile that redistributes your routes, what I found was that if you redistribute ‘0.0.0.0/0’ that means all routes, if you have other routes you don’t want to redistribute just match them with a lower priority and choose ‘No redist‘
Network -> Virtual Routers -> (router) -> Redistribution Profile -> Add+
Configure OSPF as you normally would with any other device no difference here the usual attributes must match. Area 0 is the same as Area 0.0.0.0.
Next apply the redistribution profile to OSPF and check ‘Allow Redistribute Default Route‘. You have the option to set external type, metric and tag.
Network -> Virtual Routers -> (router) -> OSPF -> Export Rules -> Add+
The Palo-Alto should have formed neighbors with the core router and be redistributing the default route. This can be seen here. Network -> Virtual Routers -> More Runtime Stats. You can also view the routing table here and the forwarding table along with OSPF neighbors etc.
Currently the core router receives the route from the Palo-Alto
Next fail the routing on the internet router to see the impact on the path monitoring. The outcome is, the route is withdrawn (debug ip routing)
On the core device you may have a floating static or default route with a higher metric from a different IGP, waiting to take over in the event of a failure to the Palo-Alto.
When routing is restored you can view the preempted route counting down. After the 2 minutes the route is re-instated.
That’s it, works great.
RH
all-things-networking 