Which source IP address to use
For virtual wire and VLAN interfaces, enter the source IP address as one of the unused IP addresses of the destination network to be used in the probe packets sent to the next-hop router (Destination IP address).
The local router must be able to route the address to the firewall.
The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the routing table as the egress interface for the specified destination IP address.
This example explains how path monitoring works using a specific Vwire configuration.
Setup:
LAN Network -- Router A -- PANW Firewall (Vwire) -- Router B
IP Router A: 1.1.1.254
IP Router B: 1.1.1.1
GUI:
Device > High Availability > Link and Path Monitoring - HA Path Group Virtual Wire:
This is the only place where you need to configure the source IP address.
Go to GUI: Device > High Availability > Link and Path Monitoring:
When you commit the configuration, you'll notice the following traffic on your network:
ARP Broadcast sourced from the firewall to request the mac address for 1.1.1.1 :
Here is the ARP reply from destination ip 1.1.1.1:
Now the Path Monitoring can start:
Go to the CLI and verify the path monitoring is working fine:
(active)> show high-availability path-monitoring
--------------------------------------------------------------------------------
total paths monitored : 1
hold time to send probe packets : 1000 ms
(after device becomes active)
--------------------------------------------------------------------------------
name/type destination suc/total rtt min/max/avg (ms) probe cnt/interval(ms)
--------------------------------------------------------------------------------
replay/virtual-wire 1.1.1.1 10/10 0.10/0.11/0.11 10/200
--------------------------------------------------------------------------------
Note: The ARP packet is sent from the Vwire interfaces, the ARP packet sent out will have a unique MAC not attached to any interface.