Defining a next hop in a default route

Created On 09/26/18 13:51 PM - Last Modified 06/09/23 03:27 AM


Resolution


This article explains the impact of defining only an exit interface, without a next hop in a default route pointing towards the ISP. We recommend that you define a default route that points towards the ISP.

 

 

On the Palo Alto Networks firewall, configure a default route without a Next Hop.

 

An ICMP Echo generated on the Palo Alto Networks firewall toward the remote IP address (8.8.8.8) will trigger an ARP request.

 

Although the ping was successful, the output on the ISP reveals the proxy ARP process.

 

 

Typically, you wouldn't see this type of ARP request. However, the firewall was forced to depend on proxy ARP because the static route didn't identify a next hop. To further demonstrate what can happen, we can disable proxy ARP on the ISP's interface and clear the ARP cache on the firewall.

 

Proxy ARP is enabled and cannot be disabled on the Palo Alto Networks firewall.

 

 

 

 

 

Next, configure a route that specifies a next hop address, which is the same as configuring a proper default gateway on a firewall.

 

 

Test it in the CLI. 
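The behaviour described in this article can be modelled offline. The following Python sketch is an added example, not Palo Alto Networks code or PAN-OS output: it picks the address a router must ARP for under each style of default route and shows what happens when the ISP stops answering proxy ARP. The function names, the interface name `ethernet1/1`, and all addresses except 8.8.8.8 are assumptions made for the example.

```python
import ipaddress

def arp_target(dst, routes):
    """Longest-prefix match; return (interface, IP address to ARP for)."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    if not hits:
        return None
    _, iface, next_hop = max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    # No next hop: the destination is treated as on-link and ARPed for directly.
    return iface, (next_hop or dst)

def simulate(destinations, routes, isp_ip, isp_mac, isp_proxy_arp):
    """Send one packet per destination; return (arp_cache, unreachable)."""
    cache, unreachable = {}, []
    for dst in destinations:
        hit = arp_target(dst, routes)
        if hit is None:
            unreachable.append(dst)
            continue
        target = hit[1]
        if target in cache:
            continue
        # Model assumption: the ISP router is the only other host on the link.
        # It answers ARP for its own address, and for any other address only
        # if proxy ARP is enabled on its interface.
        if target == isp_ip or isp_proxy_arp:
            cache[target] = isp_mac
        else:
            unreachable.append(dst)
    return cache, unreachable

# 8.8.8.8 is the article's ping target; every other value is constructed
# from documentation address ranges for this example.
ISP_IP, ISP_MAC = "203.0.113.1", "00:00:5e:00:53:01"
CONNECTED = ("203.0.113.0/30", "ethernet1/1", None)
INTERFACE_ONLY = [CONNECTED, ("0.0.0.0/0", "ethernet1/1", None)]
WITH_NEXT_HOP = [CONNECTED, ("0.0.0.0/0", "ethernet1/1", ISP_IP)]
DESTS = ["8.8.8.8", "198.51.100.7", "192.0.2.10"]

if __name__ == "__main__":
    for name, routes in (("interface only", INTERFACE_ONLY), ("next hop", WITH_NEXT_HOP)):
        for proxy in (True, False):
            cache, dead = simulate(DESTS, routes, ISP_IP, ISP_MAC, proxy)
            print(f"{name:14} proxy_arp={proxy!s:5} arp_entries={sorted(cache)} unreachable={dead}")
```

With the interface-only route the ARP cache gains one entry per remote destination and every destination becomes unreachable once proxy ARP is off; with a next hop there is a single ARP entry for the gateway in both cases.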

 


