How to create, add and delete sub-interfaces and static routes via CLI on Panorama for managed Firewall Templates.
Created On 05/15/19 20:29 PM - Last Modified 01/20/21 22:43 PM
Objective
This how-to guide shows how to use the CLI to configure and delete sub-interfaces and static routes on Panorama-managed firewalls.
Environment
- Panorama managed firewall running PanOS 8.0.x or later
- Panorama running PanOS 8.1.x
Procedure
1. Creating sub interface(s), adding them to VR and adding static route to the VR:
config
set template test-template config network interface aggregate-ethernet ae1 layer3 units ae1.100 tag 100 ip 5.5.5.5/24
set template test-template config network interface aggregate-ethernet ae1 layer3 units ae1.200 tag 200 ip 6.6.6.6/24
set template test-template config network virtual-router test interface [ ae1.100 ae1.200 ]
set template test-template config vsys vsys1 import network interface [ ae1.100 ae1.200 ]
set template test-template config vsys vsys1 zone test-trust network layer3 [ ae1.100 ae1.200 ]
set template test-template config network virtual-router test routing-table ip static-route test-route destination 10.10.10.0/24 interface ae1.100 nexthop ip-address 5.5.5.100
2. Committing configuration and pushing to managed device:
From the CLI, changes are committed using the “commit” command in “config mode”.
Changes are pushed to the device using the “commit-all” command from operational mode (or from the GUI). CLI example:
commit-all template name test-template
OR
commit-all template-stack name CS-test_stack (in case of Panorama 8.1)
3. Deleting route:
delete template test-template config network virtual-router test routing-table ip static-route test-route
4. Deleting interface:
NOTE: Interfaces can be deleted only if not referenced anywhere (in this example in the route), so the first step is to delete the route.
delete template test-template config network interface aggregate-ethernet ae1 layer3 units ae1.100
OR
delete template test-template config network interface aggregate-ethernet ae1
Commit needs to be done after any changes as documented in Step 2.
Additional Information
AE interfaces do not appear in snmpwalk output (they have no OID) until they are created on the firewall.
Output of snmpwalk before the interface is configured:
IF-MIB::ifDescr.1 = STRING: dedicated-ha1
IF-MIB::ifDescr.2 = STRING: dedicated-ha2
IF-MIB::ifDescr.3 = STRING: ha1
IF-MIB::ifDescr.4 = STRING: ha2
IF-MIB::ifDescr.5 = STRING: mgmt
IF-MIB::ifDescr.6 = STRING: ethernet1/1
IF-MIB::ifDescr.7 = STRING: ethernet1/2
..snip..
IF-MIB::ifDescr.22 = STRING: ethernet1/17
IF-MIB::ifDescr.23 = STRING: ethernet1/18
IF-MIB::ifDescr.200000000 = STRING: vlan
IF-MIB::ifDescr.300000000 = STRING: loopback
IF-MIB::ifDescr.400000000 = STRING: tunnel
Output of snmpwalk after the interfaces have been configured:
IF-MIB::ifDescr.1 = STRING: dedicated-ha1
IF-MIB::ifDescr.2 = STRING: dedicated-ha2
IF-MIB::ifDescr.3 = STRING: ha1
IF-MIB::ifDescr.4 = STRING: ha2
IF-MIB::ifDescr.5 = STRING: mgmt
IF-MIB::ifDescr.6 = STRING: ethernet1/1
IF-MIB::ifDescr.7 = STRING: ethernet1/2
IF-MIB::ifDescr.8 = STRING: ethernet1/3
..snip..
IF-MIB::ifDescr.22 = STRING: ethernet1/17
IF-MIB::ifDescr.23 = STRING: ethernet1/18
IF-MIB::ifDescr.200000000 = STRING: vlan
IF-MIB::ifDescr.300000000 = STRING: loopback
IF-MIB::ifDescr.400000000 = STRING: tunnel
IF-MIB::ifDescr.500010000 = STRING: ae1
IF-MIB::ifDescr.500010100 = STRING: ae1.100.
IF-MIB::ifDescr.500010200 = STRING: ae1.200
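A post-push check built on the two snmpwalk outputs shown above: it reports which of the pushed AE interfaces the firewall does not yet expose in ifDescr. This is an added example, not part of the original article; the function names and the shortened sample walks are constructed for illustration.

```python
import re

# Matches lines such as: IF-MIB::ifDescr.500010100 = STRING: ae1.100
IFDESCR = re.compile(r"^IF-MIB::ifDescr\.(\d+) = STRING: (\S+)\s*$")

def parse_ifdescr(walk_text):
    """Return {ifIndex: name} from snmpwalk output; other lines are skipped."""
    table = {}
    for line in walk_text.splitlines():
        m = IFDESCR.match(line.strip())
        if m:
            table[int(m.group(1))] = m.group(2)
    return table

def new_interfaces(before_text, after_text):
    """Names present after the push that were absent before it, by ifIndex."""
    before = set(parse_ifdescr(before_text).values())
    after = parse_ifdescr(after_text)
    return [name for _, name in sorted(after.items()) if name not in before]

def missing_interfaces(expected, walk_text):
    """Expected names the firewall does not report (push not applied yet)."""
    present = set(parse_ifdescr(walk_text).values())
    return [name for name in expected if name not in present]

# Constructed sample input, shortened from the two outputs shown above.
BEFORE = """\
IF-MIB::ifDescr.5 = STRING: mgmt
IF-MIB::ifDescr.6 = STRING: ethernet1/1
..snip..
IF-MIB::ifDescr.400000000 = STRING: tunnel
"""
AFTER = BEFORE + """\
IF-MIB::ifDescr.500010000 = STRING: ae1
IF-MIB::ifDescr.500010100 = STRING: ae1.100
IF-MIB::ifDescr.500010200 = STRING: ae1.200
"""
# Interfaces the template in step 1 is expected to create.
EXPECTED = ["ae1", "ae1.100", "ae1.200"]

if __name__ == "__main__":
    print("missing before push:", missing_interfaces(EXPECTED, BEFORE))
    print("missing after push: ", missing_interfaces(EXPECTED, AFTER))
    print("new after push:     ", new_interfaces(BEFORE, AFTER))
```

A non-empty "missing" list after commit-all means the template change has not reached the firewall, so monitoring that polls these OIDs will not see the interfaces yet.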