Commit preview shows path-monitor config for static routes deleted unexpectedly when adding a static route to a virtual router
Symptom
When adding a static route to a Virtual Router, the Commit Preview may show that the path-monitor configuration is being removed from the existing static routes in that Virtual Router.
Environment
PA firewall 9.1.x >= 9.1.10
PA firewall 10.0.x >= 10.0.1
PA firewall 10.1.x >= 10.1.9
PA firewall 10.2.x >= 10.2.4
Cause
In previous versions of PAN-OS (8.1.x/9.0.x), static routes included the following lines in the configuration when path-monitoring was not enabled:
path-monitor {
  enable no;
  failure-condition any;
  hold-time 2;
}
In an effort to reduce the config size, this explicit configuration will be removed from existing static routes in a Virtual Router when a new static route is added to that Virtual Router.
This may result in unexpected changes when doing a "Commit Preview" after adding a Static Route.
As an example, the Virtual Router has 2 routes (test1/test2) that have the explicit path-monitor configuration. This can be seen with "#show network virtual-router <virtual router name>":
# show network virtual-router PATH-TEST
PATH-TEST {
  ****Other config lines removed for readability*****
  routing-table {
    ip {
      static-route {
        test1 {
          nexthop {
            ip-address 192.168.4.1;
          }
          bfd {
            profile None;
          }
          path-monitor {
            enable no;
            failure-condition any;
            hold-time 2;
          }
          metric 10;
          destination 10.10.10.0/24;
          route-table {
            unicast;
          }
        }
        test2 {
          nexthop {
            ip-address 192.168.5.1;
          }
          bfd {
            profile None;
          }
          path-monitor {
            enable no;
            failure-condition any;
            hold-time 2;
          }
          metric 10;
          destination 10.10.14.0/24;
          route-table {
            unicast;
          }
        }
      }
After adding a new static route (new_route), click Commit, then "Preview Changes".
We can see that, in addition to the new static route being added, the path-monitor configuration is deleted from the test1 and test2 routes.
Resolution
This is expected behavior, and will not result in any change to the path-monitoring behavior for the static routes.
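To check before committing that each path-monitor block shown as deleted is the explicit disabled default described under Cause, the following added example (not Palo Alto Networks code) parses saved "show network virtual-router" output and classifies every static route. The SAMPLE text and the route name "monitored" are constructed, and the parser assumes no braces or semicolons appear inside values.

```python
import re

# Explicit "disabled" block exactly as the article shows it.
DEFAULT_PM = {"enable": "no", "failure-condition": "any", "hold-time": "2"}

# Constructed sample in the CLI's brace syntax; route "monitored" is hypothetical.
SAMPLE = """
static-route {
  test1 { path-monitor { enable no; failure-condition any; hold-time 2; } metric 10; }
  monitored { path-monitor { enable yes; failure-condition any; hold-time 2; } metric 10; }
  new_route { metric 10; }
}
"""

def parse_config(text):
    """Parse brace-delimited config into nested dicts; prompts and elision lines are skipped."""
    root = {}
    stack = [root]
    for raw in re.sub(r"([{};])", r"\1\n", text).splitlines():  # one statement per line
        line = raw.strip()
        if line.endswith("{"):
            child = stack[-1][line[:-1].strip()] = {}
            stack.append(child)
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1][key] = value.strip()
    return root

def static_routes(node):
    """Yield (name, route_dict) for every entry under any static-route block."""
    for key, val in node.items():
        if isinstance(val, dict) and key == "static-route":
            yield from ((n, r) for n, r in val.items() if isinstance(r, dict))
        elif isinstance(val, dict):
            yield from static_routes(val)

def classify(text):
    """Map route name -> 'absent', 'explicit-default' or 'review'."""
    out = {}
    for name, route in static_routes(parse_config(text)):
        pm = route.get("path-monitor")
        out[name] = ("absent" if pm is None else
                     "explicit-default" if pm == DEFAULT_PM else "review")
    return out

if __name__ == "__main__":
    print(classify(SAMPLE))
```

Routes reported as "explicit-default" carry exactly the block the article lists; a route reported as "review" has a path-monitor block with other values, so a deletion shown for it in the preview should be checked by hand.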