Static routing table does not match across cluster members-paloaltonetworks-panos

Knowledge
, , ,
Static routing table does not match across cluster members-paloaltonetworks-panos
none 5.0 1
#1

Static routing table does not match across cluster members-paloaltonetworks-panos

Vendor: paloaltonetworks

OS: panos

Description:
Indeni will identify when two devices are part of a cluster and alert if their static routing tables are different.

Remediation Steps:
Ensure the static routing table matches across devices in a cluster.

How does this work?
This script uses the Palo Alto Networks API to retrieve the current routing table (the equivalent of running “show routing route” in CLI).

Why is this important?
Capture the route entries that are statically set on the device.

Without Indeni how would you find this?
An administrator would be able to poll this data through SNMP but additional external logic would be required to correlate the static routes table across cluster members.

panos-show-routing-route

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/show-routing-route/show-routing-route.ind.yaml

static_routing_table_comparison_non_vsx

Failed to fetch the data: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/crossvendor/static_routing_table_comparison_non_vsx.scala
#2

Very important in an Active/Active HA configuration.

When in Active/Passive mode, this rule will not trigger. (see last line of the rule)

There may be certain network design scenarios where these would not match such as in a DR site. They would only be identical with some type of DataCenter Interconnect to extend the IP subnets across sites like Cisco OTV or other failover equipment.