Network technologies and trends

Feb 28 2016   6:15AM GMT

Things to consider before introducing Palo Alto Firewall into routing domain - Series 1

Yasir Irfan


When it comes to routing, most of us are quite comfortable using dedicated routers in enterprise networks. Sometimes the business need or the existing network design forces an organisation to use a traditional firewall not only as a firewall but also as a router. This works well if someone is using basic routing. However, challenges are seen when someone wants to use ECMP or wants to use the firewall as an ABR running the OSPF routing protocol. Based on my experience, Cisco ASA firewalls work like a charm, especially with routing features; they support ECMP for both OSPF and BGP as routing protocols. The Cisco ASA firewall also works well as an ABR, and one will not experience any issues with OSPF adjacency.

[Figure: ASA - ECMP]

The above-mentioned scenario works well with the Cisco ASA firewall. It will do ECMP with R1 & R2 and plays the role of ABR as well, and you will not see any issues with OSPF adjacency.

However, if the same scenario is used with Palo Alto next-generation firewalls, one will face huge challenges with routing. Palo Alto firewalls, as next-generation firewalls, are great; they offer quite unique features, hence they are the leaders in the Gartner Magic Quadrant. But when it comes to routing, they need some really good enhancements.


In the above scenario, the Palo Alto firewall works well as an ABR with PAN-OS 6.x; it can form an OSPF adjacency with the Area 5 router (R3). However, it does not support ECMP for the OSPF and BGP routing protocols. Only one router will be used to route the traffic. The other router will form an adjacency with the Palo Alto firewall, but traffic will never be routed through that router until the active router fails.

In order to support ECMP, one needs to upgrade the Palo Alto firewall to PAN-OS 7.x. By upgrading, one may fix the ECMP issue with additional configuration, but at the same time it fails to work as an ABR. The Palo Alto firewall will never form an OSPF adjacency with the Area 5 router (R3).

[Figure: PA-Routing-OSPF]

Currently, with PAN-OS 6.x or 7.x, one cannot use the above-mentioned scenario; one has to compromise either on ECMP by using PAN-OS version 6.x, or change the routing design by not using the Palo Alto firewall as an ABR with PAN-OS version 7.x.

Note: These are my observations and my views, which might not be true for other kinds of network designs.
