Techclick · Palo Alto · Networking · Static / OSPF / BGP · Interactive · L2 / L3

Palo Alto Routing — Watch the Route Decision Live in 12 Minutes

PAN-OS picks ONE route per destination — best admin-distance wins, drops into the FIB. Pick a destination below, watch static / OSPF / BGP compete in the animator, debug a flapping BGP peer in the state machine, and walk away with the exact CLI for each layer.

📅 2026-05-25 · ⏱ 12 min · 4 interactive demos · 🏷 10-Q assessment + AI Tutor inline

Pick a routing layer — jump straight to it

1. Static + AD: PAN-OS's surprise AD defaults, static = 10 (not 1 like Cisco). Why that matters.
2. OSPF Areas: Backbone, Stub, Totally Stub, NSSA. Pick the right one for each spoke.
3. BGP States: Idle → Connect → OpenSent → OpenConfirm → Established. Where flaps live.
4. RIB → FIB: Route in RIB but missing from FIB? Active flag, next-hop reachability, and recursion.

The mental model — one Virtual Router, four route sources

Every interface on a Palo Alto firewall belongs to a Virtual Router (VR) — the routing context. A VR can run static routes, OSPF, BGP, RIP, and multicast all at once. Each one feeds the RIB with route candidates; PAN-OS picks the best per-destination using Administrative Distance, marks it Active, and installs it in the FIB for actual forwarding.

One sentence to memorise: "RIB collects, FIB forwards. AD breaks ties, metric breaks ties within the same protocol." Stack that on top of PAN-OS's specific AD defaults (which differ from Cisco's) and routing arguments end quickly.

Virtual Router: A self-contained routing context with its own RIB, FIB, routing protocols and redistribution rules. You can have multiple VRs on one firewall for tenant separation or SD-WAN-style designs.

RIB: Routing Information Base. Holds all route candidates from every protocol, sorted by destination. Only one per destination is marked A (Active): that's the AD winner.

FIB: Forwarding Information Base. The dataplane copy of the Active routes. Every packet does a FIB lookup at line rate; the RIB is too slow to consult per packet.

Active flag: The route that won AD selection and got installed in the FIB. show routing route | match A shows just the winners: the route table the dataplane actually uses.

① Static routes + PAN-OS administrative-distance defaults

Sneha at Infosys adds a static default route 0.0.0.0/0 → 203.0.113.1 on her firewall's VR. Then OSPF brings in another default-route candidate. Which wins? On Palo Alto, the static route — PAN-OS's static AD = 10, OSPF Intra-area AD = 30, OSPF External AD = 110. The static beats OSPF every time, the opposite of what Cisco people expect.

▶ Route-Decision Animator — which route drops into FIB

Destination 10.20.30.0/24. Four candidate routes arrive — watch AD pick a winner.

① RIB CANDIDATE Static route 10.20.30.0/24 → 192.168.1.1 · AD = 10 (PAN-OS default).
② RIB CANDIDATE OSPF Intra-area 10.20.30.0/24 via Area 0 · AD = 30.
③ RIB CANDIDATE OSPF External (Type-5) 10.20.30.0/24 redistributed in · AD = 110.
④ RIB CANDIDATE eBGP 10.20.30.0/24 from peer 198.51.100.5 · AD = 20 (industry default).
⑤ COMPARE AD Static (10) < eBGP (20) < OSPF Intra (30) < OSPF Ext (110) → STATIC wins.
⑥ FIB INSTALLED 10.20.30.0/24 via 192.168.1.1 (static, A) drops into the FIB. Dataplane forwards.
PAN-OS static AD = 10 (NOT 1 like Cisco). It beats OSPF AND eBGP by default. People burn hours not knowing this.
PAN-OS AD defaults — memorise this table

Static = 10 (Cisco = 1)
OSPF Intra-area = 30 (Cisco = 110)
OSPF Inter-area = 30
OSPF External = 110
eBGP = 20 (same as Cisco)
iBGP = 200 (same as Cisco)

Why does PAN-OS use these unusual defaults? Historical: to make routing more deterministic by default. If you mix Cisco and Palo Alto, set AD explicitly on every static / OSPF / BGP statement instead of relying on defaults. It saves 4-hour debug sessions.

Quick check · Q1 of 10

Rahul at TCS configures a static default route on a PA firewall AND learns the same default from OSPF Type-5 (External). He intentionally wants OSPF to win (his backup ISP is reachable via OSPF only). What's the cleanest configuration change?

Correct: c. The classic "floating static" pattern. Bump the static's AD above OSPF's so OSPF wins normally; when OSPF withdraws (peer down, link cut), the static automatically takes over because it's still in the RIB, just not Active. Industry standard pattern; PA supports it cleanly via the static route's "Admin Distance" field. The number doesn't have to be 120: any value > 110 works.
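To make the AD comparison from the animator and the floating-static pattern from Q1 concrete, here is an added Python model of PAN-OS per-destination selection. It is example code written for this page, not Techclick's or Palo Alto's, and the AD tables, prefixes and next-hops are the constructed values from the text above (the Cisco table is included only to reproduce the Q6 point that static beats OSPF on both vendors).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default administrative distances as listed on this page.
PANOS_AD: Dict[str, int] = {
    "static": 10, "ospf-intra": 30, "ospf-inter": 30,
    "ospf-ext": 110, "ebgp": 20, "ibgp": 200,
}
CISCO_AD: Dict[str, int] = {
    "static": 1, "ospf-intra": 110, "ospf-inter": 110,
    "ospf-ext": 110, "ebgp": 20, "ibgp": 200,
}


@dataclass
class Route:
    prefix: str
    next_hop: str
    source: str                 # one of the keys in the AD table
    metric: int = 0             # tie-break only within the same AD
    ad: Optional[int] = None    # explicit AD overrides the vendor default
    active: bool = False


class RIB:
    """Route candidates per prefix; exactly one per prefix carries the A flag."""

    def __init__(self, ad_table: Dict[str, int] = PANOS_AD) -> None:
        self.ad_table = ad_table
        self.routes: Dict[str, List[Route]] = {}

    def effective_ad(self, r: Route) -> int:
        return self.ad_table[r.source] if r.ad is None else r.ad

    def add(self, r: Route) -> None:
        self.routes.setdefault(r.prefix, []).append(r)
        self._select(r.prefix)

    def withdraw(self, prefix: str, source: str) -> None:
        # A protocol withdrawing its candidate triggers re-selection
        self.routes[prefix] = [r for r in self.routes.get(prefix, []) if r.source != source]
        self._select(prefix)

    def _select(self, prefix: str) -> None:
        # Lowest AD wins; metric breaks ties only when the AD is equal.
        cands = self.routes.get(prefix, [])
        for r in cands:
            r.active = False
        if cands:
            min(cands, key=lambda r: (self.effective_ad(r), r.metric)).active = True

    def active(self, prefix: str) -> Optional[Route]:
        return next((r for r in self.routes.get(prefix, []) if r.active), None)

    def fib(self) -> Dict[str, str]:
        """Only Active routes reach the forwarding table."""
        return {p: r.next_hop for p, rs in self.routes.items() for r in rs if r.active}


def animator_demo() -> Route:
    """The four candidates from the animator competing for 10.20.30.0/24 (constructed)."""
    rib = RIB()
    rib.add(Route("10.20.30.0/24", "192.168.1.1", "static"))
    rib.add(Route("10.20.30.0/24", "10.0.0.1", "ospf-intra"))
    rib.add(Route("10.20.30.0/24", "10.0.0.2", "ospf-ext"))
    rib.add(Route("10.20.30.0/24", "198.51.100.5", "ebgp"))
    return rib.active("10.20.30.0/24")


def floating_static_demo() -> Tuple[str, str]:
    """Q1 pattern: static default with AD raised above OSPF external (110)."""
    rib = RIB()
    rib.add(Route("0.0.0.0/0", "203.0.113.1", "static", ad=120))   # floating static
    rib.add(Route("0.0.0.0/0", "10.0.0.2", "ospf-ext"))             # backup ISP via OSPF
    normal = rib.active("0.0.0.0/0").source
    rib.withdraw("0.0.0.0/0", "ospf-ext")                           # OSPF peer goes down
    failover = rib.active("0.0.0.0/0").source
    return normal, failover


def default_route_race(ad_table: Dict[str, int]) -> str:
    """Static default vs OSPF external default with vendor defaults (Q6 point)."""
    rib = RIB(ad_table)
    rib.add(Route("0.0.0.0/0", "203.0.113.1", "static"))
    rib.add(Route("0.0.0.0/0", "10.0.0.2", "ospf-ext"))
    return rib.active("0.0.0.0/0").source


if __name__ == "__main__":
    w = animator_demo()
    print(f"10.20.30.0/24 -> {w.next_hop} ({w.source}, A)")
    print("floating static (normal, after OSPF withdraw):", floating_static_demo())
    print("PAN-OS winner:", default_route_race(PANOS_AD), "| Cisco winner:", default_route_race(CISCO_AD))
```

Setting `ad` explicitly on a Route is the code equivalent of filling in the static route's "Admin Distance" field; leaving it `None` is what bites people who assume the Cisco value.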

② OSPF — the 4 area types and what each one filters

Priya at HCL inherits a fresh OSPF design. Backbone (Area 0) is fine. The spokes have varying needs: pure leaf needs minimal route info; some spokes import external routes (NSSA). OSPF area types determine which LSA types flow into a given area — getting this wrong wastes link bandwidth and forces every router to hold the full external routing table.

▶ Area-Type Filter Animator

Each area type filters specific LSA types. Watch which LSAs reach a router in each area.

① BACKBONE · AREA 0 Receives ALL LSA types — Type-1, 2, 3, 4, 5, 7. Required for any multi-area OSPF design. Every other area must connect to Area 0 (or via virtual-link).
② STANDARD AREA Receives Type-1, 2, 3, 4, 5. Same LSA mix as the backbone, but it is not the backbone itself: it must attach to Area 0. Useful for big spokes that still need external (Type-5) routes.
③ STUB AREA Blocks Type-5 (external). ABR injects a default route (Type-3 0/0) instead. Spoke routers see only intra-area + summary + default.
④ TOTALLY STUB Blocks Type-3, 4, 5. ABR injects ONLY a default. Smallest routing table possible. Cisco-flavoured extension also supported on PAN-OS.
⑤ NSSA Not-So-Stubby — blocks Type-5 BUT allows local redistribution as Type-7 (which the ABR converts back to Type-5 on the way to backbone). Use when a stub spoke has its own external redistribution.
⑥ TOTALLY NSSA NSSA + blocks Type-3, 4 too. Cisco proprietary; PA supports it. Smallest table for an area that still needs to redistribute external.
Pick the most restrictive area type that still meets the spoke's needs. Saves link bandwidth and CPU.
CLI — confirm OSPF adjacencies and DR/BDR
show routing protocol ospf neighbor
show routing protocol ospf summary
Expected output (healthy adjacency)
Neighbor          Pri  State        Dead Time   Interface
192.168.1.2       1    Full/DR       00:00:38   ethernet1/2
192.168.2.5       1    Full/-        00:00:36   ethernet1/3
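The area-type filter above, plus the "pick the most restrictive type that still fits" rule, as an added Python example (written for this page, not Techclick's or Palo Alto's code). The LSA sets follow the animator, the route counts passed to spoke_table_size are constructed, and the chooser reproduces the reasoning behind Q2 and Q9.

```python
from typing import Dict, Set

# LSA types an internal router holds in each area type, following the animator above.
# Type-7 is the NSSA-local external; the NSSA ABR translates it to Type-5 toward Area 0.
LSA_ALLOWED: Dict[str, Set[int]] = {
    "backbone":     {1, 2, 3, 4, 5},
    "standard":     {1, 2, 3, 4, 5},
    "stub":         {1, 2, 3},          # Type-5 blocked (Type-4 has no purpose without it)
    "totally-stub": {1, 2},             # Type-3 blocked too; only the ABR default remains
    "nssa":         {1, 2, 3, 7},
    "totally-nssa": {1, 2, 7},
}
ABR_INJECTS_DEFAULT = {"stub", "totally-stub", "nssa", "totally-nssa"}


def lsa_types_in_area(area_type: str, local_redistribution: bool = False) -> Set[int]:
    """LSA types actually present on an internal router of this area type."""
    allowed = set(LSA_ALLOWED[area_type])
    if not local_redistribution:
        allowed.discard(7)              # Type-7 only exists when the area itself redistributes
    return allowed


def external_reaches_backbone(area_type: str) -> bool:
    """Can a route redistributed inside this area be seen from Area 0?"""
    if area_type in ("backbone", "standard"):
        return True                     # originated directly as Type-5
    if area_type in ("nssa", "totally-nssa"):
        return True                     # Type-7 inside, converted to Type-5 by the ABR
    return False                        # stub / totally stub: redistribution is dropped


def spoke_table_size(area_type: str, intra: int, inter: int,
                     external: int, local_ext: int = 0) -> int:
    """Route-table entries an internal spoke router ends up holding (constructed counts)."""
    if local_ext and not external_reaches_backbone(area_type):
        raise ValueError(f"{area_type} cannot carry locally redistributed routes; use NSSA")
    allowed = lsa_types_in_area(area_type, local_ext > 0)
    n = intra                                   # intra-area routes (Type-1/2) always present
    if 3 in allowed:
        n += inter                              # Type-3 summaries from the ABR
    if 5 in allowed:
        n += external + local_ext               # the full external table, own routes included
    if 7 in allowed:
        n += local_ext                          # own redistribution as Type-7
    if area_type in ABR_INJECTS_DEFAULT:
        n += 1                                  # the ABR's default route
    return n


def pick_area_type(needs_all_externals: bool, has_local_redistribution: bool,
                   needs_summaries: bool) -> str:
    """Most restrictive area type that still meets the spoke's needs."""
    if needs_all_externals:
        return "standard"
    if has_local_redistribution:
        return "nssa" if needs_summaries else "totally-nssa"
    return "stub" if needs_summaries else "totally-stub"


if __name__ == "__main__":
    # Constructed backbone view: 8 intra-area, 40 inter-area, 500 external prefixes
    for area in LSA_ALLOWED:
        ext = 3 if external_reaches_backbone(area) else 0
        print(f"{area:13s} LSAs={sorted(lsa_types_in_area(area, ext > 0))} "
              f"table={spoke_table_size(area, 8, 40, 500, ext)}")
    print("Q2 leaf, default only:", pick_area_type(False, False, False))
    print("Q9 RIP redistribution, wants summaries:", pick_area_type(False, True, True))
```

The chooser works from the spoke's requirements, not the other way round: decide first whether the spoke must originate externals, then whether it needs Type-3 summaries, and the cheapest compliant area type follows.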
Quick check · Q2 of 10

A spoke site at Karthik's Flipkart office has 8 routers but only needs a default route from HQ. It has no local route redistribution. Which OSPF area type minimises the routing table without breaking anything?

Correct: a. Totally Stub gives the absolute minimum table — every spoke router holds only intra-area routes + one Type-3 default. NSSA is needed when the spoke HAS local externals to redistribute; this spoke doesn't, so NSSA buys complexity without value. Backbone / Standard would force the spoke to hold all external routes — wasteful on a leaf.

③ BGP — the 6 peer states and where flaps come from

Aditya at Wipro brings up an eBGP peer to AWS. The peer cycles between Connect, Active, OpenSent, OpenConfirm, never reaches Established. Or worse — it reaches Established, holds for 30 seconds, drops back to Idle, retries. The BGP state machine tells you exactly where the failure lives.

▶ BGP State Machine — Idle to Established

Healthy progression. At each state, the kind of failure that keeps you stuck there.

① IDLE BGP process is waiting for an admin start event. Stuck here = peer is administratively down OR no route to the remote peer IP.
② CONNECT Local side trying to open TCP/179. Stuck here = TCP SYN going out but no SYN-ACK back. Check ACLs, firewall rules, NAT, MTU on the path.
③ ACTIVE Connect timer expired, retrying TCP. Stuck here / oscillating with Connect = transport still broken. Run a packet capture filtered on TCP/179.
④ OPENSENT TCP up; OPEN message sent. Waiting for peer's OPEN. Stuck here = AS-number mismatch, version mismatch, BGP-ID mismatch, MD5 password missing.
⑤ OPENCONFIRM OPEN messages exchanged; waiting for keepalive confirmation. Stuck here = hold-time mismatch beyond negotiable range, or packet-loss eating keepalives.
⑥ ESTABLISHED Peer is up. Routes exchange. Flapping from here back to Idle every ~3 min = Hold Timer expiry — keepalives lost (MTU, link drops, CPU spike, route-map filter unintentionally dropping keepalives).
The state where you're STUCK tells you what to debug — that's the entire diagnostic value of the BGP state machine.
The three killer BGP flap causes

1. MTU mismatch on the peering link. BGP uses TCP, and TCP path MTU is sensitive. A 9000-byte LSP arriving at a 1500-byte hop gets fragmented or dropped; keepalives are lost.
2. Hold Timer too aggressive. Default 180s. Cut it to 9s under heavy keepalive loss and you flap every 9 seconds. Match the peer's timers explicitly.
3. CPU or control-plane policer drops. If the firewall's mgmt-plane CPU spikes, BGP control messages get dropped; the peer expires its hold timer and the session resets. Check show system resources.
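The state machine walkthrough and the hold-timer flap described above, simulated in an added Python example (written for this page; not Techclick's code and not PAN-OS's BGP implementation). AS numbers, timers and event timings are constructed; the per-state hints are the ones from the walkthrough.

```python
from enum import Enum, auto
from typing import List, Optional, Tuple


class State(Enum):
    IDLE = auto()
    CONNECT = auto()
    ACTIVE = auto()
    OPENSENT = auto()
    OPENCONFIRM = auto()
    ESTABLISHED = auto()


# Where to look when a peer is stuck in each state (from the walkthrough above).
STUCK_HINT = {
    State.IDLE: "admin down, or no route to the peer IP",
    State.CONNECT: "TCP/179 SYN unanswered: ACLs, policy, NAT, MTU on the path",
    State.ACTIVE: "transport still broken; capture on TCP/179",
    State.OPENSENT: "AS / BGP-ID / version mismatch, or MD5 password missing",
    State.OPENCONFIRM: "hold-time mismatch or keepalive loss",
    State.ESTABLISHED: "up; a drop back to Idle from here is hold-timer expiry",
}


class BGPPeer:
    """Simplified BGP finite state machine for one neighbour (simulation only)."""

    def __init__(self, remote_as: int, hold_time: int = 180) -> None:
        self.remote_as = remote_as
        self.hold_time = hold_time                  # what we offer in our OPEN
        self.negotiated_hold: Optional[int] = None
        self.last_keepalive: float = 0.0
        self.state = State.IDLE
        self.log: List[str] = []

    def _go(self, new: State, t: float, why: str) -> None:
        self.log.append(f"t={t:>6.0f}s {self.state.name} -> {new.name}: {why}")
        self.state = new

    def start(self, t: float) -> None:
        if self.state is State.IDLE:
            self._go(State.CONNECT, t, "admin start, opening TCP/179")

    def connect_retry_expired(self, t: float) -> None:
        # No SYN-ACK: the peer oscillates Connect <-> Active while retrying the transport
        if self.state is State.CONNECT:
            self._go(State.ACTIVE, t, "ConnectRetry expired, retrying TCP")
        elif self.state is State.ACTIVE:
            self._go(State.CONNECT, t, "retrying TCP")

    def tcp_connected(self, t: float) -> None:
        if self.state in (State.CONNECT, State.ACTIVE):
            self._go(State.OPENSENT, t, "TCP up, OPEN sent")

    def open_received(self, peer_as: int, peer_hold: int, t: float) -> None:
        if self.state is not State.OPENSENT:
            return
        if peer_as != self.remote_as:
            self._go(State.IDLE, t, f"NOTIFICATION: bad peer AS {peer_as}, expected {self.remote_as}")
            return
        self.negotiated_hold = min(self.hold_time, peer_hold)   # lower offer wins
        self.last_keepalive = t
        self._go(State.OPENCONFIRM, t, f"OPEN accepted, hold={self.negotiated_hold}s, KEEPALIVE sent")

    def keepalive_received(self, t: float) -> None:
        self.last_keepalive = t
        if self.state is State.OPENCONFIRM:
            self._go(State.ESTABLISHED, t, "KEEPALIVE received, session up")

    def tick(self, t: float) -> None:
        """Advance the clock; expire the hold timer if keepalives stopped arriving."""
        if self.state in (State.OPENCONFIRM, State.ESTABLISHED) and self.negotiated_hold:
            if t - self.last_keepalive >= self.negotiated_hold:
                self._go(State.IDLE, t, "Hold Timer expired")

    def diagnose(self) -> str:
        return f"{self.state.name}: {STUCK_HINT[self.state]}"


def bring_up(peer: BGPPeer, peer_as: int, peer_hold: int = 180) -> BGPPeer:
    """Healthy event sequence: start, TCP up, OPEN exchanged, first KEEPALIVE at t=3s."""
    peer.start(0)
    peer.tcp_connected(1)
    peer.open_received(peer_as, peer_hold, 2)
    peer.keepalive_received(3)
    return peer


def healthy_session() -> State:
    return bring_up(BGPPeer(remote_as=64512), peer_as=64512).state


def as_mismatch() -> Tuple[State, str]:
    # We configured AS 64512 but the peer's OPEN says 64513 (constructed numbers)
    p = bring_up(BGPPeer(remote_as=64512), peer_as=64513)
    return p.state, p.log[-1]


def stuck_transport() -> str:
    p = BGPPeer(remote_as=64512)
    p.start(0)
    p.connect_retry_expired(120)        # SYN never answered
    return p.diagnose()


def keepalive_loss_flap(hold_time: int = 180) -> Tuple[float, str]:
    """Established, then every keepalive is lost: seconds of uptime before the drop."""
    p = bring_up(BGPPeer(remote_as=64512, hold_time=hold_time), peer_as=64512)
    t = 3.0
    while p.state is State.ESTABLISHED:
        t += 1
        p.tick(t)
    return t - 3.0, p.log[-1]


if __name__ == "__main__":
    print(healthy_session().name, "|", stuck_transport())
    print(as_mismatch()[1])
    print("uptime before flap @180s hold:", keepalive_loss_flap()[0])
    print("uptime before flap @9s hold:", keepalive_loss_flap(hold_time=9)[0])
```

With the default 180-second hold the simulated session lives exactly 3 minutes after the last keepalive, which is the "flaps every 3 minutes" signature from the Established state; lowering the offered hold to 9 seconds shortens that to 9 seconds, as the second flap cause describes.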

Quick check · Q3 of 10

A BGP peer is cycling between Established and Idle every 3 minutes. show routing protocol bgp peer confirms the flap; logs show "Hold Timer expired". Which root cause is MOST consistent with these symptoms?

Correct: d. "Hold Timer expired" specifically means keepalives weren't received in time — the session DID reach Established, then died. AS / MD5 / wrong peer IP issues prevent ever reaching Established (you'd be stuck in OpenSent or Connect, not flapping out of Established). Triage path: MTU first (most common), then packet loss, then CPU.

④ FIB vs RIB — when a route is "there but not there"

Final layer. You can see a route in show routing route output — but traceroute doesn't use it. Why? Either the route lost AD selection (didn't get the A flag), or the next-hop isn't reachable (recursive lookup fails), or the protocol marked it inactive for a different reason. The FIB is the dataplane truth.

▶ "Route present but not forwarding" — 5-step diagnosis

Symptom: show routing route shows the prefix, but traffic doesn't take it.

① CHECK ACTIVE FLAG show routing route destination 10.20.30.0/24. Is the route marked A? No A = lost AD selection. Identify the winner.
② CHECK FIB show routing fib | match 10.20.30.0. Route in RIB but missing from FIB = RIB has it but couldn't install (next-hop unreachable, recursion broken).
③ NEXT-HOP CHECK show routing fib | match <next-hop>. If the next-hop itself has no FIB entry, recursion fails. Static route pointing at an unreachable IP is the classic.
④ BFD STATE If BFD is enabled and the BFD session is Down, PAN-OS may withhold the route from FIB even though the protocol session is up. Check show routing bfd session.
⑤ INSTALL FLAGS Static routes have a per-route "Install" flag (Unicast / Multicast / Both / No-Install). Set to No-Install = visible in RIB, never makes FIB. Easy to miss.
⑥ TEST FROM DATAPLANE test routing fib-lookup virtual-router default ip 10.20.30.42. Final source of truth — what the dataplane will actually do for this destination.
RIB ≠ FIB. The Active flag and the reachability of the next-hop are the two things that decide whether a candidate makes it to the dataplane.
Quick check · Q4 of 10

A static route shows in show routing route with no A flag. The next-hop IP is reachable. Why might PAN-OS still refuse to install the route into the FIB?

Correct: b. Three common reasons. (1) Another protocol won AD selection — the route is in RIB but not Active. (2) The static route's per-route Install flag is set to No-Install (a checkbox on PAN-OS static-route config). (3) Recursive lookup failure — next-hop's own route isn't Active. Walk show routing fib for the next-hop to confirm reachability before assuming AD is the cause.
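The 5-step diagnosis and the Q4 reasons, as an added Python model of the RIB-to-FIB install pipeline: AD selection for the A flag, the static-route Install flag, BFD state, recursive next-hop resolution, and a longest-prefix FIB lookup standing in for test routing fib-lookup. This is example code written for this page, not Techclick's or PAN-OS's logic, and the RIB it builds is constructed so that every failure mode from the list above appears once.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    source: str                      # "connected", "static", "ospf-intra", "ebgp", ...
    ad: int
    next_hop: Optional[str] = None   # None = directly connected subnet
    install: str = "unicast"         # static-route Install flag; "no-install" stays RIB-only
    bfd: Optional[str] = None        # None = BFD not configured, else "up" / "down"
    active: bool = False


class Router:
    """RIB -> FIB pipeline: AD selection, Install flag, BFD, next-hop recursion."""

    def __init__(self, rib: List[Route]) -> None:
        self.rib = rib
        self.fib: Dict[str, str] = {}                    # prefix -> resolved next-hop
        self.reasons: Dict[Tuple[str, str], str] = {}    # (prefix, source) -> why / why not
        self._build()

    def _build(self) -> None:
        winners: Dict[str, Route] = {}
        for r in self.rib:                               # lowest AD per prefix gets the A flag
            if r.prefix not in winners or r.ad < winners[r.prefix].ad:
                winners[r.prefix] = r
        for r in self.rib:
            r.active = r is winners[r.prefix]
        for r in self.rib:
            key = (r.prefix, r.source)
            if not r.active:
                self.reasons[key] = f"not Active: lost AD selection to {winners[r.prefix].source}"
            elif r.install == "no-install":
                self.reasons[key] = "Active but Install flag is No-Install"
            elif r.bfd == "down":
                self.reasons[key] = "Active but BFD session is Down"
            elif r.next_hop is None:
                self.fib[r.prefix] = "connected"
                self.reasons[key] = "installed (connected)"
            else:
                egress = self._resolve(r.next_hop, winners, 0)
                if egress is None:
                    self.reasons[key] = f"Active but next-hop {r.next_hop} does not resolve"
                else:
                    self.fib[r.prefix] = egress
                    self.reasons[key] = f"installed via {egress}"

    def _resolve(self, ip: str, winners: Dict[str, Route], depth: int) -> Optional[str]:
        """Recursive lookup: follow Active, installable routes until a connected one covers it."""
        if depth > 8:
            return None
        addr = ipaddress.ip_address(ip)
        cover = max(
            (w for w in winners.values()
             if addr in ipaddress.ip_network(w.prefix)
             and w.install != "no-install" and w.bfd != "down"),
            key=lambda w: ipaddress.ip_network(w.prefix).prefixlen, default=None)
        if cover is None:
            return None
        if cover.next_hop is None:
            return ip                                    # on a connected subnet: forward to it directly
        if ipaddress.ip_address(cover.next_hop) == addr:
            return None                                  # the route would recurse onto itself
        return self._resolve(cover.next_hop, winners, depth + 1)

    def fib_lookup(self, ip: str) -> Optional[Tuple[str, str]]:
        """Longest-prefix match on the FIB: what the dataplane would actually do."""
        addr = ipaddress.ip_address(ip)
        hits = [p for p in self.fib if addr in ipaddress.ip_network(p)]
        if not hits:
            return None
        best = max(hits, key=lambda p: ipaddress.ip_network(p).prefixlen)
        return best, self.fib[best]


def demo_router() -> Router:
    """Constructed RIB that exercises every step of the diagnosis above."""
    return Router([
        Route("192.168.1.0/24", "connected", 0),
        Route("203.0.113.0/24", "connected", 0),
        Route("10.20.30.0/24", "static", 10, next_hop="192.168.1.1"),
        Route("10.20.30.0/24", "ospf-intra", 30, next_hop="192.168.1.7"),   # loses AD: no A flag
        Route("172.16.0.0/16", "ospf-intra", 30, next_hop="192.168.1.1"),
        Route("10.80.0.0/16", "static", 10, next_hop="172.16.5.1"),         # resolves via the OSPF route
        Route("10.50.0.0/16", "static", 10, next_hop="10.99.99.1"),         # next-hop has no route
        Route("10.60.0.0/16", "static", 10, next_hop="192.168.1.1", install="no-install"),
        Route("10.70.0.0/16", "ebgp", 20, next_hop="203.0.113.9", bfd="down"),
    ])


if __name__ == "__main__":
    r = demo_router()
    for key, why in r.reasons.items():
        print(f"{key[0]:16s} {key[1]:11s} {why}")
    print("fib-lookup 10.20.30.42 ->", r.fib_lookup("10.20.30.42"))
    print("fib-lookup 10.50.1.1   ->", r.fib_lookup("10.50.1.1"))
```

The reasons dictionary is the part worth keeping in mind: a prefix that is present in the RIB can be absent from the FIB for four different reasons, and the step that names the reason is the one that ends the debugging session.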


📝 Wrap-up — six more

You've already answered 4 inline. Six left. 70% (7 of 10) total marks the lesson complete on your profile.

Q5 · Apply

A redistribution profile is configured to bring OSPF external routes into BGP. The team wants ONLY specific subnets to redistribute, blocking everything else. Where does the deny rule belong in the profile?

Correct: c. Redistribution rules use the same top-down, first-match-wins evaluation as security policy. Specific denies on top, broad allows below — the standard pattern. Get the order wrong and the broad allow fires first; the deny rule never gets a turn.
Q6 · Analyze

A team uses both Cisco and Palo Alto firewalls. They add a default static route on a PA firewall with default AD, expecting OSPF to be preferred (as on Cisco where static AD=1 vs OSPF=110, static usually wins). Instead, the static beats OSPF unexpectedly on the PA. Why?

Correct: b. The misconception is that "OSPF beats static on Cisco by default" — actually static (AD 1) beats OSPF (AD 110) on Cisco too. The visible difference is the magnitude: on Cisco the gap is 109; on PA it's 20. Either way, static wins on BOTH vendors unless you tweak AD. The portable fix in mixed estates: set AD explicitly on every protocol, never trust the default.
Q7 · Analyze

A design uses two Virtual Routers — VR-Trust and VR-Untrust — on the same firewall. Some traffic from VR-Trust should reach destinations only known to VR-Untrust. How is this stitched together inside one firewall?

Correct: a. next-vr static routes are PAN-OS's clean way to stitch VRs together without cabling. Common in SD-WAN-style multi-VR designs. Keep this in mind for PCNSE — it's a top-asked question on multi-VR architecture.
Q8 · Analyze

On PAN-OS, what is the default administrative distance for eBGP?

Correct: b. eBGP = 20, iBGP = 200 on PAN-OS (industry standard). The non-obvious consequence on Palo Alto: because static = 10, a leftover static route can silently beat your fresh eBGP design. Audit static routes BEFORE turning up eBGP.
Q9 · Evaluate

A spoke has 4 routers in one OSPF area. The spoke needs to redistribute LOCAL routes from RIP into OSPF for upstream visibility. Which area type fits — and what should the team NOT use?

Correct: c. NSSA is the exact use case — a stub-like area that ALSO needs to redistribute from a non-OSPF source. Stub / Totally Stub block ALL external types including Type-7, so redistribution wouldn't propagate. Totally NSSA is overkill if you still want Type-3 summaries from backbone.
Q10 · Evaluate

A team designs a dual-firewall HA pair running eBGP to upstream ISP. They want both firewalls to learn the same routes (so HA failover is invisible to internet users). What design is correct?

Correct: b. In Active/Passive, the active firewall holds the BGP session. HA-sync mirrors routes to the standby's FIB; on failover, the standby takes over the floating IP and resumes BGP from scratch (or graceful restart if configured). Active/Active needs each device to peer independently — the ISP sees two BGP speakers and needs to handle multipath. Most enterprises start A/P for simplicity.

📚 Sources

  1. Palo Alto Docs — Static Route Overview & Configure Route Redistribution (PAN-OS 10.x / 11.x). docs.paloaltonetworks.com
  2. Palo Alto Docs — Configure OSPFv2 on an Advanced Routing Engine. docs.paloaltonetworks.com
  3. Palo Alto Docs — Network → Routing → Routing Profiles → BGP (PAN-OS 11.2). docs.paloaltonetworks.com
  4. Palo Alto KB — How to Influence Routes in OSPF to Take Precedence Over Static + Routing Table has Multiple Prefixes for the Same Route. knowledgebase.paloaltonetworks.com
  5. LIVECommunity — Support FAQ: How to Troubleshoot BGP on Palo Alto Networks Firewalls (thread 1230588). live.paloaltonetworks.com
  6. LIVECommunity — BGP Session flaps for every 3 minutes — PAN OS (thread 447212). live.paloaltonetworks.com
  7. RFC 2328 (OSPFv2) & RFC 4271 (BGP-4) — protocol reference for state machine + area types.

What's next?

Routing controls where packets go in steady-state. Next: HA — what happens when the active firewall dies. Active/Passive vs Active/Active, election factors, heartbeat link saturation, the 2-hour-flap diagnosis.