I switched my lab box to the advanced routing engine (ARE), and now I can't run the CLI command "test routing fib-lookup" because it wants a virtual router in the argument, but in ARE there are only logical routers now. Does that mean i can't use the command anymore? There's no way to test lookups in the ARE??? :( This stinks, it was a useful tool. lab-pa> test routing fib-lookup ip 1.2.3.4 ? * virtual-router within virtual-router lab-pa> test routing fib-lookup ip 1.2.3.4 virtual-router ? <value> within virtual-router

Good Day Team, Would appreciated your expert advise. We have a PA 3250 as a central location / Data Centre that has many Dynamic Routing , such as OSPF with the mulitiple service provider. We have an express route OSPF neighbourship to Express Route , we are now deciding to change this ISP as we seem to run into issues quite often to azure an the point they also have to switch links for services to operate. We have sourced another ISP that offer Express route to Azure our a layer to Medium.Azure uses BGP as thier preffered Dynamic routing and offers 2 VR for redundancy using the same AS Number in Azure. They are going to bring down using STAGs by using two vlans to the Datacenter Center for this Express route connectivity. The firewall is configured with two sub-nterface and one already has a bgp estalished with Azure Express Route VR with routes Aggregated. We one now want to etablish a second BGP to the Second Azure VR to create this redunancy having the same routing table. Now on a POC to try the an mimic the same config as the Datacenter firewall we using a single VR instance on the Palo Alto and as mentioned earlier with multiple ospf areas to multiple service providers , we are now configuring BGP two cisco Router Neighbourship using the same dummy routes on both Cisco Routers. The First routers establishes fine and routes are advdertised no issue , the Second ciso router does not like establishing a bgp connection as the same AS number being used.So change the AS number on the 2nd Router and we have a full BGP estalishement. On a the firewall how do we configure which route in BGP to be best preffered or weighted like in a metric. Also noticed that with just the default BGP configuration with the two routers the redundacy seems to work by shutting down one router and assuming that its using the bgp connection with the lowest AS number , router -id or ip , that great but how do we manipulate which router to send the preffered traffic too only if that router goes down use the send router. I know this is a bit long winded write , but would appreciate your expert advise.

IPSEC VPN - Palo Alto to Fortigate ( Forti behind a NAT ) Hello community, as always thank you for your collaboration. I understand that it is feasible, I have not had to do it, but I understand that it is possible to do the following. Scenario: -Palo Alto Firewall Static Public IP directly connected to PA Interface. -Firewall fortigate behind traditional Modem/Route/OTN almost domiciliary with Dynamica public IP but with private IP in its WAN interface of the fortigate. I.e.: PaloAlto-Untrust-Interface-Static dedicated Public IP=======Internet=====VPN-Site-to-Site=============Dynamic-IP-traditional-Internet-Modem-ISP=====NAT===Private WAN IP Fortigate. I can set up a Site to Site VPN tunnel between a Palo Alto FW with dedicated static public IP coming directly to the AP against a Fortigate firewall behind a traditional ISP modem/router/nat. Is it feasible to realize this IPSEC tunnel, that is stable, operates correctly ? What aspects, configurations, settings, etc. should I consider when making this configuration? Thanks as always for the collaboration, good vibes and for all the advice and your time in answering. Greetings and very attentive to your comments.