Hello, good afternoon everyone, thank you very much for your support and help.
I have the following scenario:
A pair of firewalls configured in HA, Active/Passive, model 5250. There are currently two links to the Internet. The main link, the active one, is used for the general default output to the Internet for everyone and has a 0.0.0.0 route with metric "10". The second link is used, by means of PBF, for exclusive output to certain IPs of AWS services, among other exclusive functions and destinations. At the route table level this second link has a 0.0.0.0 route with metric "30". Although the PBF is what is used (it overrides the route table), the route is in any case included in the static routes of the virtual router; but with two routes to the same destination, the route with metric 10, that is, the main link, is the one that passes from the RIB to the FIB.
Now, after the previous background, the detail of the doubt: I want to configure Path Monitoring to monitor some destinations that are reached exclusively by the secondary link, to validate that, in case of any problem, the change in the HA is carried out between the active and passive devices.
Reviewing the documentation, regarding the "Source IP" section using the "Virtual Router Path" option, it says the following: "The source IP address for path groups associated with virtual routers* will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address".
Now from this comes the enormous doubt. I must monitor the path/route in the HA failure conditions settings and I must register some destinations that are reached exclusively by the secondary link to the Internet (that is, by the link with metric 30, the one that is not installed in the FIB and only in the RIB), but the documentation says that it will use as source the IP of the exit interface according to the route. That is where my great doubt is: if said route is not installed in the FIB, since in the FIB there will only be the metric 10 route and not the metric 30 one, and the destination that I need to monitor is reached exclusively through the metric 30 link, which the users, servers and LAN networks currently reach using a PBF, then, when I want to monitor and validate said destination at the HA path monitoring settings level, will I have some problem being able to probe it, reach it and have it respond? That destination is for the moment reached by PBF for the users (it is understood that PBF is not valid for traffic originated from Palo Alto itself; in this case, for the monitoring of the routes and destination, a PBF cannot be used for this traffic because it is originated from the exit interface of Palo Alto), and the documentation says that it will validate with the routing table, but in the routing table the route is present while at the FIB level it only installs the default route, that is, the 0.0.0.0 route with metric 10, and the other, the metric 30 route, is only maintained as a possible route in the RIB.
I hope you can help me solve my doubts and see how it is possible to make the above scenario work.
Thank you very much, I remain attentive. Cordial greetings.
You are correct. In your current config you will only be able to monitor the if2 next hop; everything else will follow the metric 10 default gateway 0.0.0.0/0. If you need to monitor IP addresses beyond hop 1 of if2, you will need to add a /32 route for the destination IP, going out of if2 and pointed at its next hop.
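To illustrate the answer's reasoning, here is an added example (not from the thread or from PAN-OS itself) that models the RIB-to-FIB selection and the longest-prefix lookup the path monitor's source interface follows: without a /32, the monitored host resolves to the metric 10 link, the if2 next hop itself resolves to if2 because it is directly connected, and after the /32 is added only that host moves to if2. Interface names, next hops and addresses are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed RIB modelled on the thread: two default routes, metric 10 via the
# primary link and metric 30 via the secondary link, plus the connected networks.
# Interface names, next hops and the monitored address are assumptions.
# Entries: (prefix, metric, egress interface, next hop or None if connected)
RIB = [
    ("203.0.113.0/24", 0, "ethernet1/1", None),        # connected, primary link
    ("198.51.100.0/24", 0, "ethernet1/2", None),       # connected, secondary link
    ("0.0.0.0/0", 10, "ethernet1/1", "203.0.113.1"),   # primary default route
    ("0.0.0.0/0", 30, "ethernet1/2", "198.51.100.1"),  # secondary default route
]

def build_fib(rib):
    """RIB -> FIB: for each prefix keep only the lowest-metric route."""
    fib = {}
    for prefix, metric, iface, nh in rib:
        net = ip_network(prefix)
        if net not in fib or metric < fib[net][0]:
            fib[net] = (metric, iface, nh)
    return fib

def egress_for(fib, dst):
    """Longest-prefix match over the FIB. Returns (egress interface, next hop):
    the interface is what the path monitor sources its probes from for dst."""
    addr = ip_address(dst)
    best = None
    for net, (_, iface, nh) in fib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, nh)
    if best is None:
        return None
    return (best[1], best[2] if best[2] else dst)  # connected: dst is the hop

def with_host_route(rib, dst, iface, nh, metric=10):
    """The answer's fix: a /32 route for the monitored host out of if2."""
    return rib + [(f"{dst}/32", metric, iface, nh)]

if __name__ == "__main__":
    monitored = "192.0.2.10"  # constructed host reached only via the secondary link
    print("before /32:", egress_for(build_fib(RIB), monitored))
    fixed = with_host_route(RIB, monitored, "ethernet1/2", "198.51.100.1")
    print("after /32: ", egress_for(build_fib(fixed), monitored))
    print("other dst: ", egress_for(build_fib(fixed), "192.0.2.99"))
```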