About Static and Default Routes
To route traffic to a non-connected host or network, you must define a route to the host or network, either using static or dynamic routing. Generally, you must configure at least one static route: a default route for all traffic that is not routed by other means to a default network gateway, typically the next hop router.
Default Route
The simplest option is to configure a default static route to send all traffic to an upstream router, relying on the router to route the traffic for you. A default route identifies the gateway IP address to which the threat defense device sends all IP packets for which it does not have a learned or static route. A default static route is simply a static route with 0.0.0.0/0 (IPv4) or ::/0 (IPv6) as the destination IP address.
You should always define a default route.
The threat defense has separate routing tables for data interfaces and for management-only interfaces (including the special Linux Management interface). You can only add a default route for the data routing table. The threat defense automatically adds a default route in the management-only routing table that sends traffic to the Linux Management interface, where a separate route lookup occurs in the Linux routing table. You can add static routes to the Linux routing table that can be used by Management using the threat defense CLI configure network static-routes command.
Note: The default Linux route is set with the configure network ipv4 or configure network ipv6 command.
Static Routes
You might want to use static routes in the following cases:
- Your networks use an unsupported router discovery protocol.
- Your network is small and you can easily manage static routes.
- You do not want the traffic or CPU overhead associated with routing protocols.
- In some cases, a default route is not enough. The default gateway might not be able to reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is outside, then the default route cannot direct traffic to any inside networks that are not directly connected to the threat defense device.
- You are using a feature that does not support dynamic routing protocols.
- Virtual routers use static routes to create route leaks. Route leaks enable flow of traffic from an interface of a virtual router to another interface in another virtual router. For more information, see Interconnecting Virtual Routers.
Route to null0 Interface to Drop Unwanted Traffic
Access rules let you filter packets based on the information contained in their headers. A static route to the null0 interface is a complementary solution to access rules. You can use a null0 route to forward unwanted or undesirable traffic so the traffic is dropped.
Static null0 routes have a favorable performance profile. You can also use static null0 routes to prevent routing loops. BGP can leverage the static null0 route for Remotely Triggered Black Hole routing.
Route Priorities
- Routes that identify a specific destination take precedence over the default route.
- When multiple routes exist to the same destination (either static or dynamic), then the administrative distance for the route determines priority. Static routes are set to 1, so they typically are the highest priority routes.
- When you have multiple static routes to the same destination with the same administrative distance, see Equal-Cost Multi-Path (ECMP) Routing.
- For traffic emerging from a tunnel with the Tunneled option, this route overrides any other configured or learned default routes.
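The selection order above, modelled as a small lookup function. This is an added illustration, not threat defense code; the Route class, lookup(), drops() and the sample table are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    prefix: str               # destination; "0.0.0.0/0" is the default route
    next_hop: str             # gateway address, or "null0" to drop matching traffic
    interface: str
    admin_distance: int = 1   # static routes are set to 1, so they usually win ties
    tunneled: bool = False    # default route configured with the Tunneled option

def lookup(table, dst, from_tunnel=False):
    """Return the best route(s) for dst; more than one entry means ECMP, [] means no route."""
    dst = ip_address(dst)
    # A Tunneled default route is only a candidate for traffic emerging from a tunnel.
    candidates = [r for r in table
                  if dst in ip_network(r.prefix) and (from_tunnel or not r.tunneled)]
    if not candidates:
        return []
    # 1. A route to a specific destination takes precedence over the default route.
    best_len = max(ip_network(r.prefix).prefixlen for r in candidates)
    candidates = [r for r in candidates if ip_network(r.prefix).prefixlen == best_len]
    # 2. For tunnel traffic, the Tunneled default route overrides every other default route.
    if from_tunnel and best_len == 0:
        tunneled = [r for r in candidates if r.tunneled]
        if tunneled:
            return tunneled
    # 3. Same destination: the lowest administrative distance wins.
    best_ad = min(r.admin_distance for r in candidates)
    # 4. Same destination and same administrative distance: all survive (ECMP).
    return [r for r in candidates if r.admin_distance == best_ad]

def drops(table, dst):
    """True if the selected route black-holes dst via null0."""
    return any(r.next_hop == "null0" for r in lookup(table, dst))

# Constructed sample table; all addresses are documentation ranges, not real hosts.
TABLE = [
    Route("0.0.0.0/0", "203.0.113.1", "outside"),                       # default route
    Route("0.0.0.0/0", "203.0.113.254", "outside", tunneled=True),      # Tunneled default
    Route("10.1.0.0/16", "192.168.1.2", "inside"),                      # static, AD 1
    Route("10.1.0.0/16", "192.168.1.3", "inside", admin_distance=110),  # learned, same destination
    Route("172.16.0.0/12", "192.168.1.4", "inside"),                    # two equal-cost statics
    Route("172.16.0.0/12", "192.168.1.5", "inside2"),
    Route("192.0.2.0/24", "null0", "null0"),                            # drop unwanted traffic
]
```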
Transparent Firewall Mode and Bridge Group Routes
For traffic that originates on the threat defense device and is destined through a bridge group member interface for a non-directly connected network, you need to configure either a default route or static routes so the threat defense device knows out of which bridge group member interface to send traffic. Traffic that originates on the threat defense device might include communications to a syslog server or SNMP server. If you have servers that cannot all be reached through a single default route, then you must configure static routes. For transparent mode, you cannot specify the BVI as the gateway interface; only member interfaces can be used. For bridge groups in routed mode, you must specify the BVI in a static route; you cannot specify a member interface. See for more information.
Static Route Tracking
One of the problems with static routes is that there is no inherent mechanism for determining if the route is up or down. They remain in the routing table even if the next hop gateway becomes unavailable. Static routes are only removed from the routing table if the associated interface on the threat defense device goes down.
The static route tracking feature provides a method for tracking the availability of a static route and installing a backup route if the primary route should fail. For example, you can define a default route to an ISP gateway and a backup default route to a secondary ISP in case the primary ISP becomes unavailable.
The threat defense device implements static route tracking by associating a static route with a monitoring target host on the destination network that the threat defense device monitors using ICMP echo requests. If an echo reply is not received within a specified time period, the host is considered down, and the associated route is removed from the routing table. An untracked backup route with a higher metric is used in place of the removed route.
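A simulation of the tracking behaviour just described: a tracked primary default route is withdrawn after consecutive missed echo replies and the untracked backup with the higher metric takes over. This is an added example, not threat defense code; the TrackedRoute and RouteTracker classes, the miss threshold and the probe outcomes are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class TrackedRoute:
    destination: str                    # "0.0.0.0/0" for a default route
    gateway: str
    metric: int
    track_target: Optional[str] = None  # host probed with ICMP echo requests; None = untracked
    installed: bool = True              # False once the route is withdrawn from the table

class RouteTracker:
    """Withdraws a tracked route after `threshold` consecutive missed echo replies."""
    def __init__(self, routes, threshold=3):
        self.routes = routes
        self.threshold = threshold
        self.misses = {r.track_target: 0 for r in routes if r.track_target}

    def poll(self, echo_replies):
        """echo_replies maps monitoring target -> True if a reply arrived within the timeout."""
        for route in self.routes:
            target = route.track_target
            if target is None:
                continue                      # untracked backup route always stays installed
            if echo_replies.get(target, False):
                self.misses[target] = 0
                route.installed = True        # target answers again: reinstall the route
            else:
                self.misses[target] += 1
                if self.misses[target] >= self.threshold:
                    route.installed = False   # target considered down: remove the route

    def active_default(self):
        """Installed default route with the lowest metric, or None if none is installed."""
        installed = [r for r in self.routes if r.installed and r.destination == "0.0.0.0/0"]
        return min(installed, key=lambda r: r.metric, default=None)

def simulate(reply_sequence, threshold=3):
    """Constructed scenario: primary ISP default route tracked against its own gateway, plus an
    untracked backup default to a second ISP. Returns the gateway in use after each poll."""
    primary = TrackedRoute("0.0.0.0/0", "203.0.113.1", metric=1, track_target="203.0.113.1")
    backup = TrackedRoute("0.0.0.0/0", "198.51.100.1", metric=254)
    tracker = RouteTracker([primary, backup], threshold)
    chosen = []
    for reply_received in reply_sequence:
        tracker.poll({"203.0.113.1": reply_received})
        chosen.append(tracker.active_default().gateway)
    return chosen
```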
When selecting a monitoring target, you need to make sure that it can respond to ICMP echo requests. The target can be any network object that you choose, but you should consider using the following:
- The ISP gateway (for dual ISP support) address
- The next hop gateway address (if you are concerned about the availability of the gateway)
- A server on the target network, such as a syslog server, that the threat defense device needs to communicate with
- A persistent network object on the destination network
Note: A PC that may be shut down at night is not a good choice.
You can configure static route tracking for statically defined routes or default routes obtained through DHCP or PPPoE. You can only enable PPPoE clients on multiple interfaces with route tracking configured.