Configuring the Routing Table

Background

This page shows the routing table with the routes added on your appliance:

Version

Description

R81.10.05 and higher

The Device view > Advanced Routing section > Routing Table page.

R81.10.00

The Device view > Network section > Routing page.

Notes:

  • You can add or edit routes and configure manual routing rules.

    You cannot edit system defined routes.

  • You can specify routes for and associate IP addresses with selected VPN tunnels.

    To add, delete, and modify the IP addresses, use dynamic routing protocols.

  • When no default route is active, this page shows this message:

    Note - No default route is configured. Internet connections might be down or not configured.

  • For Internet Connection High Availability, the default route changes automatically on failover (based on the active Internet connection).

  • When a network interface is disabled, the routing table shows all routes for that interface as inactive. A route automatically becomes active when the interface is enabled. Traffic for an inactive route is routed based on active routing rules (usually, to the default route).

  • You cannot edit, delete, enable, and disable routes created by the operating system for directly attached networks or by dynamic routing protocols.

Routing Table Columns

Column

Description

Destination

The route rule applies only to traffic whose destination matches the destination IP address/network.

Source

IPv4 address only.

The route rule applies only to traffic whose source matches the source IP address/network.

Service

IPv4 address only.

The route rule applies only to traffic whose service matches the service IP protocol and ports or service group.

Next Hop

The next hop gateway for this route, with these options:

  • Specified IP address of the next hop gateway.

  • Specified Internet connection from the connections configured in the appliance.

  • Specified VPN Tunnel Interface (VTI).

Metric

The priority of the route.

If multiple routes to the same destination exist, the route with the lowest metric is selected.

Protocol

Type of route:

  • Static

  • Directly connected

  • BGP

  • OSPF

  • RIP

  • Aggregate

  • Kernel

  • N/A

Rank

A numeric value used to determine which protocol has a higher priority - the lower the value, the higher the priority).

Notes:

Limitations

  • When there is a default route on an internal port, WebUI and SSH access to the appliance is allowed only through the LAN ports or the active Internet connection (and not through an inactive Internet interface).

  • In R81.10.00, static routes are not supported with a VPN Tunnel (VTI) as the Next Hop.

Adding a Specific IPv4 Static Route

This procedure adds a specific static route to send traffic from any source, to any destination, for any protocol to a specific IPv4 address.

  1. From the left navigation panel, click Device.

  2. In the Advanced Routing section, click the Routing Table page.

  3. Above the routing table, click New.

    The New Static Routing Rule window opens.

  4. In the Destination column:

    • To route traffic to any destination, leave the default value Any.

    • To route traffic to a specific destination IPv4 address:

      1. Click the value Any.

      2. Select Specified IP Address.

      3. Configure the required IP Address.

      4. Configure the required Subnet Mask.

      5. Click OK.

  5. In the Source column:

    • To route traffic from any source, leave the default value Any

    • To route traffic from a specific IPv4 address:

      1. Click the value Any.

      2. Select Specified IP Address.

      3. Configure the required IP Address.

      4. Configure the required Subnet Mask.

      5. Click OK.

  6. In the Service column:

    • To route traffic for all services (protocols), leave the default value Any

    • To route traffic for a specific service:

      1. Click the value *Any.

      2. Select the required service object or a service group object.

        Notes:

        • You can select only one service object or one service group object.

        • In the bottom right corner, you can click New > Service, or Service group to create a custom service or a group of services.

      3. Click OK.

  7. In the Next Hop column:

    1. Click the cell.

    2. Select the required option:

      • IP Address - Enter the IPv4 address of the required next hop.

        Note - This option supports the nexthop probing only if in the Destination column, you selected Specified IP Address (destination-based route).

        • For the probing to work, the nexthop IP address must be on the same subnet as one of the internal appliance interfaces (LAN, DMZ).

        • If it is necessary to probe a nexthop of an Internet connection, then enable SD-WAN and use the SD-WAN probing settings (see SD-WAN).

      • Internet connection - Select the required Internet connection.

        Note - This option does not support the nexthop probing.

      • VPN Tunnel (VTI) - Select the required VPN Tunnel Interface or the GRE interface (you must configure it in advance).

        Note - This option supports the nexthop probing only if in the Destination column, you selected Specified IP Address (destination-based route).

      • Interface - Select the required Local Network interface (LAN, DMZ).

        Notes:

        • In the R81.10.X releases, this option is available starting from the R81.10.05 version.

        • This option does not support the nexthop probing.

    3. Click OK.

  8. Optional: In the Comment field, enter an applicable text.

  9. Optional: In the Metric field, enter a value:

    Notes:

    • Enter a value between 0 and 100.

    • The lower the value, the higher the priority.

    • The default metric is 0.

  10. Optional: In the Rank field, enter a value between 1 and 255 to define priority between routes with the same destination but for different routing protocols.

    Notes:

    • In the R81.10.X releases, this field is available starting from the R81.10.10 version.

    • Rank is allowed only if in the Destination column, you selected Specified IP Address.

    • Rank is per destination.

      All routes with the same destination have the same rank, even though their next hop and metric are different.

    • The default rank is 60.

    • To change the default route rank, go to Device view > Advanced Settings .

  11. Optional: Configure the nexthop probing.

    In R81.10.08 and lower versions:

    You must disable the probing because in these versions, the probing feature supports only default static routes.

    • In R81.10.08 and R81.10.07 versions:

      In the Monitoring field, select Off.

    • In R81.10.05 and lower versions:

      In the Probing method field, select Off.

    In R81.10.10 and higher versions:

    In the Monitoring field, select the applicable option:

    • Off - To disable the route probing (this is the default).

    • On - To enable the route probing.

    Configure the applicable probing servers. For example:

    • dns.google.com

    • dns.cloudflare.com

    • dns.opendns.com

    Notes:

    • Starting from R81.10.10, the probing feature supports only default static routes and destination-based routes.

      Policy-based routes are supported starting from R81.10.15

    • If the Next Hop type is an IP address,

      For destination-based routes, the nexthop IP address must be on the same subnet as the destination IP address.

      For example, for a route with a destination to 7.7.7.0/24 and nexthop 192.168.2.3, a probing server must have an IP address from the 7.7.7.0/24 subnet (for example, 7.7.7.10).

    • If the nexthop type is a VTI (or a GRE), the nexthop can either be on the subnet of the destination IP address or the IP address of the remote-peer of the tunnel if you want to probe the tunnel.

  12. Optional: In the Advanced Probing Settings section, configure the probing settings:

    • Probing frequency - Interval between pings.

    • Percentage of failed attempts - Threshold to consider the nexthop as unreachable.

    • Max latency - Maximum latency for pings.

    • Reconnection delay - Delay before the appliance starts using this route again after the nexthop becomes reachable again.

    • History timeline size - Size of the probing history timeline in the Route Monitoring window (see Route Monitoring).

    Note - You can hover over the field name to see the icon and hover over it to see the tooltip.

  13. Save the changes:

    • In R81.10.10 and higher versions:

      Click Save.

    • In R81.10.08 and lower versions:

      Click Apply.

Adding a Default IPv4 Static Route

This procedure adds a default static route to send traffic from any source, to any destination, for any protocol.

  1. From the left navigation panel, click Device.

  2. In the Advanced Routing section, click the Routing Table page.

  3. Above the routing table, click New.

    The New Static Routing Rule window opens.

  4. In the Destination column:

    Leave the default value Any.

  5. In the Source column:

    Leave the default value Any.

  6. In the Service column:

    Leave the default value Any.

  7. In the Next Hop column:

    1. Click the cell.

    2. Select the required option:

      • IP Address - Enter the IPv4 address of the required next hop.

        Note - This option supports the nexthop probing.

        • For the probing to work, the nexthop IP address must be on the same subnet as one of the internal appliance interfaces (LAN, DMZ).

        • If it is necessary to probe a nexthop of an Internet connection, then enable SD-WAN and use the SD-WAN probing settings (see SD-WAN).

      • Internet connection - Select the required Internet connection.

        Note - This option does not support the nexthop probing.

      • VPN Tunnel (VTI) - Select the required VPN Tunnel Interface or the GRE interface (you must configure it in advance).

        Note - This option supports the nexthop probing.

      • Interface - Select the required Local Network interface (LAN, DMZ).

        Notes:

        • In the R81.10.X releases, this option is available starting from the R81.10.05 version.

        • This option does not support the nexthop probing.

    3. Click OK.

  8. Optional: In the Comment field, enter an applicable text.

  9. In the Metric field, enter a value:

    Notes:

    • Enter a value between 101 and 200.

    • The lower the value, the higher the priority.

  10. Optional: In the Probing method field, select the applicable option:

    • Off - route probing is disabled.

    • On - route probing is enabled.

    Configure the applicable nexthop servers to probe. For example:

    • dns.google.com

    • dns.cloudflare.com

    • dns.opendns.com

    Notes:

    • Starting from R81.10.10, the probing feature supports only default static routes and destination-based routes.

      Policy-based routes are supported starting from R81.10.15.

    • If the Next Hop type is an IP address,

      For destination-based routes, the nexthop IP address must be on the same subnet as the destination IP address.

      For example, for a route with a destination to 7.7.7.0/24 and nexthop 192.168.2.3, a probing server must have an IP address from the 7.7.7.0/24 subnet (for example, 7.7.7.10).

    • If the nexthop type is a VTI (or a GRE), the probing server can either be on the subnet of the destination IP address or the IP address of the remote-peer of the tunnel if you want to probe the tunnel.

  11. Optional: In the Advanced Probing Settings section, configure the probing settings:

    • Probing frequency - Interval between pings.

    • Percentage of failed attempts - Threshold to consider the nexthop as unreachable.

    • Max latency - Maximum latency for pings.

    • Reconnection delay - Delay before the appliance starts using this route again after the nexthop becomes reachable again.

    • History timeline size - Size of the probing history timeline in the Route Monitoring window (see Route Monitoring).

    Note - You can hover over the field name to see the icon and hover over it to see the tooltip.

  12. Save the changes:

    • In R81.10.10 and higher versions:

      Click Save.

    • In R81.10.08 and lower versions:

      Click Apply.

Editing an Existing Static Route

  1. From the left navigation panel, click Device.

  2. In the Advanced Routing section, click the Routing Table page.

  3. In the routing table, click the route.

  4. Above the routing table, click Edit.

  5. Change the configuration.

  6. Click Apply.

Deleting an Existing Static Route

  1. From the left navigation panel, click Device.

  2. In the Advanced Routing section, click the Routing Table page.

  3. In the routing table, click the route.

  4. Above the routing table, click Delete.

Enabling or Disabling an Existing Static Route

  1. From the left navigation panel, click Device.

  2. In the Advanced Routing section, click the Routing Table page.

  3. In the routing table, click the route.

  4. Above the routing table, click Enable or Disable.

Route Monitoring

Above the IPv4 Routing table, click Monitor.

The Route Monitoring window opens.

Every row represents a server that the route probes to and its statistics.

Example:

Next Hop

Route Status

Server

Packet Loss

Failures

Min Latency

Avg. Latency

1.1.1.1

Active

dns.google.com

0

0

4

5.7

Each monitored route can have a maximum of 3 rows (one for each server).

Route Status:

  • Active (green)

  • Inactive (red)

  • Reconnecting (orange)

Static Routes and SD-WAN

When SD-WAN is enabled on the appliance (this is the default), SD-WAN routing decision takes priority over all static routes (configured in the Device view > the Advanced Routing section > the Routing Table page) that send traffic through Internet Connections.

This is the default SD-WAN configuration:

  1. The SD-WAN blade is enabled.

  2. Each Internet connection is enabled for SD-WAN.

If you do not want to use SD-WAN, then to send traffic through Internet Connections based on the configured static routes, follow one of these options:

  • Disable the SD-WAN blade:

    Note - This completely disables SD-WAN on the appliance.

    1. Click the Access Policy view > in the Firewall section, click the SD-WAN page.

    2. At the top of the page, move the slider to the left position (near the text "SD-WANblade is enabled").

  • In each specific Internet connection, clear the option This Internet connection will be a part of SD-WAN:

    Note - Use this option to disable SD-WAN only in a specific interface and keep using SD-WAN with other interfaces.

    1. Click the Device view > in the Network section, click the Internet page.

    2. Select the Internet connection and click Edit.

    3. Go to the right tab Advanced.

    4. Expand the last section SD-WAN Settings.

    5. Clear the option This Internet connection will be a part of SD-WAN.