Getting started with routing

Routes to directly connected networks are automatically added according to the interfaces defined for each Secure SD-WAN Engine. You must manually add other routes or configure dynamic routing.

When the Secure SD-WAN Engine reads routing definitions, it selects the most specific route and antispoofing definition it finds for each packet. The Secure SD-WAN Engine:

  1. Checks if there is a route defined for the specific destination IP address of the packet (Host elements).
  2. Checks routes to the defined networks (Network elements).
  3. Uses the default route (the Any network element) if no other route matches the packet’s destination address. The default route typically leads to the Internet if the site has Internet access.

If there are overlapping definitions, the more specific one is considered first.

Engines

You must add the default route and routes through next-hop gateways to networks that are not directly connected to the Secure SD-WAN Engine.

IPS engines and Layer 2 Engines

The routing information for IPS engines and Layer 2 Engines is only used for system communications; the inspected traffic is not routed. Inline interfaces are always fixed as port pairs: traffic that enters through one port is automatically forwarded to the other port. For Secure SD-WAN Engines in the IPS and Layer 2 Engine roles, you only need to add a default route, or routes to internal networks that are not directly connected to the engine, if one or more SMC components are not directly connected and cannot be reached through the default gateway.

Master Secure SD-WAN Engines and Virtual Secure SD-WAN Engines

Master Secure SD-WAN Engines proxy all communication between Virtual Secure SD-WAN Engines and other SMC components. You do not need to configure routing for Virtual Engines, Virtual IPS engines, or Virtual Layer 2 Engines in order for them to be managed by the SMC.

Antispoofing

Spoofing an IP address means using the IP address of a legitimate (internal) host to gain access to protected resources. The antispoofing configuration is automatically generated based on the routing information of Secure SD-WAN Engines. By default, connection attempts with a source IP address from a certain internal network are only allowed through if they are coming from the correct interface as defined in the routing configuration. As the routing entry is needed for the communications to work, antispoofing rarely needs additional modifications. For more information, see the Forcepoint FlexEdge Secure SD-WAN Product Guide.
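The following is an added illustration, not code from the Secure SD-WAN Engine or the SMC, of the two rules described above: most-specific route selection (Host element, then Network element, then the Any network as default route) and an antispoofing check derived from that routing table, where a packet is accepted only if it arrives on the interface through which its source network is reached. The routing table, interface names and addresses are constructed sample values, and the antispoofing model is a simplification of the product's behaviour.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

@dataclass(frozen=True)
class Route:
    # Host element = /32 prefix, Network element = any other prefix,
    # the Any network element = 0.0.0.0/0 (default route)
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None   # None means the network is directly connected

# Constructed sample routing table (hypothetical interfaces and addresses)
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "eth0", "203.0.113.1"),    # default route towards the Internet
    Route(ipaddress.ip_network("10.1.0.0/16"), "eth1"),                 # directly connected internal network
    Route(ipaddress.ip_network("10.2.0.0/16"), "eth1", "10.1.0.254"),   # internal network behind a next-hop router
    Route(ipaddress.ip_network("10.2.5.7/32"), "eth2", "192.168.1.1"),  # host route: more specific than 10.2.0.0/16
]

def select_route(dst: str, routes: List[Route] = ROUTES) -> Route:
    """Pick the most specific matching route: a host route (/32) beats a
    network route, which beats the default route (/0)."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r.prefix]
    # The default route matches every address, so there is always a candidate;
    # the longest prefix length is the most specific definition.
    return max(candidates, key=lambda r: r.prefix.prefixlen)

def antispoofing_allows(src: str, ingress: str, routes: List[Route] = ROUTES) -> bool:
    """Antispoofing derived from routing: a packet claiming a given source
    address is accepted only if it arrives on the interface that routes to
    that address. Addresses covered only by the default route are treated as
    external and must arrive on the default route's interface."""
    expected = select_route(src, routes).interface
    return ingress == expected

if __name__ == "__main__":
    print(select_route("10.2.5.7").interface)           # eth2 (host route wins)
    print(select_route("10.2.9.9").gateway)             # 10.1.0.254 (network route)
    print(select_route("8.8.8.8").interface)            # eth0 (default route)
    # An internal source address arriving from the Internet side is dropped
    print(antispoofing_allows("10.1.3.3", "eth0"))      # False
```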

Elements used to configure routing

  • Network elements represent a group of IP addresses.
  • Router elements represent next-hop routers.
  • NetLink elements are used for configuring Multi-Link routing. For more information, see the Forcepoint FlexEdge Secure SD-WAN Product Guide.

Aggregated interfaces work together as a single logical interface. For aggregated interfaces in load-balancing mode, make sure that the connected switch supports the link aggregation control protocol (LACP), and that LACP is configured on the switch.