Adding routes for Master Engines and Virtual Engines
The need to configure routing can change depending on the role of the Engine and the types of interfaces that have been configured.
Basic routing information for networks directly connected to Master Engines and Virtual Firewalls is added automatically to both routing and antispoofing based on the IP addresses that you have defined for the interfaces. You must add a default route and any routes through next-hop gateways to networks that are not directly connected to the Master Engine or Virtual Firewall.
On Master Engines, routing and antispoofing can only be configured for the Master Engine’s system communications interfaces. No routes have to be defined if a Master Engine communicates only in its local IP network.
On Master Engines that host Virtual Firewalls, you can only add routes to interfaces that have IP addresses. Routing and antispoofing for Virtual Firewalls are configured in the same way as for Single Firewalls.
On Master Engines that host Virtual IPS engines or Virtual Layer 2 Firewalls, you can only add routes to Normal Interfaces that have IP addresses. It is not possible to add routes to Capture Interfaces or Inline Interfaces on Master Engines that host Virtual IPS engines or Virtual Layer 2 Firewalls.
Virtual IPS engines and Virtual Layer 2 Firewalls do not communicate directly with other Secure SD-WAN Manager components. You cannot configure routing for Virtual IPS engines and Virtual Layer 2 Firewalls.
To transfer changes to the routing or antispoofing for a Master Engine, you must refresh the policy on the Master Engine. To transfer changes to the routing or antispoofing for a Virtual Engine, you must refresh the policy on the Virtual Engine.
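The following added example is a simplified planning model, not code from the product or its documentation. It shows how directly connected networks and manually added routes populate both routing and antispoofing, and why a missing default route causes traffic to be dropped. The interface IDs, addresses, and the most-specific-match evaluation are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: interface IDs and addresses are illustrative only.
INTERFACES = {
    "0": ipaddress.ip_interface("192.0.2.1/24"),
    "1": ipaddress.ip_interface("198.51.100.1/24"),
}
# Routes an administrator adds manually: (destination, next-hop gateway).
STATIC_ROUTES = [
    ("0.0.0.0/0", "192.0.2.254"),          # default route
    ("203.0.113.0/24", "198.51.100.254"),  # remote network behind a gateway
]

def build_tables(interfaces, static_routes):
    """Return (routing, antispoofing) dicts keyed by interface ID."""
    # Directly connected networks are derived from the interface addresses.
    routing = {i: [(a.network, None)] for i, a in interfaces.items()}
    for dest, gw in static_routes:
        gw_ip = ipaddress.ip_address(gw)
        # A next-hop gateway must sit on a directly connected network.
        owner = next((i for i, a in interfaces.items() if gw_ip in a.network), None)
        if owner is None:
            raise ValueError(f"gateway {gw} is not on a directly connected network")
        routing[owner].append((ipaddress.ip_network(dest), gw_ip))
    # Antispoofing mirrors routing: the networks reachable through an
    # interface are the source networks expected to arrive on it.
    antispoofing = {i: [net for net, _ in entries] for i, entries in routing.items()}
    return routing, antispoofing

def source_allowed(antispoofing, iface, src):
    """Accept src on iface only if the most specific matching network
    (an assumption of this model) is listed under that interface."""
    ip = ipaddress.ip_address(src)
    matches = [(net.prefixlen, i) for i, nets in antispoofing.items()
               for net in nets if ip in net]
    if not matches:
        return False  # no route and no default route: treated as spoofed
    best = max(prefix for prefix, _ in matches)
    return any(prefix == best and i == iface for prefix, i in matches)

if __name__ == "__main__":
    _, anti = build_tables(INTERFACES, STATIC_ROUTES)
    for iface, src in [("0", "192.0.2.50"), ("0", "203.0.113.7"), ("1", "203.0.113.7")]:
        print(iface, src, "accept" if source_allowed(anti, iface, src) else "drop")
```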