Getting started with routing

Routes to directly connected networks are automatically added according to the interfaces defined for each NGFW Engine. You must manually add other routes or configure dynamic routing.

When the NGFW Engine reads routing definitions, it selects the most specific route and antispoofing definition it finds for each packet. The NGFW Engine:

  1. Checks if there is a route defined for the specific destination IP address of the packet (Host elements).
  2. Checks routes to the defined networks (Network elements).
  3. Uses the default route (the Any network element) if no other route matches the packet’s destination address. The default route typically leads to the Internet if the site has Internet access.

If there are overlapping definitions, the more specific one is considered first.

Firewalls

You must add the default route and routes through next-hop gateways to networks that are not directly connected to the NGFW Engine.

IPS engines and Layer 2 Firewalls

The routing information for IPS engines and Layer 2 Firewalls is only used for system communications. The inspected traffic is not routed. Inline interfaces are always fixed as port pairs: traffic that enters through one port is automatically forwarded to the other port. For NGFW Engines in the IPS and Layer 2 Firewall roles, you only need to add a default route or additional routes if one or more SMC components are not directly connected and cannot be reached through the default gateway. If needed, you can add the default route and routes to internal networks that are not directly connected to the IPS or Layer 2 Firewall if the networks cannot be reached through the default gateway.

Master NGFW Engines and Virtual NGFW Engines

Master NGFW Engines proxy all communication between Virtual NGFW Engines and other SMC components. You do not need to configure routing for Virtual Firewalls, Virtual IPS engines, or Virtual Layer 2 Firewalls in order for them to be managed by the SMC.

Antispoofing

Spoofing an IP address means using the IP address of a legitimate (internal) host to gain access to protected resources. The antispoofing configuration is automatically generated based on the routing information of NGFW Engines. By default, connection attempts with a source IP address from a certain internal network are only allowed through if they are coming from the correct interface as defined in the routing configuration. As the routing entry is needed for the communications to work, antispoofing rarely needs additional modifications. For more information, see the Forcepoint Next Generation Firewall Product Guide.

Elements used to configure routing

  • Network elements represent a group of IP addresses.
  • Router elements represent next-hop routers.
  • NetLink elements are used for configuring Multi-Link routing. For more information, see the Forcepoint Next Generation Firewall Product Guide.

When interfaces are aggregated as one interface, those interfaces work together as a single interface. For aggregated interfaces in load-balancing mode, make sure that the connected switch supports the link aggregation control protocol (LACP), and that LACP is configured on the switch.