Route Policies

All Policies displays all the routing policies including Custom Policies and Default Policies. Initially, only the Default Policies are displayed in the Route Policies table when you select All Policies from the View Style menu.

The Route Policies table provides easy pagination for viewing a large number of routing policies. You can navigate a large number of routing policies listed in the Route Policies table by using the navigation control bar located at the top right of the Route Policies table. Navigation control bar includes four buttons. The far left button displays the first page of the table. The far right button displays the last page. The inside left and right arrow buttons moved the previous or next page respectively.

You can enter the policy number (the number listed before the policy name in the # Name column) in the Items field to move to a specific routing policy. The default table configuration displays 50 entries per page. You can change this default number of entries for tables on the System > Administration page.

You can sort the entries in the table by clicking on the column header. The entries are sorted by ascending or descending order. The arrow to the right of the column entry indicates the sorting status. A down arrow means ascending order. An up arrow indicates a descending order.

Static Route Configuration

In SonicOS, a static route is configured through a basic route policy.

To configure a static route, complete the following steps:

Scroll to the bottom of the Network > Routing page.

Click on the Add button. The Add Route Policy dialog displays.

From the Source drop-down menu, select the source address object for the static route, or select Create new address object to dynamically create a new address object. The default is Any.

From the Destination drop-down menu, select the destination address object. The default is Any.

From the Service drop-down menu, select a service object. For a generic static route that allows all traffic types, simply select Any (the default).

From the Gateway drop-down menu, select the gateway address object to be used for the route. The default is 0.0.0.0.

From the Interface drop-down menu, select the interface to be used for the route.

Enter the Metric for the route. The default metric for static routes is one (1). For more information on metrics, see Policy Based Routing .

(Optional) Enter a Comment for the route. This field allows you to enter a descriptive comment for the new static route policy.

(Optional) Select the Disable route when the interface is disconnected checkbox to have the route automatically disabled when the interface is disconnected. This option is selected by default.

(Optional) The Allow VPN path to take precedence option allows you to create a backup route for a VPN tunnel. This option is not selected by default.

By default, static routes have a metric of 1 and take precedence over VPN traffic. The Allow VPN path to take precedence option gives precedence over the route to VPN traffic to the same destination address object. This results in the following behavior when a VPN tunnel:

•

Is active: static routes matching the destination address object of the VPN tunnel are automatically disabled if the Allow VPN path to take precedence option is enabled. All traffic is routed over the VPN tunnel to the destination address object.

•

Goes down: static routes matching the destination address object of the VPN tunnel are automatically enabled. All traffic to the destination address object is routed over the static routes.

To permit WAN acceleration, select the Permit Acceleration checkbox. This option is not selected by default.

The Probe, Disable route when probe succeeds, and Probe default state is UP options configure Probe-Enabled Policy Based Routing. See Probe-Enabled Policy Based Routing Configuration for information on their configuration.

Click OK to add the route.

Probe-Enabled Policy Based Routing Configuration

When configuring a static route, you can optionally configure a Network Monitor policy for the route. When a Network Monitor policy is used, the static route is dynamically disabled or enabled, based on the state of the probe for the policy.

To configure probe-enabled, policy-based routing, follow these steps:

In the Add Route Policy dialog, configure the static route as described in Static Route Configuration .

In the Probe drop-down menu, select the appropriate Network Monitor object or select Create New Network Monitor object… to dynamically create a new object. For more information, see Network > Network Monitor . The default is None.

Typical configurations do not check the Disable route when probe succeeds checkbox, because typically administrators want to disable a route when a probe to the route’s destination fails. This option gives you added flexibility for defining routes and probes.

Select the Probe default state is UP to have the route consider the probe to be successful (that is, in the UP state) when the attached Network Monitor policy is in the UNKNOWN state. This is useful to control the probe-based behavior when a unit of a High Availability pair transitions from IDLE to ACTIVE, because this transition sets all Network Monitor policy states to UNKNOWN.

Click OK to apply the configuration.

A Route Policy Example

The following example walks you through creating a route policy for two simultaneously active WAN interfaces. For this example, a secondary WAN interface needs to be setup on the X3 interface and configured with the settings from your ISP. Next, configure the security appliance for load balancing by checking the Enable Load Balancing on the Network > WAN Failover & LB page. For this example, choose Per Connection Round-Robin as the load balancing method in the Network > WAN Failover & LB page. Click Accept to save your changes on the Network > WAN Failover & LB page.

Click the Add button under the Route Policies table. The Add Route Policy dialog displays.


	NOTE: Do not enable the Allow VPN path to take precedence option for these routing policies. The Allow VPN path to take precedence option gives precedence over the route to VPN traffic to the same destination address object. This option is used for configuring static routes as backups to VPN tunnels. See Static Route Configuration for more information.

Create a routing policy that directs all LAN Subnet sources to Any destinations for HTTP service out of the X1 Default Gateway via the X1 interface :

Select these settings from the Source, Destination, Service, Gateway and Interface drop-down menus respectively.

Use the default 1 in the Metric field.

Enter force http out primary in the Comment field.

Click OK.

Create a second routing policy that directs all LAN Subnet sources to Any destinations for Telnet service out of the X3 Default Gateway via the X3 interface:

Selecting these settings from the Source, Destination, Service, Gateway and Interface drop-down menus respectively.

Use the default 1 in the Metric field.

Enter force telnet out backup into the Comment field.

Click OK.

These two policy-based routes force all sources from the LAN subnet to always go out the primary WAN when using any HTTP-based application, and forces all sources from the LAN subnet to always go out the backup WAN when using any Telnet-based application.

To test the HTTP policy-based route from a computer attached to the LAN interface:

Access the public Web sites http://www.whatismyip.com and http://whatismyip.everdot.org. Both sites display the primary WAN interface’s IP address and not the secondary WAN interface.

To test the Telnet policy-based route, telnet to route-server.exodus.net:

When logged in, issue the who command. It displays the IP address (or resolved FQDN) of the WAN IP address of the secondary WAN interface and not the primary WAN interface.