Forcepoint Routing And Switching
Routing configuration
Use the Configuration > Routing page to specify:
- Static routes from subnets and client computers through any active appliance interface, except N. If IPv6 is enabled, static IPv6 routes can also be added and imported.
- Module routes from appliance modules through appliance interface C to subnets. IPv6 module routes are not supported.
Configuring static routes
- Static routes can be specified for any active interface on the appliance, except N, which is dedicated to Network Agent and cannot be routed.
- The same route cannot be added for 2 different interfaces on the same module. If this operation is attempted, the appliance displays an error.
- Static routes that are defined for an interface that is later made inactive remain in the routing table, and are displayed in gray to indicate that the routes are inactive.
- Static routes that become invalid because the IP address of the interface changes are disabled and displayed in red.
- Static routes can be added and deleted, but not modified. To modify a route, delete it and add a new route specifying the new values.
- When a static route is added, imported, or deleted, the services associated with the module that manage the specified interface must be restarted. For example, if static routes are added to interface P1, when the additions are complete, all Content Gateway services must be restarted.
- The static route table has a maximum limit of 5000 entries.
Adding static routes
Static routes can be added one at a time, or many at a time using an import file.
When a static route is added, data entered in each field is validated by the appliance, and an error message is displayed if there is an inconsistency in the route.
To add static routes:
1. Go to the Configuration > Routing page, select the IPv4 or IPv6 tab, and click Add/Import under Static Routes.
2. To manually add a single route, select the Add individual route radio button, enter values for all fields, and then click Add Route.
Destination Network | Required. Specify the subnet IP address for which traffic will be routed. |
Subnet Mask (IPv4) or Subnet prefix length (IPv6) | Required. The subnet mask or prefix for the network where the clients reside (such as 255.255.0.0, or 64). |
Gateway | Required. IP address providing access from the proxy subnet to the client subnet. This address must be on the same subnet as the appliance. |
Interface | Required. The appliance interface to be used for the static route. Only active interfaces are offered in the drop down list. |
To add multiple routes using an import list file:
- Prepare the import file. See Import file specifications, below.
- Select the Import route file radio button.
- Specify the full path and file name, or Browse to locate the file. Click Import Route to import the routes specified in the file.
The appliance reads the file, validates each route, and reports errors for lines that are invalid.
Duplicate route entries are ignored; duplicate entries are not created.
If the number of routes in the file, combined with the number of existing routes, exceeds the 5000 route table limit, the import fails. No routes are added and an error message displays.
Import file specifications:
1. The file must be a plain text file. (Most routers export route tables to a plain text file.)
2. The file can contain comment lines. Comment lines begin with “#”.
3. A line that defines a route must include the following 4 fields in the order shown. Each field must be separated by a space.
For IPv4:
- destination netmask default-gateway interface
- Destination is a subnet address or host IP address.
- Netmask determines the proper value of destination.
- Default-gateway is the next hop.
- Interface is the appliance interface through which traffic is routed. The specified interface must be enabled. If it is disabled, the appliance reports an error and does not add the route.
For IPv6:
- destination prefix-length default-gateway interface
- Destination is a subnet address or host IP address.
- Prefix-length determines the proper value of destination.
- Default-gateway is the next hop.
- Interface is the appliance interface through which traffic is routed. The specified interface must be enabled. If it is disabled, the appliance reports an error and does not add the route.
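An added example, not Forcepoint code: a pre-check for an import file in the format specified above, so that bad lines are caught before the import is attempted. It handles both the IPv4 and IPv6 line layouts. The function name, the sample addresses, and the skipping of blank lines are assumptions; the appliance's own validation on import remains authoritative.

```python
import ipaddress

MAX_ROUTES = 5000  # static route table limit stated on this page

def lint_routes(text, active_ifaces, existing=0):
    """Pre-check an import file; returns (routes, errors).
    errors holds (line_number, message); line 0 means the whole file."""
    routes, errors, seen = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank lines skipped: assumption
            continue
        fields = line.split(" ")              # exactly one space between fields
        if len(fields) != 4 or "" in fields:
            errors.append((n, "expected 4 space-separated fields"))
            continue
        dest, mask, gw, iface = fields
        try:
            # strict=True rejects a destination that disagrees with its mask
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
            hop = ipaddress.ip_address(gw)
        except ValueError as exc:
            errors.append((n, str(exc)))
            continue
        if net.version == 4 and "." not in mask:
            errors.append((n, "IPv4 lines take a dotted netmask"))
        elif hop.version != net.version:
            errors.append((n, "gateway and destination address families differ"))
        elif iface == "N":
            errors.append((n, "interface N cannot be routed"))
        elif iface not in active_ifaces:
            errors.append((n, f"interface {iface} is not enabled"))
        elif (net, hop, iface) not in seen:   # duplicate entries are ignored
            seen.add((net, hop, iface))
            routes.append((net, hop, iface))
    if existing + len(routes) > MAX_ROUTES:
        errors.append((0, "import would exceed the 5000-route limit"))
    return routes, errors

# Constructed sample file (addresses are illustrative, not from the page).
SAMPLE = """\
# constructed sample
10.1.0.0 255.255.0.0 192.168.1.1 P1
10.1.0.0 255.255.0.0 192.168.1.1 P1
10.2.3.4 255.255.0.0 192.168.1.1 P1
10.3.0.0 255.255.0.0 192.168.1.1 N
10.5.0.0 255.255.0.0 192.168.1.1 E2
"""
ROUTES, ERRORS = lint_routes(SAMPLE, active_ifaces={"C", "P1"})
```

On the sample, line 3 is dropped as a duplicate, line 4 fails because the destination has host bits set for its netmask, line 5 names interface N, and line 6 names an interface that is not in the enabled set.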
Exporting the route table
- To export the route table to a text file, click Export Table. Use the Browse dialog to specify a location and name for the file.
- All routes in the table, whether enabled or disabled, are exported.
- The file is formatted as described above for import files.
Configuring module routes
- In some deployments it is necessary or desirable to route some Web Security or Email Security traffic through the appliance C interface (typically web and email traffic is routed through separate, dedicated interfaces [P1/P2, E1/E2] and C is reserved for management traffic). However, some sites might want to route authentication (or other) traffic through the C interface. This is accomplished by defining module routes on the Configuration > Routing page.
The module route table has a maximum limit of 5000 entries.
Adding a module route
1. In the Module Route section of the Configuration > Routing page, click Add.
2. Specify a value for each field and click Add Route.
Module | Required. Select a module from the drop down list. The list displays only modules installed on the appliance. The Network Agent module may be installed, but will not appear in the list. |
Destination subnet | Required. Specify the subnet IP address for which traffic will be routed. |
Subnet mask | Required. The subnet mask for the destination subnet. |