Static Routes


The Routes configuration section describes the firewall’s routing table. Clavister Security Gateway uses a slightly different way of describing routes compared to most other systems. However, we believe that this way of describing routes is easier to understand, making it less likely for users to cause errors or breaches in security.

Route configuration

Routes are configured in the Routes configuration section located in the Routing folder.

General parameters

Interface – Specifies which interface packets destined for this route shall be sent through.

Network – Specifies the network address for this route. As mentioned previously, you can use both numerical addresses and symbolic network names.

Gateway – Specifies the IP address of the next router hop used to reach the destination network. If the network is directly connected to the firewall interface, no gateway address is specified.

Local IP Address – The IP address specified here will be automatically published on the corresponding interface. This address will also be used as the sender address in ARP queries. If no address is specified, the firewall’s interface IP address will be used.

Metric – Specifies the metric for this route.

Specifies the interface/interfaces on which the firewall shall publish this route via Proxy ARP.

One advantage of this form of notation is that you can specify a gateway for a particular route without having a route that covers the gateway’s IP address, or even when the route that covers the gateway’s IP address is normally routed via another interface.

The difference between this form of notation and the one most commonly used is that, in the common form, you do not specify the interface name in a separate column. Instead, you specify the IP address of each interface as a gateway.

Proxy ARP

The Proxy ARP page of the properties dialog box specifies on which interfaces the current route is to be published via Proxy ARP.

In essence, Proxy ARP has the same functionality as publishing ARP items, which may be done in the ARP configuration section.

The biggest difference here is that you can, in a simple manner, publish entire networks on one or more interfaces at the same time. Another, slightly less significant difference is that the firewall always publishes the addresses as belonging to the firewall itself; it is therefore not possible to publish addresses belonging to other hardware addresses.

Note: You cannot use Proxy ARP on a VPN interface.

Monitor

The Monitor page of the properties dialog box specifies whether this route should be monitored for route changes, such as the disappearance of the gateway. If that happens, the firewall will look for another matching route. If that route is on another interface, a Security/Transport Equivalent interface group needs to be defined in the rules.

Method

Monitor Interface Link Status - If the interface link status changes to down, the route will be marked as down.

Monitor Gateway Using ARP Lookup - If the next hop does not answer ARP lookups during a specified time, it will be marked as down.

For examples on how to configure route fail-over, see Route Fail-Over Scenarios.
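
The check below is an added example, not part of the Clavister documentation: it models routes with the interface, network, gateway and metric columns described above and reports monitored routes whose fail-over route is on a different interface, which is where a Security/Transport Equivalent interface group is needed. The selection order (narrowest covering network, then lowest metric), the Route class, and the sample interface names and addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    interface: str                  # interface the route sends packets through
    network: str                    # destination network of the route
    gateway: Optional[str] = None   # None = network is directly connected
    metric: int = 0
    monitored: bool = False         # route monitoring enabled

def backup_for(route, routes):
    """Return the route that would match if `route` were marked as down."""
    net = ipaddress.ip_network(route.network)
    others = [r for r in routes
              if r is not route and net.subnet_of(ipaddress.ip_network(r.network))]
    if not others:
        return None
    # Assumption: narrowest covering network wins, then the lowest metric.
    return min(others,
               key=lambda r: (-ipaddress.ip_network(r.network).prefixlen, r.metric))

def failover_findings(routes):
    """List monitored routes with no backup or a backup on another interface."""
    findings = []
    for r in routes:
        if not r.monitored:
            continue
        b = backup_for(r, routes)
        if b is None:
            findings.append((r.network, r.interface, None, "no fail-over route"))
        elif b.interface != r.interface:
            findings.append((r.network, r.interface, b.interface,
                             "needs equivalent interface group"))
    return findings

# Constructed sample routing table (documentation address ranges).
ROUTES = [
    Route("wan1", "0.0.0.0/0", "203.0.113.1", metric=10, monitored=True),
    Route("wan2", "0.0.0.0/0", "198.51.100.1", metric=20),
    Route("dmz", "192.0.2.0/24", monitored=True),
    Route("lan", "10.0.0.0/8", "10.0.0.254", monitored=True),
    Route("lan", "10.0.0.0/8", "10.0.0.253", metric=50),
]

if __name__ == "__main__":
    for finding in failover_findings(ROUTES):
        print(finding)
```

In the sample, the monitored `dmz` route would fall back to the default route on `wan1`, the kind of interface change worth reviewing before enabling monitoring.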