Adding routes for Master NGFW Engines and Virtual NGFW Engines

The need to configure routing can change depending on the role of the NGFW Engine and the types of interfaces that have been configured.

Basic routing information for networks directly connected to Master NGFW Engines and Virtual Firewalls is added automatically to both routing and antispoofing based on the IP addresses that you have defined for the interfaces. You must add a default route and any routes through next-hop gateways to networks that are not directly connected to the Master NGFW Engine or Virtual Firewall.

On Master NGFW Engines, routing and antispoofing can only be configured for the Master NGFW Engine’s system communications interfaces. No routes have to be defined if a Master NGFW Engine communicates only in its local IP network.

On Master NGFW Engines that host Virtual Firewalls, you can only add routes to interfaces that have IP addresses. Routing and antispoofing for Virtual Firewalls are configured in the same way as for Single Firewalls.

On Master NGFW Engines that host Virtual IPS engines or Virtual Layer 2 Firewalls, you can only add routes to Normal Interfaces that have IP addresses. It is not possible to add routes to Capture Interfaces or Inline Interfaces on Master NGFW Engines that host Virtual IPS engines or Virtual Layer 2 Firewalls.

Virtual IPS engines and Virtual Layer 2 Firewalls do not communicate directly with other SMC components. You cannot configure routing for Virtual IPS engines and Virtual Layer 2 Firewalls.

To transfer changes to the routing or antispoofing for a Master NGFW Engine, you must refresh the policy on the Master NGFW Engine. To transfer changes to the routing or antispoofing for a Virtual NGFW Engine, you must refresh the policy on the Virtual NGFW Engine.
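The following is an added example, not part of the product documentation and not SMC code. It is a planning check that applies the rules above to a list of intended routes before you enter them. The role labels, the dictionary layout, and the sample addresses are constructed for illustration, and the requirement that a next-hop gateway sits in the interface's own network is an assumption based on ordinary IP routing.

```python
import ipaddress

# Constructed sample: interfaces of a Master NGFW Engine that hosts Virtual IPS engines.
INTERFACES = [
    {"id": 0, "type": "normal", "address": "192.0.2.10/24"},
    {"id": 1, "type": "capture", "address": None},
    {"id": 2, "type": "inline", "address": None},
]
NO_ROUTING_ROLES = {"virtual_ips", "virtual_l2_firewall"}  # hypothetical role labels

def connected_networks(interfaces):
    """Networks that get routing and antispoofing entries automatically."""
    return {i["id"]: ipaddress.ip_interface(i["address"]).network
            for i in interfaces if i["address"]}

def check_route(role, interfaces, iface_id, destination, gateway):
    """Return the reasons a planned route breaks the rules above (empty list = OK)."""
    if role in NO_ROUTING_ROLES:
        return ["routing cannot be configured for this engine role"]
    problems = []
    iface = next(i for i in interfaces if i["id"] == iface_id)
    if not iface["address"]:
        problems.append("interface has no IP address")
    if role == "master_hosting_virtual_ips_or_l2fw" and iface["type"] != "normal":
        problems.append(f"{iface['type']} interface cannot carry routes on this Master")
    dest = ipaddress.ip_network(destination)
    nets = connected_networks(interfaces)
    if any(dest.subnet_of(n) for n in nets.values()):
        problems.append("destination is directly connected; route is added automatically")
    # Assumption: the next-hop gateway must sit in the interface's own network.
    net = nets.get(iface_id)
    if net is not None and ipaddress.ip_address(gateway) not in net:
        problems.append("gateway is not in the interface's connected network")
    return problems

if __name__ == "__main__":
    role = "master_hosting_virtual_ips_or_l2fw"
    plans = [
        (0, "0.0.0.0/0", "192.0.2.1"),          # default route through a next hop
        (1, "198.51.100.0/24", "192.0.2.1"),    # Capture Interface without an address
        (0, "192.0.2.128/25", "192.0.2.1"),     # already directly connected
        (0, "203.0.113.0/24", "198.51.100.1"),  # gateway outside the interface network
    ]
    for iface_id, dest, gw in plans:
        result = check_route(role, INTERFACES, iface_id, dest, gw)
        print(iface_id, dest, gw, "->", result or "OK")
```

A plan that returns an empty list still has to be transferred with a policy refresh on the engine it belongs to.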