Getting started with routing

To understand how the NGFW Engine reads routing definitions, start with the network interfaces that appear in the routing and antispoofing configurations.

The SMC automates most of the routing and antispoofing configuration. Much of the configuration is generated automatically based on the IP addresses of the network interfaces.

The Routing pane in the Engine Editor shows the interfaces and a Network element for each network that is directly connected to the NGFW Engine. The routing information is stored on the Management Server. The Network is created based on the IP addresses that you define for each interface.

Use the Display Mode menu at the top of the pane to switch between the traditional tree view and a simple table view where IPv4 and IPv6 routes are shown in separate tables.

In the Routing Tools pane, you can view and create default routes on the Default Route tab, add simple routes on the Add Route tab, or check where packets with a certain IP address are routed on the Query Route tab. To add routes, we recommend using the right-click menu in the tree view.

Routing decisions are made for each packet by matching from the most specific route definition to the most general. For packets subject to address translation or VPN tunneling, routing is always done after NAT or tunneling is applied using the translated IP addresses.

When the NGFW Engine reads routing definitions, it selects the most specific route and antispoofing definition it finds for each packet. The NGFW Engine:

  1. Checks if there is a route defined for the specific destination IP address of the packet (Host elements).
  2. Checks routes to the defined networks (Network elements).
  3. Uses the default route (the Any network element) if no other route matches the packet’s destination address. The default route typically leads to the Internet if the site has Internet access.

If there are overlapping definitions, the more specific one is considered first.
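The lookup order above (Host element, then Network element, then the Any default route) is a longest-prefix match: the route with the most specific prefix wins. The following Python script is an added illustration, not code from the SMC or the NGFW Engine. The route table, NAT rule, interface names and next hops are constructed sample data; the `query_route` function mimics what the Query Route tab reports, `route_after_nat` shows that routing uses the translated destination, and `antispoofing_ok` shows the assumed reverse-path style check that an antispoofing definition derived from routing performs (the source address must be reachable via the interface the packet arrived on).

```python
import ipaddress

# Constructed routing table modelled on the entries the Routing pane shows:
# (destination, next hop, interface). "Any" is the 0.0.0.0/0 default route.
ROUTES = [
    ("0.0.0.0/0", "198.51.100.1", "Interface 0"),     # default route (Any network element)
    ("10.0.0.0/8", "10.1.0.1", "Interface 1"),        # Network element via a router
    ("10.1.2.0/24", None, "Interface 2"),             # directly connected Network
    ("10.1.2.77/32", "10.1.2.254", "Interface 2"),    # Host element (most specific)
]

# Constructed destination NAT rule: public address -> internal host.
NAT_RULES = {"203.0.113.10": "10.1.2.77"}


def parse_routes(routes):
    """Parse the table and order it longest prefix first, so the first
    match found is always the most specific definition."""
    parsed = [(ipaddress.ip_network(dst, strict=True), nh, iface)
              for dst, nh, iface in routes]
    return sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)


def query_route(dst_ip, routes=ROUTES):
    """Return the most specific route for dst_ip (host, then network,
    then default), or None if no route, not even a default, matches."""
    ip = ipaddress.ip_address(dst_ip)
    for net, next_hop, iface in parse_routes(routes):
        # IPv4 and IPv6 routes live in separate tables; never mix versions.
        if ip.version == net.version and ip in net:
            return {"route": str(net), "next_hop": next_hop, "interface": iface}
    return None


def route_after_nat(dst_ip, nat_rules=NAT_RULES, routes=ROUTES):
    """Routing is decided after NAT, so translate first and then look up
    the translated destination. Returns (translated_ip, route)."""
    translated = nat_rules.get(dst_ip, dst_ip)
    return translated, query_route(translated, routes)


def antispoofing_ok(src_ip, arrival_iface, routes=ROUTES):
    """Assumed antispoofing rule: accept the source address only if the most
    specific route for it points back out the interface the packet came in on."""
    match = query_route(src_ip, routes)
    return match is not None and match["interface"] == arrival_iface


if __name__ == "__main__":
    for dst in ("10.1.2.77", "10.1.2.5", "10.9.9.9", "203.0.113.10"):
        print(dst, "->", query_route(dst))
    print("after NAT:", route_after_nat("203.0.113.10"))
    print("spoof check:", antispoofing_ok("10.1.2.5", "Interface 2"),
          antispoofing_ok("10.1.2.5", "Interface 0"))
```

Note that the host route for 10.1.2.77 is chosen even though both 10.1.2.0/24 and 10.0.0.0/8 also contain that address, and that the packet addressed to 203.0.113.10 is routed towards the internal host only because NAT is applied before the route lookup.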