Configure a Logical Router (SCM)

1. Log in to Strata Cloud Manager.
2. Select ManageConfigurationNGFW and Prisma AccessDevice SettingsRoutingLogical RoutersConfigurationNGFW and Prisma AccessDevice SettingsRoutingRouters and select the Configuration Scope where you want to create the logical router.

   You can select a folder or firewall from your Folders or select Snippets to configure the logical router in a snippet.

   The number of logical routers supported varies based on the firewall model. If you create multiple logical routers for a folder or snippet, verify that the firewalls associated with the folder or snippet support the number of logical routers you configure.
3. Add Router.
4. Enter a descriptive Name.

   A maximum of 31 characters are supported. The name must start with an alphanumeric character, underscore (_), or hyphen (-) and can contain a combination of alphanumeric characters, underscore (_), or hyphen (-). A dot (.) or space isn’t supported.
5. (Optional) Configure Equal Cost Multiple Path (ECMP) processing.

   Enabling this setting enables the firewall to use up to four equal-cost routes to the same destination.

   1. Enable ECMP.
   2. Set the ECMP Max Path to specify the maximum number of equal-cost paths that can be copied from the RIB to the FIB.

      Default is 2. 2, 3, or 4 are supported.
   3. Enable Symmetric Return of packets from server to client.

      Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send return packets, rather than use the ECMP interface. The Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.
   4. Enable Strict Source Path o ensure that IKE and IPSec traffic originating at the firewall egresses the physical interface to which the source IP address of the IPSec tunnel belongs.

      When you enable ECMP, IKE and IPSec traffic originating at the firewall by default egresses an interface that an ECMP load-balancing method determines. Alternatively, you can ensure that IKE and IPSec traffic originating at the firewall always egresses the physical interface to which the source IP address of the IPSec tunnel belongs, by enabling Strict Source Path. You would enable this function when the firewall has more than one ISP providing equal-cost paths to the same destination. ISPs typically perform a reverse Path Forwarding (RPF) check (or a different check to prevent IP address spoofing) to confirm that traffic is egressing the same interface on which it arrived. Because ECMP would choose an egress interface based on the configured ECMP method (instead of choosing the source interface as the egress interface), that wouldn’t be what the ISP expects and the ISP could block legitimate return traffic. In this case, enable Strict Source Path so that the firewall uses the egress interface that is the interface to which the source IP address of the IPSec tunnel belongs, the RPF check succeeds, and the ISP allows the return traffic.
   5. Specify the load-balance Action for the logical router.

      • Balanced Round Robin (default)—Uses round-robin among the ECMP paths and rebalances paths when the number of paths changes.
      • IP Hash—Use a hash of the source and destination IP addresses to determine which ECMP route to use.
        If you select this option, can select to Use Source Address Only and Use Source/Destination port for hash.
      • IP Modulo—Uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
      • Weighted Round Robin—Uses round-robin and a relative weight to select from among ECMP paths.
6. Add an Interface.

   Repeat this step to add as many Layer 3, loopback, and tunnel interfaces as needed.
7. Save.