Configure a Logical Router

Log in to
Strata Cloud Manager
.
Select
Manage
Configuration
Device Settings
Routing
Logical Routers
and select the Configuration Scope where you want to create the logical router.
You can select a folder or firewall from your
Folders
or select
Snippets
to configure the logical router in a snippet.
The number of logical routers supported varies based on the firewall model. If you create multiple logical routers for a folder or snippet, verify that the firewalls associated with the folder or snippet support the number of logical routers you configure.
Add Router
.
Enter a descriptive
Name
.
A maximum of 31 characters are supported. The name must start with an alphanumeric character, underscore (
_
), or hyphen (
-
) and can contain a combination of alphanumeric characters, underscore (
_
), or hyphen (
-
). A dot (
.
) or space isn’t supported.
(
Optional
) Configure Equal Cost Multiple Path (ECMP) processing.
Enabling this setting enables the firewall to use up to four equal-cost routes to the same destination.
Enable
ECMP.
Set the
ECMP Max Path
to specify the maximum number of equal-cost paths that can be copied from the RIB to the FIB.
Default is
2
.
2
,
3
, or
4
are supported.
Enable
Symmetric Return
of packets from server to client.
Select Symmetric Return to cause return packets to egress out the same interface on which the associated ingress packets arrived. That is, the firewall will use the ingress interface on which to send return packets, rather than use the ECMP interface. The Symmetric Return setting overrides load balancing. This behavior occurs only for traffic flows from the server to the client.
Enable
Strict Source Path
o ensure that IKE and IPSec traffic originating at the firewall egresses the physical interface to which the source IP address of the IPSec tunnel belongs.
When you enable ECMP, IKE and IPSec traffic originating at the firewall by default egresses an interface that an ECMP load-balancing method determines. Alternatively, you can ensure that IKE and IPSec traffic originating at the firewall always egresses the physical interface to which the source IP address of the IPSec tunnel belongs, by enabling Strict Source Path. You would enable this function when the firewall has more than one ISP providing equal-cost paths to the same destination. ISPs typically perform a reverse Path Forwarding (RPF) check (or a different check to prevent IP address spoofing) to confirm that traffic is egressing the same interface on which it arrived. Because ECMP would choose an egress interface based on the configured ECMP method (instead of choosing the source interface as the egress interface), that wouldn’t be what the ISP expects and the ISP could block legitimate return traffic. In this case, enable Strict Source Path so that the firewall uses the egress interface that is the interface to which the source IP address of the IPSec tunnel belongs, the RPF check succeeds, and the ISP allows the return traffic.
Specify the load-balance
Action
for the logical router.
Balanced Round Robin
(default)—Uses round-robin among the ECMP paths and rebalances paths when the number of paths changes.
IP Hash
—Use a hash of the source and destination IP addresses to determine which ECMP route to use.
If you select this option, can select to
Use Source Address Only
and
Use Source/Destination port for hash
.
IP Modulo
—Uses a hash of the source and destination IP addresses in the packet header to determine which ECMP route to use.
Weighted Round Robin
—Uses round-robin and a relative weight to select from among ECMP paths.
Add
an
Interface
.
Repeat this step to add as many Layer 3, loopback, and tunnel interfaces as needed.
Save
.