You can now use path monitoring so the firewall
removes static route table entries when the link connection fails
on the firewall interface to which the static route is assigned.
Without path monitoring, if a path failure occurs upstream from
the firewall, but the customer-premises equipment (CPE) keeps the
link artificially active, the firewall can’t detect the failure
and doesn’t update the static route in the route table; the firewall
blackholes the traffic.
To inform the firewall when a static
route is down, use static route removal based on path monitoring to
detect when the path to one or more monitored destinations has gone
down. The firewall can then reroute traffic using an alternative route.
The firewall performs path monitoring by sending ICMP
ping messages to one or more monitored destinations that you determine
are reliable and reflect the availability of the static route. If
pings to any (or all) of the monitored destinations fail, the firewall
considers the static route down too and removes it from the RIB
and FIB. The firewall selects an alternative static route to the
same destination from the RIB and places it in the FIB. The firewall
can reinstate a static route that has come back up, and then compare
metrics of routes to the same destination to decide which route
goes in the FIB.
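The behavior described above, as an added example that is not PAN-OS code and not taken from the original page: a small model of a firewall with two static default routes, where the primary route has monitored destinations and a failure condition of "any" or "all". Ping results and link states are constructed inputs (no real ICMP is sent), and the route names, interfaces, addresses and metrics are assumptions chosen for the example. It shows why the unmonitored route blackholes traffic when the CPE keeps the link up, how "any" and "all" differ, how a failed route leaves the RIB and the backup takes its place in the FIB, and how the primary route wins again on metric once its monitors recover.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    name: str
    destination: str            # prefix the route covers, e.g. "0.0.0.0/0"
    nexthop: str
    interface: str
    metric: int
    # Monitored destinations reachable only via this route (constructed for
    # the example). An empty tuple means path monitoring is disabled.
    monitored: tuple = ()
    # "any": route is down if pings to any monitored destination fail.
    # "all": route is down only if pings to every monitored destination fail.
    failure_condition: str = "any"


def route_is_down(route, ping_ok, link_up):
    """Decide whether the firewall should treat a static route as failed.

    ping_ok maps monitored destination -> True when its ICMP pings succeed.
    link_up maps interface name -> True when the interface link is up.
    """
    if not link_up.get(route.interface, True):
        return True                 # a link failure is always detected
    if not route.monitored:
        return False                # no path monitoring: link state is all we know
    failed = [d for d in route.monitored if not ping_ok.get(d, False)]
    if route.failure_condition == "any":
        return bool(failed)
    if route.failure_condition == "all":
        return len(failed) == len(route.monitored)
    raise ValueError(f"unknown failure condition {route.failure_condition!r}")


def build_rib_and_fib(routes, ping_ok, link_up):
    """Return (rib, fib).

    rib: names of the static routes still installed after path monitoring.
    fib: destination -> name of the route actually used for forwarding,
         i.e. the lowest-metric RIB route to that destination.
    """
    rib = [r for r in routes if not route_is_down(r, ping_ok, link_up)]
    fib = {}
    for r in sorted(rib, key=lambda r: r.metric):
        fib.setdefault(r.destination, r.name)
    return [r.name for r in rib], fib


# Constructed topology: two default routes out of two ISP-facing interfaces.
PRIMARY = StaticRoute("default-ispA", "0.0.0.0/0", "203.0.113.1", "ethernet1/1", 10,
                      monitored=("192.0.2.10", "192.0.2.20"), failure_condition="any")
PRIMARY_ALL = StaticRoute("default-ispA", "0.0.0.0/0", "203.0.113.1", "ethernet1/1", 10,
                          monitored=("192.0.2.10", "192.0.2.20"), failure_condition="all")
BACKUP = StaticRoute("default-ispB", "0.0.0.0/0", "198.51.100.1", "ethernet1/2", 20)
# Same primary path but with path monitoring disabled: the blackhole case.
UNMONITORED = StaticRoute("default-ispA-nomon", "0.0.0.0/0", "203.0.113.1", "ethernet1/1", 10)

LINKS_UP = {"ethernet1/1": True, "ethernet1/2": True}   # CPE keeps both links up
BOTH_OK = {"192.0.2.10": True, "192.0.2.20": True}
ONE_FAILED = {"192.0.2.10": False, "192.0.2.20": True}
BOTH_FAILED = {"192.0.2.10": False, "192.0.2.20": False}


def scenario(ping_ok, routes=(PRIMARY, BACKUP), link_up=LINKS_UP):
    return build_rib_and_fib(routes, ping_ok, link_up)


if __name__ == "__main__":
    print("healthy:        ", scenario(BOTH_OK))
    print("any, one failed:", scenario(ONE_FAILED))
    print("all, one failed:", scenario(ONE_FAILED, (PRIMARY_ALL, BACKUP)))
    print("all, both failed:", scenario(BOTH_FAILED, (PRIMARY_ALL, BACKUP)))
    # Upstream failure with the link still up and no monitoring: the route stays
    # in the FIB and traffic is blackholed.
    print("blackhole:      ", scenario(BOTH_FAILED, (UNMONITORED, BACKUP)))
```

Running the script prints the RIB and FIB for each scenario; the interesting rows are the "any, one failed" case, where the FIB switches to default-ispB, and the "blackhole" case, where the unmonitored route stays installed even though nothing behind it answers.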
Path monitoring is desirable to avoid blackholing:
- A static or default route.
- A static or default route redistributed into a routing protocol.
- A static or default route when one peer does not support
BFD. (The best practice is not to enable both BFD and path monitoring
for a single interface.)
- A static or default route instead of using PBF path monitoring,
which doesn't remove a failed static route from the RIB, FIB, or
Enable path monitoring and configure
monitored destinations for a static route. View the RIB and FIB
to verify that the static route is removed.