Static Route Removal Based on Path Monitoring

You can now use path monitoring so the firewall removes static route table entries when the link connection fails on the firewall interface to which the static route is assigned. Without path monitoring, if a path failure occurs upstream from the firewall, but the customer-premises equipment (CPE) keeps the link artificially active, the firewall can’t detect the failure and doesn’t update the static route in the route table; the firewall blackholes the traffic.
To inform the firewall when a static route is down, use static route removal based on path monitoring to detect when the path to one or more monitored destinations has gone down. The firewall can then reroute traffic using an alternative route.
The firewall performs path monitoring by sending ICMP ping messages to one or more monitored destinations that you determine are reliable and reflect the availability of the static route; a destination that the firewall can also reach over a different route is a poor choice, because the pings would keep succeeding over that other path and mask the failure. Depending on the failure condition you configure, the firewall considers the static route down when pings to any of the monitored destinations fail, or only when pings to all of them fail, and it then removes the route from the RIB and FIB. The firewall selects an alternative static route to the same destination from the RIB and places it in the FIB. When a removed static route comes back up, the firewall can reinstate it in the RIB and then compare the metrics of the routes to the same destination to decide which route goes in the FIB.
Path monitoring is desirable to avoid blackholing traffic for:
  • A static or default route.
  • A static or default route redistributed into a routing protocol.
  • A static or default route when one peer does not support BFD. (The best practice is not to enable both BFD and path monitoring for a single interface.)
  • A static or default route instead of using PBF path monitoring, which doesn’t remove a failed static route from the RIB, FIB, or redistribution policy.
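The following Python simulation is an added example that is not part of the original page and is not PAN-OS code; it models the behaviour described above so the "any" and "all" failure conditions, the RIB/FIB split, reinstatement, and the blackhole case of an unmonitored route can be exercised offline. The ping results are constructed dictionaries rather than real ICMP probes, all addresses are documentation-range placeholders, and the `hold_polls` counter is a simplified stand-in for a reinstatement hold timer (an assumption, not the firewall's actual timer semantics).

```python
"""Simulation of static-route removal based on path monitoring (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    name: str
    prefix: str
    next_hop: str
    metric: int
    # Destinations pinged for this route; an empty list means path monitoring is off.
    monitored: List[str] = field(default_factory=list)
    # "any": route is down if pings to any destination fail;
    # "all": route is down only if pings to all destinations fail.
    failure_condition: str = "any"
    # Consecutive healthy polls required before a removed route is reinstated
    # (simplified stand-in for a hold timer; assumption, not the firewall's timer).
    hold_polls: int = 2
    healthy_streak: int = 0
    installed: bool = True  # present in the RIB


class StaticRouter:
    """Keeps a RIB of static routes and derives the FIB from the installed ones."""

    def __init__(self, routes: List[StaticRoute]) -> None:
        self.rib: Dict[str, StaticRoute] = {r.name: r for r in routes}
        self.fib: Dict[str, StaticRoute] = {}
        self._rebuild_fib()

    def _rebuild_fib(self) -> None:
        # One FIB entry per prefix: the lowest-metric route still present in the RIB.
        best: Dict[str, StaticRoute] = {}
        for r in self.rib.values():
            if r.installed and (r.prefix not in best or r.metric < best[r.prefix].metric):
                best[r.prefix] = r
        self.fib = best

    @staticmethod
    def _path_down(route: StaticRoute, ping_ok: Dict[str, bool]) -> bool:
        if not route.monitored:
            # No path monitoring: only link state could pull the route, and in the
            # scenario on this page the CPE keeps the link up, so it never is.
            return False
        results = [ping_ok.get(dst, False) for dst in route.monitored]
        if route.failure_condition == "any":
            return not all(results)
        if route.failure_condition == "all":
            return not any(results)
        raise ValueError(f"unknown failure condition {route.failure_condition!r}")

    def poll(self, ping_ok: Dict[str, bool]) -> List[str]:
        """Apply one round of ping results and return a log of RIB changes."""
        events: List[str] = []
        for r in self.rib.values():
            if self._path_down(r, ping_ok):
                r.healthy_streak = 0
                if r.installed:
                    r.installed = False
                    events.append(f"removed {r.name} ({r.prefix} via {r.next_hop})")
            else:
                r.healthy_streak += 1
                if not r.installed and r.healthy_streak >= r.hold_polls:
                    r.installed = True
                    events.append(f"reinstated {r.name} ({r.prefix} via {r.next_hop})")
        self._rebuild_fib()
        return events

    def next_hop(self, prefix: str) -> Optional[str]:
        r = self.fib.get(prefix)
        return r.next_hop if r else None


def demo() -> List[Optional[str]]:
    """Primary default route via ISP A, backup via ISP B (constructed addresses)."""
    router = StaticRouter([
        StaticRoute("isp-a", "0.0.0.0/0", "203.0.113.1", metric=10,
                    monitored=["198.51.100.10", "198.51.100.20"], failure_condition="any"),
        StaticRoute("isp-b", "0.0.0.0/0", "192.0.2.1", metric=20,
                    monitored=["192.0.2.50"], failure_condition="all"),
    ])
    trace = [router.next_hop("0.0.0.0/0")]
    # Upstream failure on ISP A: one of its two probes stops answering ("any" trips).
    router.poll({"198.51.100.10": False, "198.51.100.20": True, "192.0.2.50": True})
    trace.append(router.next_hop("0.0.0.0/0"))
    # ISP A recovers; the first healthy poll is not enough, the second reinstates it
    # and the metric comparison puts ISP A back in the FIB.
    router.poll({"198.51.100.10": True, "198.51.100.20": True, "192.0.2.50": True})
    trace.append(router.next_hop("0.0.0.0/0"))
    router.poll({"198.51.100.10": True, "198.51.100.20": True, "192.0.2.50": True})
    trace.append(router.next_hop("0.0.0.0/0"))
    return trace


if __name__ == "__main__":
    for hop in demo():
        print(hop)
```

Running `demo()` shows the FIB next hop moving from ISP A to ISP B after the failed probe and back to ISP A only after the hold count is satisfied; a route built with an empty `monitored` list never leaves the RIB no matter what the probes report, which is the blackhole the page warns about.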
