Router objects can be used:
- As the firewall’s default gateway,
- As the gateway in static routes (except for router objects involved in load balancing),
- For specifying the type of routing in filter rules (PBR: Policy Based Routing).
Router objects are defined by a name and at least one gateway used. They may contain one or several gateways used and backup gateways. A mechanism that tests the availability of these gateways makes it possible to provide redundancy – if no responses are received from one or several main gateways, one or several backup gateways will then take over. As soon as the main gateway becomes active again, the switch from the backup gateway back to the main gateway is automatic.
Select a router to view or edit its properties.
|Object name||Name given to the router object when it was created.|
|Comments||Description associated with the router object.|
The fields in the Monitoring section make it possible to define the method and parameters to use to verify the availability of the router object’s gateways.
|Detection method||There are two ways to detect the status of gateways:
This field appears only when the TCP Probe detection method is chosen.
Select the TCP port to test on the gateways that make up the router object.
|Timeout (s)||Indicate the timeout (in seconds) after which a request that has not received a response will be considered a failure.|
|Interval (s)||Indicate the interval (in seconds) between two requests.|
|Failures before degradation||Indicate the number of failed requests before the link is declared degraded or the gateway is declared unreachable.|
SD-WAN SLA (thresholds)
Select this checkbox to show the restrictions on network metrics (latency, jitter, packet loss, etc.) that the router object’s gateway must comply with to guarantee the SLA relating to the router.
Compliance with these values determines the status of the router object’s gateways, and therefore the status of the router object itself. These statuses are shown in the dashboard, the SD-WAN monitoring module and the Connections monitoring module.
|Latency (ms)||This metric represents the amount of time that a data packet needs to go from the source to the destination through a network. Though the term is technically inaccurate, the number of milliseconds that a ping takes to reach its destination is commonly referred to as “latency”. Indicate the maximum accepted latency (in milliseconds) for the router object’s gateways. This value must be between 0 and 60000 milliseconds inclusive.|
|Jitter (ms)||This metric represents how latency changes over time. Indicate the maximum accepted jitter (in milliseconds) for the router object’s gateways. This value must be between 0 and 30 milliseconds inclusive.|
|Packet loss rate (%)||This metric represents the maximum accepted percentage of messages sent without receiving a response (packet loss) for the router object’s gateways. This value must be between 0 and 100 inclusive.|
|Unavailability rate (%)||This metric represents the percentage of time that a gateway is unavailable or inactive over the period measured. This parameter exists mainly to show statistics regarding the availability of gateways.|
Before configuring a switch that is triggered when any of the SLA thresholds are not met, we recommend that you check in advance that these thresholds will not wrongly trigger a switch. To do so, create a router object with the desired SLA thresholds and add it to the end of your security policy in a rule that will never be used. The object will then appear in the Monitoring module, which will allow you to ensure that the right SLA thresholds are selected.
We especially recommend this verification when jitter is the only SLA threshold used, because jitter reflects even the smallest variations in latency as soon as they occur.
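The dry run recommended above can also be rehearsed offline. The following added example (not Stormshield code) evaluates a constructed series of probe results against SLA thresholds and reports which threshold would be violated; it also applies the "Failures before degradation" count to decide whether the gateway would be declared unreachable. The page does not state how the firewall computes latency and jitter, so the formulas used here (mean RTT of answered probes, mean absolute difference between consecutive answered RTTs) are assumptions.

```python
"""Added example, not Stormshield code: dry-run SLA threshold check.

Assumed metric definitions (the page does not specify the firewall's own):
  latency  = mean RTT of answered probes
  jitter   = mean absolute difference between consecutive answered RTTs
  loss_pct = unanswered probes / total probes * 100
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SlaThresholds:
    """Maximum accepted values; ranges are the ones given on the page."""
    latency_ms: float = 60000.0   # 0..60000 inclusive
    jitter_ms: float = 30.0       # 0..30 inclusive
    loss_pct: float = 100.0       # 0..100 inclusive

    def __post_init__(self) -> None:
        if not 0 <= self.latency_ms <= 60000:
            raise ValueError("latency threshold must be 0..60000 ms")
        if not 0 <= self.jitter_ms <= 30:
            raise ValueError("jitter threshold must be 0..30 ms")
        if not 0 <= self.loss_pct <= 100:
            raise ValueError("packet loss threshold must be 0..100 %")


@dataclass
class SlaReport:
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    violations: List[str]   # names of thresholds that were exceeded

    @property
    def compliant(self) -> bool:
        return not self.violations


def evaluate_sla(rtts: List[Optional[float]], thr: SlaThresholds) -> SlaReport:
    """Compute the assumed metrics over a probe series (None = no response)."""
    if not rtts:
        raise ValueError("need at least one probe result")
    answered = [r for r in rtts if r is not None]
    loss_pct = 100.0 * (len(rtts) - len(answered)) / len(rtts)
    latency = sum(answered) / len(answered) if answered else float("inf")
    diffs = [abs(b - a) for a, b in zip(answered, answered[1:])]
    jitter = sum(diffs) / len(diffs) if diffs else 0.0

    violations = []
    if latency > thr.latency_ms:
        violations.append("latency")
    if jitter > thr.jitter_ms:
        violations.append("jitter")
    if loss_pct > thr.loss_pct:
        violations.append("packet loss")
    return SlaReport(latency, jitter, loss_pct, violations)


def declared_unreachable(rtts: List[Optional[float]], failures_before_degradation: int) -> bool:
    """True if `failures_before_degradation` probes in a row went unanswered."""
    streak = 0
    for r in rtts:
        streak = streak + 1 if r is None else 0
        if streak >= failures_before_degradation:
            return True
    return False


# Constructed sample: RTTs in ms from eight probes, one of them unanswered,
# with a single spike that barely moves the mean but dominates jitter.
SAMPLE_RTTS: List[Optional[float]] = [21.0, 23.5, 22.0, None, 24.0, 60.0, 25.0, 22.5]
SAMPLE_THRESHOLDS = SlaThresholds(latency_ms=50.0, jitter_ms=10.0, loss_pct=20.0)

if __name__ == "__main__":
    report = evaluate_sla(SAMPLE_RTTS, SAMPLE_THRESHOLDS)
    print(f"latency={report.latency_ms:.1f} ms jitter={report.jitter_ms:.2f} ms "
          f"loss={report.loss_pct:.1f} % violations={report.violations}")
    print("unreachable:", declared_unreachable(SAMPLE_RTTS, 3))
```

With the constructed sample, latency and loss stay under their thresholds while a single RTT spike pushes the computed jitter above 10 ms, which is exactly the false-positive switch the advice above warns about when jitter is the only threshold in use.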
Tables of gateways used and backup gateways
|Add||Adds a gateway.|
|Delete||Deletes the selected gateway.|
|Move to the list of backups/Move to the list of main gateways||Allows switching from one gateway in the main table to the backup table or vice versa.|
Both grids contain the following columns:
|Gateway (mandatory)||Clicking on a line in this column will open the objects database to select a host that acts as the router.|
|Weight||Allows a priority to be assigned between the various gateways for the load balancing mechanism. A gateway with a higher weight will therefore be used more often when balancing traffic load.|
|Test target(s)||Host or host group to test in order to determine the connectivity of the gateway. The value selected may be the gateway itself (Test the gateway directly), a host or a group of third-party hosts. The availability test may be disabled for the selected gateway by selecting the value No availability testing.|
|(Optional) Comments||Any text.|
Parameters that define the interval between two availability tests (“frequency”), the maximum waiting time for a response (“wait”) and the number of tests to perform before declaring the gateway uncontactable (“tries”) can only be configured via the following CLI command:
CONFIG OBJECT ROUTER NEW name=<router name> [tries=<int>] [wait=<seconds>] [frequency=<seconds>] update=1
The default values suggested are 15 seconds for the “frequency” parameter, 2 seconds for the “wait” parameter and 3 for the “tries” parameter.
|Load balancing||The firewall allows distributed routing between the various gateways used through several methods:
|Enable backup gateways||
|Enable all backup gateways when unavailable||If this option is selected, all backup gateways will be enabled as soon as the condition for enabling them has been met. If it is not selected, only the first backup gateway listed will be enabled.|
|If no gateways are available||Select the behavior that the firewall must adopt if all the gateways defined in the router object cannot be contacted:
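The following added example (not Stormshield code) models the main/backup behaviour described in this section: which gateways a router object would send traffic through given each gateway's availability, how the "Enable all backup gateways when unavailable" option changes that set, and the traffic share implied by the Weight column. The page does not spell out the condition under which backups are enabled nor the choices offered under "If no gateways are available", so this model assumes backups take over when every main gateway is down and simply returns an empty set when nothing is reachable.

```python
"""Added example, not Stormshield code: main/backup gateway selection and
weight-based traffic shares for a router object.

Assumptions (not stated on the page):
  - backup gateways are enabled only when all main gateways are down;
  - when no gateway at all is reachable, the result is an empty set, leaving
    the "If no gateways are available" behaviour to the administrator's choice.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Gateway:
    name: str
    weight: int = 1      # Weight column: relative share for load balancing
    up: bool = True      # result of the availability test

    def __post_init__(self) -> None:
        if self.weight < 1:
            raise ValueError("weight must be a positive integer")


@dataclass
class RouterObject:
    name: str
    main: List[Gateway]
    backup: List[Gateway] = field(default_factory=list)
    enable_backups: bool = True          # "Enable backup gateways"
    enable_all_backups: bool = False     # "Enable all backup gateways when unavailable"

    def active_gateways(self) -> List[Gateway]:
        """Gateways traffic is currently routed through."""
        main_up = [g for g in self.main if g.up]
        if main_up:
            # As long as one main gateway answers, backups stay idle; when a
            # main gateway recovers it is picked up again automatically.
            return main_up
        if not self.enable_backups:
            return []
        backup_up = [g for g in self.backup if g.up]
        if not backup_up:
            return []
        # Either every reachable backup, or only the first one listed.
        return backup_up if self.enable_all_backups else backup_up[:1]

    def traffic_shares(self) -> Dict[str, float]:
        """Fraction of balanced traffic each active gateway would receive,
        proportional to its weight (assumed model of the Weight column)."""
        active = self.active_gateways()
        total = sum(g.weight for g in active)
        return {g.name: g.weight / total for g in active} if total else {}


def build_sample_router() -> RouterObject:
    """Constructed sample: two weighted main gateways and two backups."""
    return RouterObject(
        name="rtr-wan",
        main=[Gateway("gw-fiber", weight=2), Gateway("gw-dsl", weight=1)],
        backup=[Gateway("gw-lte"), Gateway("gw-sat")],
    )


if __name__ == "__main__":
    router = build_sample_router()
    print("normal:", router.traffic_shares())
    for g in router.main:
        g.up = False
    print("mains down, first backup only:", [g.name for g in router.active_gateways()])
    router.enable_all_backups = True
    print("mains down, all backups:", [g.name for g in router.active_gateways()])
```

Flipping `up` on the sample gateways walks through the cases the text describes: weighted sharing while both main gateways answer, a single main gateway carrying everything when the other fails, backup takeover only once both are down, and an automatic return to the main gateway when it recovers.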
|Apply||Confirms the router’s configuration.|
|Copy||Allows creating a new router object by duplicating the same characteristics as the edited router.|
|Cancel||Cancels the router’s configuration.|