Router

Router objects can be used:

  • As the firewall’s default gateway,
  • As the gateway in static routes (except for router objects involved in load balancing),
  • For specifying the type of routing in filter rules (PBR: Policy-Based Routing).

Router objects are defined by a name and at least one gateway used. They may contain one or several gateways used and backup gateways. A mechanism that tests the availability of these gateways provides redundancy: if no responses are received from one or several main gateways, one or several backup gateways take over.

Select a router to view or edit its properties.

Properties

Object name

Name given to the router object when it was created.

Comments

Description associated with the router object.

Monitoring

The fields in the Monitoring section make it possible to define the method and parameters to use to verify the availability of the router object’s gateways.

Detection method

There are two ways to detect the status of gateways:
  • ICMP: ICMP requests (pings) are sent to the gateways, and their statuses are detected based on whether they respond to the pings.
  • TCP Probe: gateway status is detected by connecting to a TCP service hosted by the gateways that make up the router object. When this method is chosen, an additional field will appear, corresponding to the TCP port of the service to be tested (HTTPS by default).

Port

This field appears only when the TCP Probe detection method is chosen.

Select the TCP port to test on the gateways that make up the router object.
The HTTPS port is suggested by default.

Timeout (s)

Indicate the timeout (in seconds) after which a ping that has not received a response will be considered a failure.

The default value when a router object is created is 1 second.

Interval (s)

Indicate the interval (in seconds) between two pings.

The default value when a router object is created is 5 seconds.

Failures before degradation

Indicate the number of failed pings before the gateway is declared unreachable.

The default value when a router object is created is 5 unsuccessful attempts.
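The three monitoring parameters above combine into a small state machine: a probe is sent every Interval seconds, a probe unanswered after Timeout seconds counts as a failure, and the gateway is degraded after Failures consecutive failures. The Python below is an added example written for this page, not Stormshield SNS code; the probe results are constructed, and it assumes that one successful probe clears the failure counter and restores the gateway, and that probes are sent on a fixed schedule whether or not the previous one was answered (which is how the worst-case detection time is derived).

```python
"""Gateway availability tracking for a router object.

Added example (not Stormshield SNS code): it models the Monitoring parameters
of a router object. A probe (ICMP echo or TCP connect on the chosen port) is
sent every `interval` seconds; a probe with no reply within `timeout` seconds
counts as a failure; the gateway is declared unreachable after `failures`
consecutive failed probes. Probe results below are constructed for the example.
Assumptions: a single successful probe resets the failure counter and restores
the gateway, and probes are sent on a fixed schedule whether or not the
previous one was answered.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GatewayMonitor:
    name: str
    timeout: float = 1.0   # Timeout (s): defaults to 1 second on creation
    interval: float = 5.0  # Interval (s): defaults to 5 seconds
    failures: int = 5      # Failures before degradation: defaults to 5
    consecutive_failures: int = 0
    reachable: bool = True

    def record(self, rtt: Optional[float]) -> bool:
        """Feed one probe result and return the gateway status afterwards.

        `rtt` is the round-trip time in seconds, or None when no reply arrived.
        A reply that arrives after `timeout` is treated exactly like no reply,
        since the probe has already been counted as failed by then.
        """
        if rtt is None or rtt > self.timeout:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.failures:
                self.reachable = False
        else:
            # Assumption: one good answer clears the streak and restores the gateway.
            self.consecutive_failures = 0
            self.reachable = True
        return self.reachable

    def worst_case_detection_time(self) -> float:
        """Seconds between a gateway going silent and it being declared unreachable.

        The first failed probe is noticed `timeout` seconds after it is sent;
        each further probe adds one `interval`. With the defaults this is
        4 * 5 + 1 = 21 seconds.
        """
        return (self.failures - 1) * self.interval + self.timeout


def first_failure_index(results: List[Optional[float]], **params) -> Optional[int]:
    """Index of the probe at which the gateway is first declared unreachable, or None.

    `params` are passed to GatewayMonitor (timeout, interval, failures), so the
    same constructed result list can be replayed against different settings.
    """
    monitor = GatewayMonitor("gw", **params)
    for i, rtt in enumerate(results):
        if not monitor.record(rtt):
            return i
    return None


if __name__ == "__main__":
    # Constructed probe results: two answers, then a burst of losses, then recovery.
    probes = [0.02, 0.03, None, 2.5, None, None, None, None, 0.02]
    print("declared down at probe", first_failure_index(probes))                      # 6
    print("with failures=3, down at probe", first_failure_index(probes, failures=3))  # 4
    print("worst-case detection:", GatewayMonitor("gw").worst_case_detection_time(), "s")
```

Replaying the same constructed result list against different settings shows the trade-off directly: lowering Failures before degradation shortens detection but turns a short burst of lost probes into a gateway switch, which is the same balance the later CLI note exposes through its tries, wait and frequency parameters.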

SD-WAN SLA (thresholds)

IMPORTANT

This is an early access feature in SNS 4.5.

You must refer to the Known issues and Limitations and explanations on usage in the SNS 4.5 release notes before enabling this feature.

Select this checkbox to show the restrictions on network metrics (latency, jitter, packet loss, etc.) that the router object’s gateway must comply with to guarantee the SLA relating to the router.
Compliance with these values determines the status of the router object’s gateways, therefore the status of the router object itself. These statuses are shown in the dashboard, the SD-WAN monitoring module and the Connections monitoring module.

Latency (ms)

This metric represents the amount of time that a data packet needs to go from the source to the destination through a network. Strictly speaking the term is inaccurate, but the time in milliseconds that a ping takes to reach its destination is commonly referred to as “latency”.

Indicate the maximum accepted latency (in milliseconds) for the router object’s gateways.

This value must be between 0 and 60000 milliseconds inclusive.

Jitter (ms)

This metric represents how latency changes over time.

Indicate the maximum accepted jitter (in milliseconds) for the router object’s gateways.

This value must be between 0 and 30 milliseconds inclusive.

Packet loss rate (%)

This metric represents the maximum accepted percentage of packets lost (sent without receiving a response).

This value must be between 0 and 100 inclusive.

Unavailability rate (%)

This metric represents the percentage of time that a gateway is unavailable or inactive over the period measured.
This parameter exists mainly to show statistics regarding the availability of gateways.

NOTE
Prior to configuring a switch when any of the SLA thresholds are not met, we recommend that you check in advance that these thresholds will not wrongly trigger a switch. To do so, create a router object with the desired SLA thresholds and add it to the end of your security policy in a rule that will never be used. The object will then appear in the Monitoring module, which will allow you to ensure that the right SLA thresholds are selected.
We especially recommend this verification when jitter is the only SLA threshold used because it measures even the most minute changes when they occur.
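The SLA section above lists the metrics and their valid ranges but not how a window of probe results turns into a gateway status. The Python below is an added example written for this page, not Stormshield SNS code: it derives latency, jitter and packet loss from a constructed window of probe samples, rejects thresholds outside the documented ranges, and shows why a jitter-only SLA trips on ordinary RTT wobble, as the NOTE warns. The formulas are assumptions (mean RTT for latency, mean absolute difference between consecutive RTTs for jitter, share of unanswered probes for loss); the documentation does not state how SNS computes them.

```python
"""SD-WAN SLA evaluation for one gateway of a router object.

Added example (not Stormshield SNS code). It takes a window of probe samples
(round-trip time in milliseconds, or None for a probe that got no answer),
derives latency, jitter and packet loss, and compares them with the SLA
thresholds, rejecting thresholds outside the documented ranges. The sample
windows are constructed. How SNS computes each metric is not stated in the
documentation; the formulas here are assumptions: latency is the mean RTT of
answered probes, jitter is the mean absolute difference between consecutive
answered RTTs, packet loss is the share of unanswered probes in the window.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class SlaThresholds:
    """Maximum accepted values; None means the metric is not part of the SLA."""
    latency_ms: Optional[float] = None       # 0 .. 60000
    jitter_ms: Optional[float] = None        # 0 .. 30
    packet_loss_pct: Optional[float] = None  # 0 .. 100

    def __post_init__(self) -> None:
        limits = (("latency_ms", 60000), ("jitter_ms", 30), ("packet_loss_pct", 100))
        for name, upper in limits:
            value = getattr(self, name)
            if value is not None and not 0 <= value <= upper:
                raise ValueError(f"{name} must be between 0 and {upper} inclusive")


def measure(samples: Sequence[Optional[float]]) -> Dict[str, float]:
    """Derive the SLA metrics from one window of probe results."""
    if not samples:
        raise ValueError("empty sample window")
    answered = [rtt for rtt in samples if rtt is not None]
    loss_pct = 100.0 * (len(samples) - len(answered)) / len(samples)
    if not answered:
        # Nothing came back: latency and jitter are unmeasurable, loss is total.
        return {"latency_ms": float("inf"), "jitter_ms": float("inf"), "packet_loss_pct": loss_pct}
    latency = sum(answered) / len(answered)
    if len(answered) > 1:
        deltas = [abs(b - a) for a, b in zip(answered, answered[1:])]
        jitter = sum(deltas) / len(deltas)
    else:
        jitter = 0.0
    return {"latency_ms": latency, "jitter_ms": jitter, "packet_loss_pct": loss_pct}


def sla_violations(samples: Sequence[Optional[float]], sla: SlaThresholds) -> List[str]:
    """Names of the metrics that exceed their threshold (empty list = SLA met)."""
    metrics = measure(samples)
    checks = (("latency_ms", sla.latency_ms),
              ("jitter_ms", sla.jitter_ms),
              ("packet_loss_pct", sla.packet_loss_pct))
    return [name for name, limit in checks if limit is not None and metrics[name] > limit]


def gateway_status(samples: Sequence[Optional[float]], sla: SlaThresholds) -> str:
    """Status shown for the gateway: 'ok' when every configured threshold is met."""
    return "ok" if not sla_violations(samples, sla) else "degraded"


if __name__ == "__main__":
    # Constructed window: a healthy link with small RTT wobble and one lost probe.
    window = [20.0, 22.0, 19.0, 23.0, None, 21.0]
    print(measure(window))
    # A tight jitter-only SLA trips on this ordinary wobble, which is the case
    # the NOTE above warns about; a looser combined SLA does not.
    print(gateway_status(window, SlaThresholds(jitter_ms=2)))                                       # degraded
    print(gateway_status(window, SlaThresholds(latency_ms=100, jitter_ms=5, packet_loss_pct=20)))   # ok
```

Running candidate thresholds against captured windows in this way is the offline counterpart of the dummy-rule check recommended in the NOTE: it shows which metric would drive a switch before the router object is put on a live rule.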

Tables of gateways used and backup gateways

Button bar

Add

Adds a gateway.

Delete

Deletes the selected gateway.

Move to the list of backups/Move to the list of main gateways

Moves the selected gateway from the main table to the backup table, or vice versa.

Both grids contain the following columns:

Gateway (mandatory)

Clicking on a line in this column will open the objects database to select a host that acts as the router.

Weight

Allows a priority to be assigned between the various gateways for the load balancing mechanism. A gateway with a higher weight will therefore be used more often when balancing traffic load.

Test target(s)

Host or host group to test in order to determine the connectivity of the gateway. The value selected may be the gateway itself (Test the gateway directly), a host or a group of third-party hosts. The availability test may be disabled for the selected gateway by selecting the value No availability testing.

NOTE
We strongly recommend that you use a host group as the test target.

NOTE
If the value No availability testing has been selected for all gateways, the function that enables a switch to backup gateways will be disabled.

Comments (optional)

Any text.

NOTE
Parameters that define the interval between two availability tests (“frequency”), the maximum waiting time for a response (“wait”) and the number of tests to perform before declaring the gateway unreachable (“tries”) can only be configured via the following CLI command:
CONFIG OBJECT ROUTER NEW name=<router name> [tries=<int>] [wait=<seconds>] [frequency=<seconds>] update=1
The default values suggested are 15 seconds for the “frequency” parameter, 2 seconds for the “wait” parameter and 3 for the “tries” parameter.

Advanced properties

Load balancing

The firewall allows distributed routing between the various gateways used through several methods:
  • No load balancing: only the first gateway defined in the "Used gateways" and "Backup gateways" tables will be used for routing.
  • By connection: all gateways defined in the "Used gateways" table will be used. The load balancing algorithm is based on the source (source IP address, source port) and the destination (destination IP address, destination port) of the traffic. The rate at which the various gateways are used will be related to their respective weights.
  • By source IP address: all gateways defined in the "Used gateways" table will be used. An algorithm allows balancing routing based on the source of the routed traffic. The rate at which the various gateways are used will be related to their respective weights.

Enable backup gateways

  • When all gateways cannot be reached: the backup gateway(s) will only be enabled when all the gateways used cannot be contacted.
  • When at least one gateway cannot be reached: the backup gateway(s) will be enabled as soon as a gateway used cannot be contacted. This option is grayed out when a single gateway is entered in the table of used gateways.
  • When the number of gateways that can be reached is lower than: the backup gateway(s) will be enabled as soon as the number of contactable gateways used falls below the number indicated. This option is grayed out when a single gateway is entered in the table of used gateways.

Enable all backup gateways when unavailable

If this option is selected, all backup gateways will be enabled as soon as the condition for enabling them has been met. If it is not selected, only the first backup gateway listed will be enabled.

If no gateways are available

Select the behavior that the firewall must adopt if all the gateways defined in the router object cannot be contacted:
  • Default route: the routes (static or dynamic) defined in the firewall’s routing table will be applied.
  • Do not route: the firewall will not manage packets passing through.
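The advanced properties above describe four interacting decisions: which balancing key picks a gateway, how weights shape the split, when backup gateways come into play, and what happens when nothing is reachable. The Python below is an added example written for this page, not Stormshield SNS code, that implements those documented rules end to end. The hash function and the exact effect of weights are not documented, so the weighted-ring selection keyed on a SHA-256 of the balancing key is an assumption, as is the choice to balance over reachable used gateways plus the enabled backups when backups are activated while some used gateways are still up, and to read "first backup gateway listed" as the first reachable one; the flows are constructed.

```python
"""Gateway selection for a router object under load balancing and backup rules.

Added example (not Stormshield SNS code). It implements the documented policies:
"No load balancing", "By connection" and "By source IP address" with gateway
weights; the three conditions for enabling backup gateways; the "Enable all
backup gateways when unavailable" option; and the "If no gateways are available"
behaviour. The hash function and the exact way weights shape the distribution
are not documented, so this is one consistent implementation (assumption): a
SHA-256 of the balancing key picks a slot on a weighted ring, which keeps a
given flow (or source) on the same gateway while the pool is stable.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
import hashlib

DEFAULT_ROUTE = "<default route>"  # fall back to the firewall's routing table
NOT_ROUTED = "<not routed>"        # "Do not route": the packet is not handled


@dataclass
class Gateway:
    name: str
    weight: int = 1
    reachable: bool = True


@dataclass
class RouterObject:
    used: List[Gateway]
    backups: List[Gateway] = field(default_factory=list)
    balancing: str = "none"             # "none" | "connection" | "source"
    backup_policy: str = "all_down"     # "all_down" | "any_down" | "below"
    backup_threshold: int = 1           # with "below": enable backups when reachable < this
    enable_all_backups: bool = False    # False: only the first backup listed
    if_no_gateway: str = DEFAULT_ROUTE  # or NOT_ROUTED

    def backups_needed(self) -> bool:
        up = sum(1 for g in self.used if g.reachable)
        if self.backup_policy == "all_down":
            return up == 0
        if self.backup_policy == "any_down":
            return up < len(self.used)
        if self.backup_policy == "below":
            return up < self.backup_threshold
        raise ValueError(f"unknown backup policy {self.backup_policy!r}")

    def active_gateways(self) -> List[Gateway]:
        """Gateways eligible for routing right now."""
        pool = [g for g in self.used if g.reachable]
        if self.backups_needed():
            live = [g for g in self.backups if g.reachable]
            # Assumption: "first backup listed" means the first one that is reachable.
            pool += live if self.enable_all_backups else live[:1]
        return pool

    def select(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> str:
        """Name of the gateway for this packet, or a fallback marker."""
        pool = self.active_gateways()
        if not pool:
            return self.if_no_gateway
        if self.balancing == "none":
            return pool[0].name  # only the first gateway of the table is used
        if self.balancing == "connection":
            key: Tuple = (src_ip, src_port, dst_ip, dst_port)
        elif self.balancing == "source":
            key = (src_ip,)
        else:
            raise ValueError(f"unknown balancing mode {self.balancing!r}")
        return weighted_pick(pool, key).name


def weighted_pick(pool: List[Gateway], key: Tuple) -> Gateway:
    """Map a key onto the pool so each gateway gets a share proportional to its weight."""
    digest = hashlib.sha256("|".join(map(str, key)).encode()).digest()
    slot = int.from_bytes(digest[:8], "big") % sum(g.weight for g in pool)
    for g in pool:
        if slot < g.weight:
            return g
        slot -= g.weight
    raise AssertionError("slot is always below the total weight")


def distribution(router: RouterObject, n_flows: int = 1000) -> Dict[str, int]:
    """Count how n constructed flows (distinct sources and ports) spread over the gateways."""
    counts: Dict[str, int] = {}
    for i in range(n_flows):
        gw = router.select(f"10.0.{i // 256}.{i % 256}", 40000 + i, "203.0.113.10", 443)
        counts[gw] = counts.get(gw, 0) + 1
    return counts


if __name__ == "__main__":
    router = RouterObject(used=[Gateway("gwA", weight=3), Gateway("gwB", weight=1)],
                          backups=[Gateway("bk1"), Gateway("bk2")], balancing="connection")
    print("by connection, weights 3:1 ->", distribution(router))
    router.used[0].reachable = router.used[1].reachable = False
    print("all used down, first backup only ->", [g.name for g in router.active_gateways()])
```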
Apply

Confirms the router’s configuration.

Copy

Allows creating a new router object by duplicating the characteristics of the router being edited.

Cancel

Cancels the router’s configuration.