How to clean up your firewall routing table
03/26/2020
Description
When troubleshooting network connectivity issues, one of the most important steps is to check your routing table (Network | Routing). The routing table may contain redundant or incorrect route policies that cause packets to be dropped or misrouted. This article discusses how to clean up the routing table to prevent such network problems.
Resolution
1. A custom routing policy is redundant when its configured destination network is a subnet directly connected to the firewall, because SonicOS creates routes from any source to all directly connected subnets by default.
E.g.1: The destination of route #6 is X0:V50 Subnet, which is a directly connected subnet of the firewall. Route #5 is the route that SonicOS has already created for any source to this subnet.
E.g.2: Any destination object that is the same subnet as one associated with an interface configuration. In the following route illustration, the destination network on vlan 13 and the gateway subnet on vlan 2000 are configured on the same interface; this is wrong because the firewall's own interface configuration already routes between them.
Recommended Action: delete the routing policy.
2. A routing policy is a bad policy when its configured interface is shown as unassigned on the Network > Interface page.
E.g.: The interface of route #1 is X9. On the Network > Interface page, X9 is unassigned.
Recommended Action: delete the routing policy.
3. A routing policy is a bad policy when the configured gateway lies inside the subnet of the destination network.
Recommended Action: delete the Address Object (172.21.45.0/255.255.255.0) from the destination Address Group (Red X7 Pruebas DC).
4. A routing policy is a bad policy when it references an address object (AO) that no longer exists. In the picture below, the AO X6 Default Gateway no longer exists.
Recommended Action: delete this invalid routing policy.
5. A routing policy is a bad policy when the route statement matches any source, any destination and any service and points towards X1 Default Gateway on the X1 interface. Such a route can disrupt traffic on every other interface.
Static routes need at least a specific source or destination object to be valid. In newer versions of SonicOS, the affected traffic will be dropped as a SYN Flood.
Recommended Action: delete this bad routing policy.
NOTE: Disconnect the cable of the interface when the interface is not configured.
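The five checks above can be applied mechanically to an exported routing table. The following script is an added example, not SonicWall code or part of the original article: it models interfaces, address objects and route policies as plain Python data (all sample values are constructed for illustration) and flags each route that matches one of the five conditions. The rule for check 5 assumes the SonicOS naming convention in which the auto-created gateway object of interface X1 is called "X1 Default Gateway"; the same test is applied to every interface name rather than only X1.

```python
from ipaddress import ip_network
from dataclasses import dataclass

# Constructed sample data (not from a real firewall), modelled on the SonicOS
# objects named in the article: interfaces with their directly connected
# subnets, named address objects, and static route policies.
INTERFACES = {
    "X0":     {"assigned": True,  "subnets": ["192.168.1.0/24"]},
    "X0:V50": {"assigned": True,  "subnets": ["10.50.0.0/24"]},
    "X1":     {"assigned": True,  "subnets": ["203.0.113.0/29"]},
    "X9":     {"assigned": False, "subnets": []},        # unassigned, as in check 2
}

ADDRESS_OBJECTS = {
    "X0:V50 Subnet":      "10.50.0.0/24",    # directly connected, as in check 1
    "Branch LAN":         "172.21.45.0/24",
    "Branch GW":          "172.21.45.1",     # inside Branch LAN, as in check 3
    "Branch Router":      "192.168.1.254",
    "Remote Site":        "10.99.0.0/24",
    "X1 Default Gateway": "203.0.113.1",
    # "X6 Default Gateway" is deliberately absent, as in check 4
}

@dataclass(frozen=True)
class Route:
    num: int
    source: str       # "any" or an address object name
    destination: str  # "any" or an address object name
    service: str      # "any" or a service name
    gateway: str      # "0.0.0.0" (no gateway) or an address object name
    interface: str

def resolve(name):
    """Return the ip_network for an address object name (hosts become /32)."""
    return ip_network(ADDRESS_OBJECTS[name], strict=False)

def connected_subnets():
    """All subnets SonicOS already routes to because they sit on an interface."""
    return {ip_network(s) for iface in INTERFACES.values() for s in iface["subnets"]}

def audit_route(route):
    """Apply the article's five checks to one route; return the list of findings."""
    findings = []
    # Check 4: every referenced address object must still exist.
    for ref in (route.source, route.destination, route.gateway):
        if ref not in ("any", "0.0.0.0") and ref not in ADDRESS_OBJECTS:
            findings.append(f"missing address object '{ref}'")
    if findings:
        return findings  # the remaining checks need resolvable objects
    dest = None if route.destination == "any" else resolve(route.destination)
    gw = None if route.gateway == "0.0.0.0" else resolve(route.gateway)
    # Check 1: destination is a directly connected subnet (already routed by default).
    if dest is not None and dest in connected_subnets():
        findings.append("redundant: destination is a directly connected subnet")
    # Check 2: the egress interface is missing or unassigned.
    iface = INTERFACES.get(route.interface)
    if iface is None or not iface["assigned"]:
        findings.append(f"interface {route.interface} is unassigned")
    # Check 3: the gateway address lies inside the destination network.
    if dest is not None and gw is not None and gw.network_address in dest:
        findings.append("gateway is inside the destination network")
    # Check 5: any/any/any towards the interface's own default gateway object
    # (assumed naming convention "<interface> Default Gateway").
    if (route.source, route.destination, route.service) == ("any", "any", "any") \
            and route.gateway == f"{route.interface} Default Gateway":
        findings.append("any source/destination/service to a default gateway")
    return findings

def audit_table(routes):
    """Map each route number to its findings (an empty list means the route is fine)."""
    return {r.num: audit_route(r) for r in routes}

# Constructed routing table; numbers loosely follow the article's examples.
ROUTES = [
    Route(1,  "any", "Remote Site",   "any", "Branch Router",      "X9"),
    Route(6,  "any", "X0:V50 Subnet", "any", "0.0.0.0",            "X0:V50"),
    Route(7,  "any", "Branch LAN",    "any", "Branch GW",          "X0"),
    Route(8,  "any", "Remote Site",   "any", "X6 Default Gateway", "X6"),
    Route(9,  "any", "any",           "any", "X1 Default Gateway", "X1"),
    Route(10, "any", "Remote Site",   "any", "Branch Router",      "X0"),
]

if __name__ == "__main__":
    for num, findings in sorted(audit_table(ROUTES).items()):
        print(f"route #{num}: {'; '.join(findings) or 'ok'}")
```

Routes #1, #6, #7, #8 and #9 each trigger exactly one of the five checks, while #10 (a specific destination reached through a gateway on an assigned interface) produces no finding. To use this against a real firewall, replace the three constructed tables with values exported from Network | Routing, Network > Interface and the address object list.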