# Routing

# Advanced Routing

From FWCloud-UI you can carry out routing administration. In traditional routing, the route that packets follow is determined solely by their destination. It is possible to create more specific routes based on other factors such as source address, firewall marks, traffic type, protocols, access lists, packet size, or other criteria. For that, we need to create routing tables and a routing policy; this is what is known as advanced routing or policy routing. From FWCloud-UI we can create and manage these routes and rules with all the power provided by its graphical environment and visual features. We access these features from the Routing section of the firewalls created in FWCloud-UI.

Routing Section

Routing tables and policy are described in the next sections of this document.

# Routing Tables

We will classify the routes in tables. To create a new table, we go to Routing, TABLES and select New table.

New Routing Table

In the form presented we can select the table "main", predefined by the system, or create a new custom table. All tables require a unique identifier; for our custom tables we can select a number between 1 and 250. They also require a name that identifies the table. Optionally, we can add a comment to the table definition.

Routing Tables Form

If we select a table we can add routes to it. If the table has no routes, we can press the New Route button next to the "Empty table warning", or alternatively right-click on the table name and then click New route in the context menu.

First Routing Route

New Routing Route

We are presented with a form where we need to fill in the gateway. All routes need a gateway, which is the next-hop device to send the packets to. This field only allows IP address objects and cannot be left empty. Since a route can only have one gateway, this field only allows a single object. That object cannot be deleted, because doing so would leave the rule inconsistent, but it can be replaced by another IP address object by drag and drop.

New Routing Route Form

This will create a route with the value "(Any)" in the To field. It represents a default route that uses the specified gateway.

Routing Route

If we are working with a cluster, this rule will have one more field, Apply to. This allows us to select whether the table is going to be installed on all the nodes of the cluster, or only on a specific node.

Routing Route in clusters

We can see the rule that will be installed in the router by right-clicking on the route number and clicking Compile selected route.

Compiling Routing Route

Compilation Routing Route

In order to adjust the routes to our needs we can make them more specific by modifying the To field.

This field admits more than one object. Here we can use any IP addresses, IP ranges, networks, hosts, groups, VPN connections and even VPN prefixes.

Tuned Routing Route

We can add as many routes as we need to the routing tables. We can also use any of the visual features of FWCloud-UI to define our routing table and make it clearer and more readable, such as copy and paste, moving routes, changing their color, disabling and enabling them, and creating groups to contain some of the routes.

Routing Route Options

Tuned Routing Table

# Routing Policy

To specify different paths used to route network traffic depending on the type of traffic or its source address, we need to classify this traffic using routing rules and then tell the system to find the most appropriate route in one routing table or another.
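An added example, not FWCloud-UI output or project code: a simplified Python model of the lookup that Linux-style policy routing performs, where rules select a table by source address and the table is then searched by longest prefix. Table IDs, networks, gateways and priorities are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the page). Each table maps a destination
# network to the gateway used for it.
TABLES = {
    "main": {"0.0.0.0/0": "192.0.2.1", "10.20.0.0/16": "192.0.2.254"},
    100: {"0.0.0.0/0": "198.51.100.1"},       # custom table with its own default route
    101: {"10.99.0.0/16": "203.0.113.1"},     # custom table with no default route
}

# Policy rules as (priority, From network, table); lowest priority is checked first.
RULES = [
    (100, "10.1.0.0/24", 100),
    (110, "10.2.0.0/24", 101),
    (32766, "0.0.0.0/0", "main"),             # catch-all rule pointing at "main"
]

def lookup_table(table_id, dst):
    """Longest-prefix match inside one table; None if no route covers dst."""
    best = None
    for net, gw in TABLES[table_id].items():
        network = ipaddress.ip_network(net)
        if dst in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best[1] if best else None

def resolve(src, dst):
    """Return (table, gateway) chosen for a packet, or None if unroutable."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, from_net, table_id in sorted(RULES, key=lambda r: r[0]):
        if src not in ipaddress.ip_network(from_net):
            continue                          # rule does not select this traffic
        gw = lookup_table(table_id, dst)
        if gw is not None:
            return table_id, gw
        # No covering route in this table: fall through to the next rule.
    return None

def audit(expectations):
    """List (src, dst) pairs whose resolved gateway differs from the expected one."""
    return [(s, d) for (s, d), want in expectations.items()
            if (resolve(s, d) or (None, None))[1] != want]

if __name__ == "__main__":
    for src, dst in [("10.1.0.5", "203.0.113.50"), ("10.2.0.5", "203.0.113.50"),
                     ("10.3.0.5", "10.20.1.1")]:
        print(src, "->", dst, resolve(src, dst))
```

The second case is the one worth checking on a real policy: a rule whose table has no route covering the destination does not drop the traffic; the lookup continues with later rules and ends in "main".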

If the policy routing is empty we can create the first rule by pressing the Create new rule button.

New Routing Rule

Because the rules make use of the routing tables, we cannot create a new rule until we have defined at least one routing table (see Routing Tables in the previous section); otherwise FWCloud-UI will show us the following warning.

Routing Rule Error

When creating a new rule we need to select a routing table from the drop-down list and specify a FWCloud-UI object to restrict the traffic that will use the selected table to look up the proper route.

Routing Rule Form

The created rule will appear in the routing policy table.

Routing Rule

We can right-click on the number of the rules and select Compile selected rule, and FWCloud-UI will show us the rule or rules that will be installed.

Routing Rule Compilation

We need to have at least one object in the From field of the rules to act as the criterion for selecting traffic. If the rule has only one object in this field, then it cannot be removed. Valid objects for this field are networks, IP addresses, IP ranges, hosts, firewall marks, VPN connections and VPN prefixes.

Routing Rules

If the routing policy is created for a cluster of firewalls, there is also an extra field, Apply to, in the policy table. We can select which rules of the table will be installed on all nodes of the cluster, which is the default behaviour, or select which particular node they apply to.

Routing Rules in a cluster

We can create a full policy routing using the visual features that FWCloud-UI provides to us.

Routing Rules Options

Here is a video that shows the "Apply To" feature:

## Compiling and installing

We can compile individual routing rules or routes by selecting them, right-clicking, and choosing the option Compile selected route or Compile selected rule respectively. This will pop up an information window showing the code that will be used to apply the routes and rules in the firewall, but they do not take effect yet.

To install the policy routing and the routing tables we first need to compile and then install the firewall. This is done the same way we compiled and installed the security policy (review the Compile and Install sections of this guide). If the firewall has a routing policy or routing tables defined, they will be installed.

Routing Installation

Routing Installation Result