Destination-Based Routes Overview
When a security device contains multiple virtual routers (VRs), the device does not automatically forward traffic between zones that reside in different VRs, even if the Security Policy permits that traffic. To enable traffic to pass from one virtual router to another, configure a static route in one virtual router that names another VR as the next hop for the route. This route can even be the default route for the virtual router. For example, you can configure a default route for the trust-vr with the untrust-vr as the next hop. If the destination of an outbound packet does not match any other entry in the trust-vr routing table, the packet is handed to the untrust-vr, and the lookup continues in that VR's routing table. The route only makes forwarding possible; the Security Policy still determines whether the traffic is permitted.
To create a static route for a network destination, you must enter the IP address and netmask for the destination network, and then select either virtual router or gateway as the next hop:
If the next hop is a virtual router, you must also select the VR that is to be the next hop for the route.
If the next hop is a gateway, you must also enter the interface through which the next hop router is accessed, the IP address of the next hop router, and the metric and tag for the route.
For devices running ScreenOS 5.2, you can also configure gateway tracking to manage the route. When enabled, gateway tracking deactivates the route when its gateway becomes unreachable and reactivates the route when the gateway becomes reachable again. Gateway tracking is supported only for destination-based route table entries. For devices running ScreenOS 6.3, destination-based routes also support IPv6 destinations.
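The following is an added illustrative model, not ScreenOS or NSM code, of how the route entries described above behave: each virtual router holds its own table, the longest matching prefix wins, a route whose next hop is another VR hands the packet to that VR's table, a gateway route terminates the lookup, and a tracked route is skipped while its gateway is unreachable. The topology (trust-vr with a LAN route and a default route to untrust-vr, untrust-vr with a tracked default gateway), the interface names and the addresses are constructed assumptions.

```python
"""Model of destination-based routing across virtual routers (illustration only)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Union


@dataclass
class Route:
    dest: Union[str, IPv4Network]
    next_vr: Optional[str] = None          # next hop is another virtual router
    interface: Optional[str] = None        # gateway route: egress interface
    gateway: Optional[Union[str, IPv4Address]] = None
    metric: int = 1
    tag: int = 0
    tracked: bool = False                  # gateway tracking enabled for this entry
    active: bool = True                    # cleared by tracking while the gateway is down

    def __post_init__(self) -> None:
        self.dest = ip_network(self.dest)
        if self.gateway is not None:
            self.gateway = ip_address(self.gateway)
        # exactly one kind of next hop: a VR or a gateway reached via an interface
        if (self.next_vr is None) == (self.gateway is None):
            raise ValueError("route needs exactly one of next_vr or gateway")
        if self.gateway is not None and self.interface is None:
            raise ValueError("gateway route needs an egress interface")


@dataclass
class VirtualRouter:
    name: str
    routes: List[Route] = field(default_factory=list)

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def best_match(self, dst: IPv4Address) -> Optional[Route]:
        """Longest prefix wins; lowest metric breaks ties; inactive routes are ignored."""
        candidates = [r for r in self.routes if r.active and dst in r.dest]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.dest.prefixlen, -r.metric))


class Device:
    def __init__(self) -> None:
        self.vrs: Dict[str, VirtualRouter] = {}

    def vr(self, name: str) -> VirtualRouter:
        return self.vrs.setdefault(name, VirtualRouter(name))

    def lookup(self, start_vr: str, dst: str) -> Optional[dict]:
        """Resolve dst starting in start_vr, following VR next hops until a gateway route."""
        addr = ip_address(dst)
        path: List[str] = []
        vr_name = start_vr
        while vr_name not in path:          # revisiting a VR means the VRs point at each other
            path.append(vr_name)
            route = self.vr(vr_name).best_match(addr)
            if route is None:
                return None                 # no usable route in this VR: packet is dropped
            if route.next_vr is not None:
                vr_name = route.next_vr     # hand the packet to the next VR's table
                continue
            return {"vr_path": path, "interface": route.interface,
                    "gateway": str(route.gateway), "matched": str(route.dest)}
        return None                         # inter-VR routing loop: drop

    def gateway_state(self, vr_name: str, gateway: str, reachable: bool) -> None:
        """Gateway tracking: deactivate tracked routes via a dead gateway, reactivate on recovery."""
        for r in self.vr(vr_name).routes:
            if r.tracked and r.gateway == ip_address(gateway):
                r.active = reachable


def build_example() -> Device:
    """Constructed sample topology (assumption, not taken from the page)."""
    dev = Device()
    trust = dev.vr("trust-vr")
    trust.add(Route("10.1.0.0/16", interface="ethernet0/1", gateway="10.1.0.1", metric=1, tag=10))
    trust.add(Route("0.0.0.0/0", next_vr="untrust-vr"))           # default route to another VR
    untrust = dev.vr("untrust-vr")
    untrust.add(Route("0.0.0.0/0", interface="ethernet0/3", gateway="203.0.113.1", tracked=True))
    return dev


if __name__ == "__main__":
    dev = build_example()
    print(dev.lookup("trust-vr", "10.1.5.5"))        # resolved inside trust-vr
    print(dev.lookup("trust-vr", "198.51.100.7"))    # handed to untrust-vr, then its default
    dev.gateway_state("untrust-vr", "203.0.113.1", reachable=False)
    print(dev.lookup("trust-vr", "198.51.100.7"))    # None while the tracked gateway is down
```

Note that a packet with no match in the trust-vr and no default route is dropped rather than tried in other VRs, and that two VRs whose default routes point at each other never resolve; the model drops such packets instead of looping.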
For instructions for configuring virtual router destination-based route entries, see the Network and Security Manager Online Help.
For security devices running ScreenOS 5.3, you can also configure source-based and source-interface-based routes whose next hop is a virtual router within the same security device.