Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Routing Table Entries Overview


Typically, routers are attached to multiple networks and are responsible for directing traffic across these networks. Each router maintains a routing table, which is a list of known networks and directions on how to reach them. While processing an incoming packet on a security device, the router performs a routing table lookup to find the appropriate interface that leads to the destination address.

Each entry in a routing table—called a route entry or route—is identified by the destination network to which traffic can be forwarded. The destination network, in the form of an IP address and netmask, can be an IP network, subnetwork, supernet, or a host. Routing table entries can originate from the following sources:

  • Directly connected networks (the destination network is the IP address that you assign to an interface in Route mode)

  • Dynamic routing protocols, such as OSPF, BGP, or RIP

  • Routes that are imported from other routers or virtual routers

  • Statically configured routes

You can configure three types of static routes: destination-based, source-based, and source-interface-based routing. For each type of static route, you configure the following information:


Source-interface-based routing is supported in ScreenOS 5.1 and later.

  • The interface on the security device on which traffic for the destination network is forwarded.

  • The next-hop, which can be either another virtual router on the security device or a gateway IP address (usually a router address).

  • The protocol from which the route is derived.

  • Preference (ScreenOS 5.1 and later only)—Controls the route to use when multiple routes to the same destination network exist. The lower the preference value of a route, the more likely the route is to be selected as the active route. By default, the preference value is automatically determined by the protocol or the origin of the route. You can modify a preference value from 1 to 255 for each protocol or route origin on a per-virtual router basis.

  • Metric (ScreenOS 5.1 and later only)—Controls the route used when multiple routes for the same destination network with the same preference value exist. The metric value for connected routes is always 0. The default metric value for static routes is 1, but you can specify a different value from 1 to 255 when defining a static route.

  • Keep route active when interface is down (ScreenOS 5.1 and later only)—Select this option to ensure that the route remains active even when the interface link status is down or the interface IP address is removed. By default, this option is disabled for all route entries. To enable this option for a destination-based route entry, you must configure the next-hop as a gateway (not a virtual router).

  • The virtual system (vsys) to which this route belongs.


    In the routing table, you must configure a default route (network address for the security device. You should also configure a route from the device to the IP address of the Network and Security Manager Device Server.

  • Comment (ScreenOS 6.2 and later only)—Enables you to add a description to a static route that you configure. The description can be 1 to 32 characters in length. By specifying the description for a static route, you can identify the traffic that routes through the devices. It also allows you to search for a specific route in a route table when there are many static routes configured on the security device.

For instructions for configuring virtual router static route entries, see the Network and Security Manager Online Help.