some concerns with MFE default route definitions


Please let me hear your experiences about this matter: in Cisco ASA you can have, for example, two default routes to the Internet using two ISPs' links with different "distance", and when the primary route becomes unavailable the secondary takes over. The current ASA configuration has a NAT definition with a public IP address belonging to the secondary link that is exclusively used for a web service; today everything works fine, and incoming requests and replies from the web server go over the secondary link. Now I need to replicate that configuration in the MFE, so I defined the NAT in the same way as the ASA's configuration, and when I tried to add an additional default route in the MFE in the form "destination mask" the system rejected it with an error message. I read about the failover route in the Static Routing definitions, but my concern is whether the MFE firewall will consider the failover link as available even when the primary route is still "alive".

Do you have any experience like this?

Thanks very much in advance for your opinions and suggestions.
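For readers unfamiliar with the ASA side of the question, here is an added example (not configuration from the original post) of the setup the post describes: two default routes with different administrative distances, the primary one tracked by an SLA probe so the backup only takes effect when the probe fails, and a static NAT that exposes an internal web server on a public address of the secondary link. Interface names (outside, backup, inside), the RFC 5737 documentation addresses and the internal host 10.0.0.10 are all assumptions chosen for the illustration.

```cisco
! --- primary ISP: default route with distance 1, conditioned on track 1 ---
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! --- secondary ISP: floating default route, only installed when the primary is withdrawn ---
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- ICMP probe of the primary ISP gateway; track 1 goes down when it stops answering ---
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability

! --- web server published on a public address that belongs to the secondary link ---
object network WEB-SERVER
 host 10.0.0.10
 nat (inside,backup) static 198.51.100.10

! --- allow the service inbound on the secondary interface only ---
access-list BACKUP-IN extended permit tcp any object WEB-SERVER eq 443
access-group BACKUP-IN in interface backup
```

Two points worth checking when reproducing this on another firewall: first, when track 1 recovers the tracked route is reinstalled and the floating route is withdrawn again, so the ASA fails back on its own; second, replies to a connection that arrived on the backup interface leave through backup because the ASA takes the egress interface from the connection entry rather than from the routing table, which is why the web service works here without any policy-based routing. Whether the MFE behaves the same way for its failover route is exactly the open question in this thread, so verify both behaviours (automatic fail-back and return path for inbound connections) on a test link before cutting over.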


2 Replies

Re: some concerns with MFE default route definitions

JR -

What you are describing sounds to me to be very much like policy-based or protocol-based routing (depending on your familiarity with the term), where routes are created based either on source criteria or protocol criteria. This would allow you to route traffic for your web server, or maybe all of your SMTP mail traffic, via a secondary WAN/Internet connection instead of the default gateway.

This is something where the MFE product is sadly lacking. You can only create static routes based on destination network criteria. This works if all of your SMTP traffic is, for example, sent via an external smart host. You can create a static route for that smart host and set the gateway to point to your secondary internet router. But, for static routing, that's about it.

MFE's implementation of a secondary default gateway is for basic link failover. The secondary default gateway only comes into the equation if the probe tests for the primary link show it to be down. Even then, as far as I am aware, it doesn't automatically fail back when the primary link becomes available again - you must instigate a manual failover event (presumably by disconnecting the second WAN router) for traffic to be sent back out via the primary default gateway.


Re: some concerns with MFE default route definitions

Hi Phil, thanks for your reply!

I'm aware of policy-based routing, well known as PBR in Cisco's world. At first, when the customer told me how that web service works, I thought the same as you: it is PBR! There is no way to surpass the default route with anything other than PBR, but surprisingly there is no PBR configured in the ASA firewall. Nevertheless, your reply about how to deal with MFE and how to route particular traffic gave me an idea and I'll try it ASAP.

When I have news I promise to post it here.


