This chapter provides an overview of the following topics:
Routed Mode Essentials: This section describes the characteristics of a firewall in routed mode.
Best Practices for Routed Mode Configuration: This section discusses some of the best practices that you should consider before you place your threat defense into routed firewall mode.
Fulfilling Prerequisites: In this section, you learn the commands to enable routed firewall mode on a threat defense.
Configuration of the Routed Interface: This section demonstrates the steps to configure routed interfaces with static and dynamic IP addresses.
Validation of Interface Configuration: The last section of this chapter provides useful tips to verify the status of routed interfaces and view the connection events.
The objectives of this chapter are to learn about the following:
- Deployment of Secure Firewall in routed firewall mode
- Verification of threat defense configurations in routed mode
You can deploy a Secure Firewall threat defense as a default gateway for your network so that the end users can use the threat defense to communicate with a different subnet or to connect to the Internet. You can also deploy a threat defense transparently so that it stays invisible to your network hosts. In short, you can deploy a threat defense in two ways: routed mode and transparent mode. This chapter describes the processes to deploy a threat defense in routed mode. Chapter 5, “Firewall Deployment in Transparent Mode,” discusses the transparent mode.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz enables you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 4-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”
Table 4-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section
Routed Mode Essentials
Best Practices for Routed Mode Configuration
Configuration of the Routed Interface
Validation of Interface Configuration
1. Which of the following statements is true?
a. Threat defense in transparent mode cannot be configured by a management center.
b. You can change the firewall deployment mode by using the management center.
c. You cannot change the firewall mode until you unregister the threat defense from the management center.
d. When you change the firewall mode, the threat defense saves the running configurations.
2. Which of the following statements is false?
a. When configured in Layer 3 mode, each data interface on a threat defense is required to be on a different network.
b. Backing up a security policy configuration on a threat defense is not necessary because the security policies are defined and stored on the management center.
c. Changing the firewall mode does not affect the existing configurations on a threat defense.
d. None of these answers are correct.
3. Which of the following commands is used to configure a threat defense from transparent mode to routed mode?
a. configure firewall routed
b. configure interface routed
c. configure transparent disable
4. Which of the following statements is false for IP address configuration?
a. A threat defense data interface must be configured with a static IP address.
b. A threat defense can function as a DHCP client as well as a DHCP server.
c. When you create an address pool for the DHCP server, it must be within the same subnet as the connected interface.
d. None of these answers are correct.
5. Which of the following commands is used to debug and analyze ping requests?
a. debug ip icmp
b. debug icmp trace
c. debug icmp reply
6. Which of the following commands can be run to determine any interface-related issues?
a. show interface ip brief
b. show interface interface_ID
c. show running-config interface
d. All of these answers are correct.