Configuring OSPF

Open Shortest Path First (OSPF) is a widely used dynamic routing protocol that ensures fast convergence and efficient routing within IP networks. Cisco Secure Firewall (formerly Firepower Threat Defense) supports OSPF configuration through its graphical interface, allowing users to assign router roles, customize advanced parameters, and define OSPF areas with ease.

 

Step 1: Enable the OSPF Process

  • Navigate to the Routing tab in the Device configuration under Device > Device Management > Device.
  • Select OSPF from the left-hand menu.

 

  • Check the box to enable Process 1.
  • Under OSPF Role, select the router’s function. The available roles are:
    • Internal Router – Default OSPF behavior within a single area.
    • ABR (Area Border Router) – Connects multiple OSPF areas.
    • ASBR (Autonomous System Boundary Router) – Redistributes routes from other routing domains.
    • ABR & ASBR – Performs both ABR and ASBR functions.

Note: Some configuration options are restricted based on the role selected.

 

 

Step 2: Configure Advanced OSPF Settings

Click Advanced to access additional OSPF settings:

 

  • Router ID – Manually specify a unique 32-bit identifier for the OSPF process.
  • LSA Options – Enable or disable compatibility with MOSPF or RFC 1583.
  • Adjacency Logging – Track adjacency changes and detailed events.
  • Administrative Distances – Customize route preference values:
    • Inter Area (default: 110)
    • Intra Area (default: 110)
    • External (default: 110)
  • LSA Group Pacing – Set the timer for LSA group pacing (default: 240 seconds).
  • Default Route Injection – Optionally enable “Default Information Originate” to advertise a default route. Additional fields such as metric, route map, and metric type become available upon selection.

 

 

Step 3: Define OSPF Areas

Click the Add button under the Area tab to define your OSPF areas:

 

  • OSPF Process – Typically “1” unless multiple processes are needed.
  • Area ID – Use “0” for the backbone area or any valid decimal/hex value for other areas.
  • Area Type – Choose between:
    • Normal
    • Stub
    • NSSA (Not-So-Stubby Area)
  • Available Networks – Select the interfaces or subnets to be included in the OSPF area.
  • Authentication – Optionally enable and configure MD5 or plaintext authentication.
  • Default Cost – Set the default cost for the area.

Once your area configuration is complete, click OK to save the settings.

 

 

Step 4: Configure OSPF Interface Parameters

Once your OSPF process and areas are defined, you can fine-tune interface-level behavior under the Interface tab.

Click Add to configure each interface participating in OSPF:

 

  • Interface – Select the Secure Firewall interface to include in OSPF.
  • Default Cost – Assign the OSPF cost (default is 10).
  • Priority – Determines OSPF DR/BDR election (higher value = higher priority).
  • Hello Interval – Time in seconds between Hello packets (default: 10).
  • Dead Interval – Time in seconds to declare a neighbor down (default: 40).
  • Retransmit Interval – Time between LSA retransmissions (default: 5).
  • Transmit Delay – Delay added to LSA transmission (default: 1).
  • Authentication – Enable authentication (MD5 or plaintext).
  • Enter/Confirm Password – Required if authentication is enabled.
  • Other options:
    • MTU Ignore – Ignore MTU mismatches.
    • Database Filter – Suppress LSA exchange.
    • Hello Multiplier – Adjust Hello frequency.
    • Point-to-Point – Designate point-to-point OSPF link.

These interface-specific parameters are critical for tuning neighbor relationships and ensuring stable OSPF adjacencies.

 

 

Step 5: Redistribute Routes into OSPF

Secure Firewall allows redistribution from other routing processes (e.g., BGP, RIP, connected routes) into OSPF.

Navigate to the Redistribution tab and click Add:

 

  • OSPF Process – Choose the OSPF process receiving redistributed routes.
  • Route Type – Select the source (e.g., Connected, Static, BGP).
  • Use Subnets – Include subnet routes in redistribution (typically checked).
  • Metric Value – Set a metric for redistributed routes.
  • Metric Type – Type 1 (includes internal cost) or Type 2 (external only).
  • Tag Value – Optional route tag for filtering or identification.
  • Route Map – Apply a policy control route map if needed.

Proper redistribution configuration prevents routing loops and allows policy-based control of external prefixes entering OSPF.

 

 

Step 6: Configure OSPF Virtual Links (Optional)

In certain OSPF designs, such as when an area is not directly connected to Area 0 (the backbone), you’ll need a Virtual Link to bridge that connectivity. Secure Firewall makes it easy to configure this using the GUI.

Accessing Virtual Link Configuration

  • Go to Routing > OSPF in the Secure Firewall interface.
  • Click on the Area tab.
  • Use the pencil icon next to the area you want to modify to open the Edit Area window.

 

  • Select the Virtual Link tab.

 

Adding a Virtual Link

Click Add to configure a new virtual link. You’ll need to provide:

 

  • Peer Router – The router ID of the ABR that connects to the backbone area (Area 0).
  • Hello Interval – Default is 10 seconds.
  • Transmit Delay – Typically set to 1 second.
  • Retransmit Interval – Default is 5 seconds.
  • Dead Interval – Default is 40 seconds.
  • Authentication – Optional, but recommended for security:
    • Choose MD5 for stronger protection.
    • Enter the MD5 ID and MD5 Key to secure the OSPF packets exchanged over the virtual link.

Once configured, click OK to apply the settings.

 

 

Step 7: Summarize Routes in OSPF

Route summarization helps reduce routing table size and limits LSA propagation, improving OSPF scalability.

To configure summarization on Secure Firewall:

  • Navigate to the Routing > OSPF section.
  • Click on the Area tab and use the pencil icon next to the area to open Edit Area.

 

  • Go to the Range tab.

 

  • Click Add and define the summary range as a subnet (e.g., 10.1.0.0/16).

 

  • Enable the Advertise checkbox to propagate this range to other areas.
    • If unchecked, the summarized route will be suppressed and not advertised out.

 

Click Save after selecting or creating the range.

 

 

Step 8: Block or Permit Routes Using Prefix Lists

Prefix lists provide granular control over which routes are allowed or denied between OSPF areas.

Create a Prefix List:

  • Go to Objects > Object Management > Prefix List > IPv4 Prefix List.

 

  • Click Add to create a new prefix list.

 

Example Entries:

  • Block Entry:
    • Action: Block
    • Sequence: 10
    • IP Address: 172.16.10.0
  • Permit All:
    • Action: Allow
    • Sequence: 20
    • IP Address: 0.0.0.0/0

 

  • Save your prefix list after adding all necessary entries.
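How the two example entries are evaluated, as an added sketch that is not part of the original guide or of Cisco's code. It assumes the standard Cisco prefix-list matching rules (first match in sequence order, exact prefix length unless a minimum/maximum prefix length, ge/le, is set, implicit deny at the end) and a /24 on the block entry, which the page does not state; the test routes are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                 # "allow" or "block", as in the Action field
    prefix: str                 # network/length the entry is anchored on
    ge: Optional[int] = None    # minimum prefix length (optional)
    le: Optional[int] = None    # maximum prefix length (optional)

    def matches(self, route):
        net = ipaddress.ip_network(self.prefix)
        # The route must fall inside the entry's network ...
        if not route.subnet_of(net):
            return False
        # ... and, with no ge/le, have exactly the entry's prefix length.
        if self.ge is None and self.le is None:
            return route.prefixlen == net.prefixlen
        low = self.ge if self.ge is not None else net.prefixlen
        high = self.le if self.le is not None else 32
        return low <= route.prefixlen <= high


def evaluate(entries, route):
    """Return (action, matching sequence); first match in sequence order wins."""
    candidate = ipaddress.ip_network(route)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(candidate):
            return entry.action, entry.seq
    return "block", None        # nothing matched: implicit deny


# The page's two entries. The /24 on sequence 10 is an assumption: the page
# gives only "172.16.10.0".
AS_ENTERED = [
    Entry(10, "block", "172.16.10.0/24"),
    Entry(20, "allow", "0.0.0.0/0"),
]

# Same intent with a maximum prefix length of 32 on both entries.
WITH_MAX_LENGTH = [
    Entry(10, "block", "172.16.10.0/24", le=32),
    Entry(20, "allow", "0.0.0.0/0", le=32),
]

# Constructed inter-area routes to test against both lists.
SAMPLE_ROUTES = ["172.16.10.0/24", "172.16.10.128/25", "10.1.0.0/16", "0.0.0.0/0"]


def compare(routes=SAMPLE_ROUTES):
    """Map each route to its verdict under both lists."""
    return {r: (evaluate(AS_ENTERED, r), evaluate(WITH_MAX_LENGTH, r)) for r in routes}


if __name__ == "__main__":
    for route, (strict, ranged) in compare().items():
        print(f"{route:18} as entered: {strict}   with le 32: {ranged}")
```

Under exact-length matching the 0.0.0.0/0 entry allows only the default route, so every other prefix falls through to the implicit deny; a maximum prefix length of 32 is what turns it into a true "permit all".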

 

 

Step 9: Apply Prefix List to Inter-Area Filtering

  • Go back to Routing > OSPF > InterArea tab.

 

  • Click Add and configure:

 

    • OSPF Process – e.g., 1
    • Area ID – the area to apply the filter to
    • Prefix List – select the one you just created
    • Traffic Direction – choose Inbound or Outbound

Click OK to apply the filter.

 

 

Step 10: Verify via CLI

For deeper inspection, use the Secure Firewall CLI:

  • show running-config router ospf

 

Displays the OSPF configuration including area filter list assignments.

  • show prefix-list detail name

Shows prefix list details including match statistics and hit count.

 

 

Step 11: Filtering Routes with ACLs in OSPF

Secure Firewall provides ACL-based filtering for OSPF routes, allowing you to control which routes are seen or advertised across areas. This can be applied in both inbound and outbound directions.

Create a Standard Access Control List

  • Navigate to Objects > Object Management > Standard Access Control Lists.
  • Click Add Standard Access List to create a new ACL.

 

  • Add rules in order:
    • Block unwanted subnets first (e.g., 10.1.1.0/24)
    • Allow any remaining traffic (e.g., any-ipv4)
  • Click Save when done.

 

Apply the ACL in OSPF Filter Rules

  • Go to Routing > OSPF > Filter Rule.

 

  • Click Add and configure:

 

    • OSPF Process – e.g., 1
    • Access List – select the ACL you created
    • Traffic Direction – In or Out
    • Interface – choose the interface where filtering applies

Click OK to apply.

 

To confirm via CLI:

  • show running-config router ospf
  • show route
  • show access-list name

These commands let you verify distribute-list usage, observe current routing entries, and see ACL match statistics.

 

 

Step 12: Configure OSPF Summary Addresses

If you’re summarizing a large group of networks outside the traditional Area Range feature, Secure Firewall also allows Summary Address configuration for Type 3 LSAs.

How to Configure:

  • Navigate to Routing > OSPF > Summary Address.

 

  • Click Add.

 

  • Choose:
    • OSPF Process
    • Summary Prefix from the available network objects
  • Check the box to Advertise routes that match the address/mask pair.

Click OK to finalize.

 

 

Step 13: OSPF Authentication – Area-Based or Interface-Based

Securing OSPF neighbor adjacencies is essential in environments where route integrity must be protected. Cisco Secure Firewall supports two methods of OSPF authentication:

1. Area-Based Authentication

You can enforce authentication across all interfaces within an OSPF area:

  • Navigate to the OSPF > Area tab.
  • Edit the desired area.

 

  • Enable authentication under the Authentication setting.
  • Choose between:
    • None (no authentication)
    • Plaintext Password
    • MD5 Authentication (recommended)

This approach simplifies management when all interfaces in an area share the same credentials.

 

2. Interface-Based Authentication

For granular control, configure OSPF authentication on individual interfaces:

  • Go to the Interface tab under OSPF.

 

  • Click Add to add an interface or edit an existing interface.

 

  • Set the Authentication type.
  • Enter the password or MD5 key values as needed.

 

This method is useful when only specific links need authentication or when varying credentials per interface are required.

Tip: Always prefer MD5 over plaintext authentication for stronger security.
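What the two authentication types put on the wire, as an added example (not code from Cisco or from this guide) that follows RFC 2328 Appendix D: plaintext carries the password in every OSPF header, while MD5 sends only a keyed digest and a sequence number. The router ID, password and key are constructed sample values; the Hello timers are the defaults listed in Step 4.

```python
import hashlib
import hmac
import ipaddress
import struct

AUTH_SIMPLE, AUTH_MD5 = 1, 2          # OSPFv2 AuType values (RFC 2328, Appendix D)
HDR_LEN, DIGEST_LEN = 24, 16


def _ip(addr):
    return ipaddress.IPv4Address(addr).packed


def _hello_body(hello=10, dead=40, priority=1):
    # Mask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR (no neighbors)
    return (_ip("255.255.255.0") + struct.pack("!HBBI", hello, 0x02, priority, dead)
            + _ip("0.0.0.0") * 2)


def _header(length, checksum, autype, auth8, router_id="192.0.2.1", area="0.0.0.0"):
    # Version 2, Type 1 (Hello), length, Router ID, Area ID, checksum, AuType, auth
    return (struct.pack("!BBH", 2, 1, length) + _ip(router_id) + _ip(area)
            + struct.pack("!HH", checksum, autype) + auth8)


def _inet_checksum(data):
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_plaintext_hello(password):
    """AuType 1: the password itself rides in the 8-byte Authentication field."""
    body = _hello_body()
    length = HDR_LEN + len(body)
    auth8 = password[:8].ljust(8, b"\0")
    # The checksum covers the packet but skips the Authentication field.
    csum = _inet_checksum(_header(length, 0, AUTH_SIMPLE, auth8)[:16] + body)
    return _header(length, csum, AUTH_SIMPLE, auth8) + body


def build_md5_hello(key, key_id, seq):
    """AuType 2: MD5 over packet + zero-padded key; only the digest is appended."""
    body = _hello_body()
    auth8 = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = _header(HDR_LEN + len(body), 0, AUTH_MD5, auth8) + body
    return packet + hashlib.md5(packet + key[:16].ljust(16, b"\0")).digest()


def verify_md5(packet, keys, last_seq=0):
    """Receiver-side check; returns (accepted, reason)."""
    if len(packet) < HDR_LEN + DIGEST_LEN:
        return False, "truncated"
    length, = struct.unpack("!H", packet[2:4])
    autype, = struct.unpack("!H", packet[14:16])
    _, key_id, auth_len, seq = struct.unpack("!HBBI", packet[16:24])
    if autype != AUTH_MD5 or auth_len != DIGEST_LEN:
        return False, "auth type mismatch"
    if len(packet) != length + DIGEST_LEN:
        return False, "bad length"
    if key_id not in keys:
        return False, "unknown key id"
    if seq < last_seq:                       # replay of an older packet
        return False, "stale sequence number"
    expected = hashlib.md5(packet[:length] + keys[key_id][:16].ljust(16, b"\0")).digest()
    if not hmac.compare_digest(expected, packet[length:]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-key"                  # sample value, not from the page
    good = build_md5_hello(key, key_id=1, seq=100)
    tampered = bytearray(good)
    tampered[31] = 255                        # Rtr Pri byte altered in transit
    print(verify_md5(good, {1: key}))
    print(verify_md5(bytes(tampered), {1: key}))
    print(verify_md5(good, {1: key}, last_seq=101))
    print(build_plaintext_hello(b"S3cret")[16:24])
```

MD5 authentication protects the origin and integrity of OSPF packets only; their contents stay readable on the link, and both neighbors must agree on the key ID as well as the key.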

 

Summary

Cisco Secure Firewall simplifies the process of deploying OSPF through its intuitive GUI. By clearly defining the router role, fine-tuning advanced parameters, and logically segmenting your network into OSPF areas, you ensure optimal path selection and robust routing performance. Configuring OSPF on Cisco Secure Firewall is a comprehensive process that can be fully managed through the GUI, from core process setup to advanced tuning and redistribution. With support for virtual links, multiple router roles, and rich interface-level options, Secure Firewall provides a flexible and robust platform for dynamic routing in enterprise networks.

Make sure to review your topology and route redistribution needs carefully, especially when configuring ABRs or ASBRs. Consistent OSPF design leads to faster convergence, better scalability, and improved fault tolerance.

With Cisco Secure Firewall, OSPF configuration is both visual and granular:

  • Enable the process and define router roles.
  • Adjust global parameters in the Advanced tab.
  • Define OSPF areas and assign networks.
  • Configure per-interface options, including timers and authentication.
  • Redistribute routes with control over metrics and filtering.
  • Set up virtual links where an area is not directly connected to the backbone.
  • Summarize routes with both Area Ranges and Summary Addresses.
  • Filter inter-area routes using prefix lists.
  • Apply ACL-based filtering per interface and direction.
  • Secure adjacencies with area-based or interface-based authentication.

This modular setup lets you build scalable, secure OSPF environments with precise control over how routes are learned and propagated across your network.

 

 

Configuring EIGRP

The Enhanced Interior Gateway Routing Protocol (EIGRP) is a classic IGP used widely in enterprise networks due to its speed, scalability, and flexibility. While traditionally associated with routers, EIGRP is also fully supported in Cisco Secure Firewall Threat Defense (FTD) from version 7.x onwards.

Now we will walk through configuring EIGRP in Secure Firewall 7.6 using the Firepower Management Center (FMC) GUI. We’ll cover everything from the basic routing process to advanced features like redistribution and authentication.

1. Enable and Configure the EIGRP Routing Process

To begin, you’ll need to enable EIGRP under your FMC device’s routing configuration.

Steps:

  • Log in to FMC.
  • Navigate to Devices > Device Management

 

  • Select your target firewall device.

 

  • Click the Routing tab and choose EIGRP on the left-hand pane.

 

  • Check the box next to Enable EIGRP

 

  • AS Number: Enter your EIGRP Autonomous System number (e.g., 300).

 

  • Add at least one network object to the Selected Networks/Hosts table.

 

  • Optionally, you can enable passive interfaces by checking the box for Passive Interface and moving interfaces to the Selected Interfaces column.

 

 

2. Define EIGRP Interfaces & Networks

  • Navigate to the Advanced tab of the EIGRP configuration

 

  • Router ID: Optional but recommended for stability (e.g., 1.1.1.1).
  • Optionally check the Log Neighbor Changes box for easier troubleshooting.
  • Click Save.

 

 

3. Configure Static EIGRP Neighbor Adjacency

Once configuration is pushed, you can verify EIGRP neighbor formation from the FMC GUI.

Steps:

  • Go to Devices > Device Management.
  • Click on the target firewall and go to Routing > EIGRP > Neighbors.
  • Click Add to add a neighbor

 

  • Add the Interface and Neighbor you would like to form a neighborship with. This will define the static neighbor.

 

  • Click Save 

 

 

4. EIGRP ↔ OSPF Route Redistribution

Many networks run hybrid routing domains. FMC allows GUI-based redistribution between EIGRP and OSPF.

Steps:

  • Go to Routing > EIGRP and then move to the Redistribution tab.
  • Click + Add:

 

    • From Protocol: Select OSPF
    • Choose the Process ID
    • Optionally add OSPF Redistribution type (Internal, External1, External2, Nssa-External1, and Nssa-External2)
    • You can optionally configure metrics such as Bandwidth, Delay Time, Reliability, Loading, and MTU 

 

  • To filter what to redistribute, configure a route map under Route Map:
    • Choose an existing route map from the drop-down or click on + to add a new route map.

 

      • Name the route map.
      • Add which routes to block and allow. You may filter based on security zones/interfaces, IPv4 access lists, IPv6 access lists, IPv4 prefix lists, IPv6 prefix lists, next hop, route source, AS Path (BGP), Community List (BGP), Policy List (BGP), tag values, metric route values, and route type.
      • Click Save to add the route map

 

    • Leave blank to redistribute all OSPF routes into EIGRP.
  • Click Save.

 

 

5. EIGRP ↔ BGP Route Redistribution

To integrate EIGRP with internet edge or MPLS routing, redistribute BGP into EIGRP and vice versa.

Steps:

  • Go to Routing > Redistribution, and click + Add.
  • Set:
    • From Protocol: BGP
    • Configure the optional metrics such as Bandwidth, Delay Time, Reliability, Loading, and MTU.
  • Under Route Map, define filters if needed (e.g., allow only default route).
  • Click Save.

Be careful to prevent routing loops. Use route-maps or distribute-lists as needed.

 

 

6. EIGRP Authentication (MD5)

Authentication prevents unauthorized devices from participating in your EIGRP domain. Secure Firewall supports MD5-based EIGRP authentication.

Steps:

  • Go to Routing > EIGRP, and navigate to the Interfaces tab.
  • Click Add to add an interface
  • Add the EIGRP interface from the Interface drop-down to choose which interface to enable EIGRP on.
  • You may optionally configure the Hello Interval, Hold Time, and Delay Time on the interface
    • By default, the Split Horizon box is checked.
  • Check the box for Enable MD5 Authentication and configure the following:
    • Key Type: The options will be None, Unencrypted, and Auth Key
    • Key ID: Numeric (e.g., 1)
    • Key String: Your shared password
  • Click OK to close the Add Interface dialog window.
  • Click Save.

Ensure all EIGRP peers have matching key IDs and passwords.

 

 

7. EIGRP Route Summarization

Note: Summarization is configured outbound on a specific interface. It only applies to routes originating from that interface.

Steps:

  • Go to Routing > EIGRP
  • Click the Summary Address tab, where you will configure the summary addresses for each interface on which EIGRP advertises routes.
  • Click + Add to add a summarization and configure the following:
    • Interface: Select the interface on which the summary will be sent.
    • Network: Enter the summarized prefix (e.g., 10.0.0.0/8).
    • Administrative Distance: Enter the administrative distance of the summary route. Valid ranges are from 1 to 255.
  • Click Save.

 

 

Troubleshooting Tips

  • Use Device CLI via FMC under Device > Threat Defense CLI
  • Choose the device you want to issue commands on from the Device dropdown and run the following commands:
    • show eigrp neighbors
    • show eigrp topology
    • show ip route eigrp
  • Validate routing tables and neighbor adjacency.
  • Use the Events tab for logs if routes aren’t appearing.

EIGRP configuration on Cisco Secure Firewall 7.6 is now fully supported via the GUI, allowing for flexible IGP deployment without diving into CLI. Whether you’re integrating with OSPF, BGP, or using EIGRP for east-west traffic in a DMZ or branch deployment, this streamlined GUI-based method makes EIGRP administration easier than ever.

Note: Always document your redistribution policies and authentication settings to prevent misconfigurations or security gaps.

 

 

Configuring RIP

Routing Information Protocol (RIP) is supported on Cisco Secure Firewall and can be easily configured through the device’s graphical interface. We will walk through enabling RIP, setting the version, advertising networks, and tuning additional options like passive interfaces and route redistribution.

Step 1: Enable RIP

  • Navigate to Device > Device Management and edit the device you want to configure routing on.
  • Navigate to the Routing tab and select RIP from the list of routing protocols on the left.

 

  • Begin by checking the box labeled Enable RIP.
  • You’ll be presented with several configuration options:
    • RIP Version: You can specify which RIP versions to send and receive. It’s recommended to use version 2, as version 1 is outdated and rarely used in modern networks.
    • Generate Default Route: Check this box if you want the Secure Firewall to advertise a default route (0.0.0.0/0) to its RIP neighbors.
    • Enable Auto Summary: This option allows RIP to summarize routes to their classful boundaries. Disable it if you’re working in a discontiguous network environment.

 

 

Step 2: Advertise Networks

  • Under the Networks tab, you can define which IP networks to advertise via RIP.
  • Simply select networks from the Available Network list (e.g., 10.0.0.0/8, 192.168.0.0/16, etc.) and add them to the Selected Network box. These will be the networks that RIP advertises to peers.

 

 

Step 3: Configure Passive Interfaces

In some cases, you may not want RIP updates to be sent out certain interfaces—for example, interfaces connected to end-user devices or untrusted networks.

  • Navigate to the Passive Interface tab.
    • You can designate interfaces (e.g., diagnostic) as passive. RIP will not send updates out of these interfaces, although it can still receive them.
    • Move the interfaces you wish to configure as passive interfaces to the Selected Interfaces table.

 

 

Step 4: Redistribute Other Routes

  • The Redistribution tab allows you to redistribute routes from other routing protocols (like OSPF or BGP) into RIP.
  • While the tab initially displays “No records to display,” you can click Add to configure:

 

    • Protocol: Protocol to redistribute from (e.g., OSPF, BGP)
    • Process ID, AS Number (if applicable)
    • Match conditions
    • Metric to assign to redistributed routes
    • Optional Route Map for more granular control
  • This is essential when RIP needs visibility into routes learned via other protocols on the Secure Firewall.

 

RIP configuration on Cisco Secure Firewall is straightforward, but flexible enough to meet common deployment needs. By carefully selecting RIP versions, advertising the right networks, and configuring redistribution and passive interfaces, you can ensure clean and effective route propagation in your network.

 

 

Configuring Static Routes

Static routes are essential when you need to explicitly define a path for traffic to reach a specific network. On Cisco Secure Firewall, you can add both IPv4 and IPv6 static routes using the GUI in a straightforward way.

Step 1: Navigate to the Static Route Configuration Page

  • Navigate to Device > Device Management and edit the device you want to configure the static route on.
  • Go to the Routing tab.
  • In the left-hand navigation pane, click on Static Route.

 

 

Step 2: Add a Static Route

  • Then, click Add Route to begin configuring a new static route.

 

  • Configure the following for the static route:
    • Type: Choose either IPv4 or IPv6 based on your route type.
    • Interface: Select the outgoing interface that will be used to reach the destination network.
    • Available Network: Pick one or more destination networks from the predefined object list and click Add to move them to the Selected Network pane.
    • Gateway: Enter the next-hop IP address that should be used for routing packets to the destination network.
    • Metric: Define a metric between 1–254 to influence route preference (lower values are preferred). The default value is 1.
    • Tunneled (Optional): Optionally check this if the route should be tunneled for VPN traffic. This setting applies only to default routes.
    • Route Tracking (Optional): This is for IP SLA Tracking which we will configure later in this post.

 

Considerations:

  • Make sure your gateway IP is reachable through the selected interface.
  • Use route tracking for failover scenarios to dynamically remove unreachable static routes.
  • Keep your metrics consistent if you’re balancing static routes with dynamic protocols like OSPF or BGP.
  • By carefully defining static routes in Cisco Secure Firewall, you can ensure reliable and deterministic path selection for your traffic, especially in environments where dynamic routing isn’t ideal.

 

 

Configuring IPv6 Routing

IPv6 adoption continues to rise, and configuring your Cisco Secure Firewall to support IPv6 routing protocols is an essential part of modern enterprise deployments. Whether you’re using static routing, BGP, EIGRP, or OSPFv3, Secure Firewall offers robust tools via its management interface to integrate IPv6 seamlessly into your network.

Static IPv6 Routing

To configure static IPv6 routes on Secure Firewall:

  • Navigate to Devices > Device Management and select the device you would like to configure
  • Go to Routing > Static Route.
  • Click Add Route.

 

  • In the Add Static Route Configuration window:
    • Choose the IPv6 radio button at the top.
    • Select the Interface for the route.
    • Choose the destination network from the Available Network list or create a new object.
    • Specify the IPv6 Gateway and Metric.
    • Optionally check the box for Tunneled if the route is for VPN traffic
  • Click OK to apply.

This interface mirrors IPv4 static route configuration, ensuring consistency in management while supporting dual-stack environments.

 

 

Configuring BGP for IPv6

To enable Border Gateway Protocol (BGP) for IPv6:

  • Go to Devices > Device Management and edit the device you want to configure
  • Navigate to the Routing tab and choose General Settings > BGP.
  • Check the box to Enable BGP and configure the AS number.

 

  • Navigate to BGP > IPv6 on the left-hand pane.
  • Check the Enable IPv6 checkbox.

 

  • Configure neighbors with their IPv6 addresses under the Neighbor tab just as we did in the IPv4 configuration for BGP.
  • Define aggregate addresses and advertise networks under the Add Aggregate Address and Networks tabs as we did in the IPv4 configuration for BGP.
  • Optionally, configure route redistribution and injection policies under the Redistribution and Route Injection tabs.

Secure Firewall allows you to manage both IPv4 and IPv6 BGP instances under a unified dashboard, simplifying hybrid routing designs.

 

 

Configuring OSPFv3 (OSPF for IPv6)

To configure OSPF for IPv6 (OSPFv3):

  • Navigate to Devices > Device Management and edit the device that you would like to configure for OSPFv3.
  • Navigate to the Routing tab and select OSPFv3 from the left-hand pane.
  • Check the Enable Process 1 box to enable the OSPFv3 process.

 

  • Under the Process section, enable and assign roles to OSPFv3 processes.

 

  • Define Areas, associate interfaces, and configure:
    • Redistribution policies under the Redistribution tab
    • Route summarization under the Summary Prefix tab
    • Route Cost and Virtual Links under the Interface tab

Secure Firewall’s OSPFv3 interface provides granular control over IPv6 route propagation and domain segmentation.

Cisco Secure Firewall provides full support for IPv6 static routing, BGP, EIGRP, and OSPFv3 through its device management interface. With intuitive navigation and protocol-specific tuning, administrators can seamlessly integrate IPv6 into their existing routing infrastructure.

Whether you’re transitioning to a dual-stack model or fully embracing IPv6, Secure Firewall equips you with the tools needed for secure and scalable network operations.

 

 

Configuring IP SLA for Route Failover

In environments where multiple static routes are configured, it’s crucial to provide failover capabilities to maintain network uptime. Cisco Secure Firewall allows this via IP SLA tracking – enabling dynamic route removal when an endpoint becomes unreachable. This guide walks through configuring SLA Monitors and applying them to static routes for route tracking.

Step 1: Navigate to the SLA Monitor Configuration

To begin setting up IP SLA monitoring:

  • Go to Objects > Object Management > SLA Monitor
  • Click Add SLA Monitor in the top-right corner.

 

This opens a new configuration window for creating the SLA monitoring object.

 

 

Step 2: Configure the SLA Monitor Object

In the New SLA Monitor Object window, fill in the required fields:

  • Name – A unique name for the SLA Monitor object
  • Description – (Optional) Notes for identification
  • Frequency – How often the system should ping the monitored IP address (in seconds)
  • SLA Monitor ID – A unique identifier for this SLA monitor
  • Threshold – Ping response threshold in milliseconds
  • Timeout – The maximum allowable ping time (in milliseconds). This should be less than the frequency interval to ensure a response is evaluated before the next ping is sent.
  • Data Size – Leave this at default unless you have specific requirements
  • Number of Packets – Number of pings to send per check
  • Monitor Address – The IP address to monitor for availability
  • Zones/Interfaces – Select the zones or interfaces this SLA will monitor from

Once complete, click Save.

 

 

Step 3: Apply SLA Monitor to a Static Route

After configuring the SLA Monitor, integrate it into a static route:

  • Navigate to Devices > Device Management and edit the link you would like to use.
  • Navigate to the Routing tab and select Static Route from the left-hand pane.
  • Edit an existing static route or create a new one.
  • In the Edit Static Route Configuration window:
    • Choose the appropriate Interface
    • Select the Network(s) to route
    • Enter the Gateway IP
    • Set the Metric value
    • Under Route Tracking, select the SLA Monitor you created earlier
  • Click OK to save the route configuration.

 

If the SLA Monitor detects that the target IP is unreachable, the associated static route will be automatically removed, enabling failover to a backup route.

 

 

Step 4: Verifying SLA Monitor Status via CLI

To confirm the SLA monitor is functioning correctly, log into the CLI and run:

show sla monitor operational-state

This command displays the current operational status of each SLA monitor configured on the device.

IP SLA monitoring is a lightweight and effective way to enable route failover on Cisco Secure Firewall. By tracking reachability to a remote IP address and removing routes dynamically when a failure is detected, your network can maintain uptime and route resilience with minimal overhead.