(19 September 2012)
Question
Given something like:
unset flow reverse-route clear-text
set interface "ethernet0/0" zone "Trust"
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 nat
set interface ethernet0/0 ip manageable
set interface ethernet0/3 zone untrust
set interface ethernet0/2 ip 10.0.0.1/24
set interface ethernet0/3 ip 10.0.1.1/24
set interface ethernet0/2 mip 10.0.0.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/3 mip 10.0.1.10 host 192.168.1.10 netmask 255.255.255.255 vr trust-vr
is there a difference between:
set route 0.0.0.0/0 gateway 10.0.0.254
set route 0.0.0.0/0 gateway 10.0.1.254
and:
set route 0.0.0.0/0 interface ethernet0/0 gateway 10.0.0.254
set route 0.0.0.0/0 interface ethernet0/1 gateway 10.0.1.254
...i.e. is there a point to including the "interface" specifier in the route command?
Answer
The routes without an interface are called gateway tracking routes. For these routes the firewall will do a recursive route lookup. Such routes take the best exit interface.
These gateway tracking routes are not synched in NSRP and you have to manually define them on both peers.
(Source: My question asked here)
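The recursive lookup the answer describes can be made concrete with a small route-table model. This is an added example, not ScreenOS code or anything from the original question or answer: it treats each interface IP in the question as a connected route (constructed here from the `set interface ... ip` lines), resolves a gateway-only route by looking its gateway up again until a connected or interface-bound route is reached, and uses a route pinned to an interface without any lookup. The loop rule (a route may not resolve through itself), the equal-cost handling (all best matches are returned rather than one "best exit interface"), and the unreachable gateway 172.16.0.1 are assumptions for the model, not documented ScreenOS behaviour.

```python
"""Toy model of static route resolution (added example, not ScreenOS code):
routes given only a gateway are resolved recursively to find an exit
interface; routes given an interface use it directly."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[IPv4] = None    # None: directly connected prefix
    interface: Optional[str] = None   # None: gateway-tracking route, exit interface unknown


def route(prefix: str, gateway: Optional[str] = None,
          interface: Optional[str] = None) -> Route:
    return Route(ipaddress.ip_network(prefix),
                 ipaddress.ip_address(gateway) if gateway else None, interface)


# Connected routes implied by the interface IPs in the question (constructed here).
CONNECTED = [
    route("192.168.1.0/24", interface="ethernet0/0"),
    route("10.0.0.0/24", interface="ethernet0/2"),
    route("10.0.1.0/24", interface="ethernet0/3"),
]


def longest_match(table: List[Route], dst: IPv4) -> List[Route]:
    """Every route sharing the longest prefix that covers dst (equal-cost routes all kept)."""
    hits = [r for r in table if dst in r.prefix]
    if not hits:
        return []
    best = max(r.prefix.prefixlen for r in hits)
    return [r for r in hits if r.prefix.prefixlen == best]


def resolve(table: List[Route], dst,
            _path: Tuple[Route, ...] = ()) -> List[Tuple[str, Optional[str]]]:
    """Return [(exit_interface, next_hop)] for dst.

    A route with an explicit interface is used as-is. A gateway-tracking route
    (gateway but no interface) is resolved by looking its gateway up again,
    i.e. the recursive lookup. Routes already on the resolution path are
    excluded so a default route cannot resolve through itself (assumed loop
    rule); a gateway that never reaches a connected or interface-bound route
    yields nothing, i.e. the route is unusable.
    """
    dst = dst if isinstance(dst, IPv4) else ipaddress.ip_address(dst)
    results: List[Tuple[str, Optional[str]]] = []
    for r in longest_match([t for t in table if t not in _path], dst):
        if r.interface is not None:
            results.append((r.interface, str(r.gateway) if r.gateway else None))
        elif r.gateway is not None:
            for iface, _ in resolve(table, r.gateway, _path + (r,)):
                results.append((iface, str(r.gateway)))
    return results


def question_table() -> List[Route]:
    """The two gateway-only default routes from the question."""
    return CONNECTED + [route("0.0.0.0/0", "10.0.0.254"),
                        route("0.0.0.0/0", "10.0.1.254")]


def bound_table() -> List[Route]:
    """A default route pinned to an interface: the gateway is not looked up,
    so the ethernet0/0 written in the question's second form is used verbatim
    even though 10.0.0.254 is not on that interface's subnet."""
    return CONNECTED + [route("0.0.0.0/0", "10.0.0.254", "ethernet0/0")]


def dangling_table() -> List[Route]:
    """A gateway-only default whose gateway (hypothetical 172.16.0.1) is covered
    by no route other than the default itself."""
    return CONNECTED + [route("0.0.0.0/0", "172.16.0.1")]


if __name__ == "__main__":
    for name, tbl in [("gateway-tracking", question_table()),
                      ("interface-bound", bound_table()),
                      ("dangling", dangling_table())]:
        print(f"{name:17} 8.8.8.8 -> {resolve(tbl, '8.8.8.8')}")
```

Running it shows the practical difference behind the answer: the gateway-only defaults resolve to ethernet0/2 and ethernet0/3 by following their gateways into the connected subnets, the interface-bound default goes out ethernet0/0 with no check that the gateway is reachable there, and the dangling default resolves to nothing at all.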