Skip to main content



Cisco Defense Orchestrator

Static Routes

A static route is a route from one network to another network that you define and enter manually into the routing table. You might want to use static routes in the following cases:

  • Your network is small and stable and you can easily manage manually adding and changing routes between devices.
  • Your networks use an unsupported router discovery protocol.
  • You do not want the traffic or CPU overhead associated with routing protocols.
  • In some cases, a default route is not enough. The default gateway might not be able to reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is outside, then the default route cannot direct traffic to any inside networks that are not directly connected to the FTD device.
  • You are using a feature that does not support dynamic routing protocols.


  • CDO does not currently support the management, monitoring, or use of Virtual Tunnel Interface (VTI) tunnels on ASA or FTD devices. Devices with configured VTI tunnels can be onboarded to CDO but it ignores the VTI interfaces. If a security zone or static route references a VTI, CDO reads the security zone and static route without the VTI reference. CDO support for VTI tunnels is coming soon.
  • FTD running on software version 7.0 or later allows configuring Equal-Cost Multi-Path (ECMP) traffic zones. When the FTD is onboarded to CDO, it can read but cannot modify the ECMP configuration available in the global VRF routes because it does not allow a route to the same destination network with an identical metric value. You can create and modify ECMP traffic zones through FDM and then read it into CDO. For more information on ECMP, see the "Equal-Cost Multi-Path (ECMP) Routing" section in the "Routing Basics and Static Routes" chapter of Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 7.0 or later.
Related Topics
  • Was this article helpful?