I figured if we had this issue maybe others have a similar need and would find this helpful.
This configuration can be used in any case where you would like all traffic routed to the UTM except traffic destined to 1 IP address. In our case that 1 IP is our VoIP server. There is a bandwidth advantage, as traffic routed in this way only uses bandwidth at the remote RED location and the 1 IP destination; no bandwidth is being utilized at the UTM site that hosts the RED. Also, the latency is lower for the same reason: traffic is sent straight to the destination, with no round trip to the UTM site hosting the RED.
To set this up, change the Operation Mode to Standard/Split. Then you create a network group that contains definitions for all networks that do not contain your destination IP.
For example, assume your destination IP is 4.4.196.89; you would need the following definitions:
128.0.0.0/1
65.0.0.0/2
33.0.0.0/3
17.0.0.0/4
9.0.0.0/5
5.0.0.0/6
1.0.0.0/7
3.0.0.0/8
4.128.0.0/9
4.65.0.0/10
4.33.0.0/11
4.17.0.0/12
4.9.0.0/13
4.5.0.0/14
4.1.0.0/15
4.3.0.0/16
4.4.0.0/17
4.4.128.0/18
4.4.224.0/19
4.4.208.0/20
4.4.200.0/21
4.4.192.0/22
4.4.198.0/23
4.4.197.0/24
4.4.196.128/25
4.4.196.0/26
4.4.196.96/27
4.4.196.64/28
4.4.196.80/29
4.4.196.92/30
4.4.196.90/31
4.4.196.88/32
You are basically defining half of all remaining undefined IPs with each rule until there is only one left. Technically you could do this for more than one IP; you just need more rules. I feel there should be a simpler way to accomplish this, but so far I haven't seen a way. It's been working well so far for us. We made this change when UTM9 was released, so a little over a month with no issues so far. This config is currently deployed on 40 REDs. VoIP is working flawlessly and all other traffic gets sent to the Firewall.
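As an added example (not part of the original post and not Sophos code), this Python sketch generates the network list for any excluded IPv4 address with the standard `ipaddress` module, then checks a list of definitions for the two failure modes that matter here: a definition that still contains the excluded address, and addresses left outside the group that would bypass the UTM. The function names are hypothetical, and masking off host bits in an entry is an assumption about how a definition is interpreted.

```python
import ipaddress


def split_tunnel_networks(excluded_ip):
    """Networks covering all of IPv4 except excluded_ip, largest block first."""
    everything = ipaddress.ip_network("0.0.0.0/0")
    hole = ipaddress.ip_network(f"{excluded_ip}/32")
    # address_exclude() halves the remaining space at each prefix length,
    # yielding one sibling network per bit of the address (32 in total).
    return sorted(everything.address_exclude(hole), key=lambda n: n.prefixlen)


def check_definitions(definitions, excluded_ip):
    """Validate a generated or hand-typed list of network definitions."""
    target = ipaddress.ip_address(excluded_ip)
    # Assumption: an entry with host bits set is read as its enclosing network.
    nets = [ipaddress.ip_network(str(d), strict=False) for d in definitions]
    # Any definition containing the target would send it through the tunnel.
    leaks = [str(n) for n in nets if target in n]
    # Collapse overlaps before counting so no address is counted twice.
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    if leaks:
        covered -= 1  # do not count the excluded address itself
    # Addresses other than the target that are in no definition at all.
    return {"contains_excluded": leaks,
            "uncovered_addresses": 2**32 - 1 - covered}


if __name__ == "__main__":
    ip = "4.4.196.89"  # example destination used in the post
    nets = split_tunnel_networks(ip)
    for n in nets:
        print(n)
    print(check_definitions(nets, ip))
```

A clean list reports an empty `contains_excluded` and `uncovered_addresses` of 0; anything else means either the excluded address is still being tunnelled or some traffic is skipping the UTM.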