Policy Based Forwarding allows you to override the routing table and is commonly used
to specify an alternate path for security or performance purposes.
Where Can I Use This?
What Do I Need?
Prisma Access (Managed by Strata Cloud Manager)
Prisma Access
license
Policy Based Forwarding rules allow traffic to take an alternative path from the next
hop specified in the route table, and are typically used to specify an egress
interface for security or performance reasons.
Go to
Manage
Configuration
NGFW and Prisma Access
Network Policies
Policy Based Forwarding
.
Use a Policy Based Forwarding rule to direct traffic to a specific egress interface
and override the default path for the traffic. Before you create a Policy Based
Forwarding rule, make sure you understand that the set of IPv4 addresses is treated
as a subset of the set of IPv6 addresses.
Use the following sections to configure a policy based forwarding rule:
Source
Zones
—
Add
source zones.
Interface
—
Add
source interfaces.
Addresses
—
Add
source addresses, address groups, or
regions and specify the settings.
Users
—
Add
the users and user groups to whom the
policy applies.
Destination
Addresses
—
Add
source addresses, address groups, or
regions and specify the settings.
Application and Services
Application Entities
—Select the applications you would
like to route through alternative paths.
A Policy Based Forwarding rule may be applied before the
firewall has enough information to determine the application.
Therefore, application-specific rules are not recommended for
use with Policy Based Forwarding. Whenever possible, use a
service object.
You cannot use custom applications, application filters, or
application groups in Policy Based Forwarding rules.
Service Entities
—Select the services and service groups
you would like to route through alternative paths.
Forwarding
Action
—You can set the Action to take when matching a
packet by choosing from:
Forward
—Directs the packet to the specified
Egress Interface
.
Discard
—Drops the packet.
No PBF
—Excludes packets that match the
criteria for source, destination, application, or
service defined in the rule. Matching packets use
the route table instead of PBF.
Egress Interface
—Select the network information for where
you want to forward the traffic that matches your Policy Based
Forwarding rule.
Next Hop
IP Address
—Enter an IP address or select an
address object of type IP Netmask to which to forward
matching packets.
FQDN
—Enter an FQDN (or select or create an address
object of type FQDN) to which to forward matching
packets.
None
—No next hop mean the destination IP address
of the packet is used as the next hop. Forwarding fails
if the destination IP address is not in the same subnet
as the egress interface.
Monitor
—Enable monitoring to verify connectivity to a
target IP address or to the Next Hop IP address if no IP address
is specified.
