Policy Based Forwarding allows you to override the routing table and is commonly used
to specify an alternate path for security or performance purposes.
Where Can I Use This?
Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are
using.
Policy Based Forwarding rules allow traffic to take an alternative path from the next
hop specified in the route table, and are typically used to specify an egress
interface for security or performance reasons.
Go to Manage > Configuration > NGFW and Prisma Access > Network Policies > Policy Based Forwarding.
Use a Policy Based Forwarding rule to direct traffic to a specific egress interface
and override the default path for the traffic. Before you create a Policy Based
Forwarding rule, make sure you understand that the set of IPv4 addresses is treated
as a subset of the set of IPv6 addresses.
Use the following sections to configure a policy based forwarding rule:
Source
Zones—Add source zones.
Interface—Add source interfaces.
Addresses—Add source addresses, address groups, or
regions and specify the settings.
Users—Add the users and user groups to whom the
policy applies.
Destination
Addresses—Add destination addresses, address groups, or
regions and specify the settings.
Application and Services
Application Entities—Select the applications you would
like to route through alternative paths.
A Policy Based Forwarding rule may be applied before the
firewall has enough information to determine the application.
Therefore, application-specific rules are not recommended for
use with Policy Based Forwarding. Whenever possible, use a
service object.
You cannot use custom applications, application filters, or
application groups in Policy Based Forwarding rules.
Service Entities—Select the services and service groups
you would like to route through alternative paths.
Forwarding
Action—You can set the Action to take when matching a
packet by choosing from:
Forward—Directs the packet to the specified
Egress Interface.
Discard—Drops the packet.
No PBF—Excludes packets that match the
criteria for source, destination, application, or
service defined in the rule. Matching packets use
the route table instead of PBF.
Egress Interface—Select the interface out of which traffic that
matches your Policy Based Forwarding rule is forwarded.
Next Hop
IP Address—Enter an IP address or select an
address object of type IP Netmask to which to forward
matching packets.
FQDN—Enter an FQDN (or select or create an address
object of type FQDN) to which to forward matching
packets.
None—No next hop means the destination IP address
of the packet is used as the next hop. Forwarding fails
if the destination IP address is not in the same subnet
as the egress interface.
Monitor—Enable monitoring to verify connectivity to a
target IP address or, if no target IP address is specified, to
the Next Hop IP address.
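The following is an added example, not Palo Alto Networks code and not the product's matching algorithm: a small Python model of how the Forwarding, Next Hop and Monitor settings above interact when a packet is evaluated against an ordered list of Policy Based Forwarding rules. It shows the three Actions (Forward, Discard, No PBF), the None next hop falling back to the packet's destination address and failing when that address is off the egress subnet, which address the monitor probes, and the "IPv4 is a subset of IPv6" matching caveat (rendered here, as a modelling assumption, by testing IPv4 addresses in their IPv4-mapped form against IPv6 prefixes). Rule names, zone names, interface names and addresses are constructed sample values.

```python
"""Toy model of Policy Based Forwarding (PBF) rule evaluation.

Constructed for illustration; not Palo Alto Networks code.  Rules are
evaluated top down, first match wins, and a match overrides the normal
route-table lookup for that packet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional


@dataclass
class Packet:
    src_zone: str
    src_ip: str
    dst_ip: str
    service: str  # constructed form "proto/port", e.g. "tcp/443"


@dataclass
class EgressInterface:
    name: str
    address: str  # interface address with prefix length, e.g. "203.0.113.2/30"


@dataclass
class PBFRule:
    name: str
    action: str  # "forward", "discard" or "no-pbf"
    src_zones: frozenset = frozenset({"any"})
    src_addresses: tuple = ("any",)  # CIDR strings, or "any"
    dst_addresses: tuple = ("any",)
    services: frozenset = frozenset({"any"})
    egress: Optional[EgressInterface] = None
    next_hop: Optional[str] = None  # explicit next-hop IP, or None (use destination IP)
    monitor_ip: Optional[str] = None  # explicit monitor target, if any


def addr_matches(ip: str, cidrs) -> bool:
    """True if `ip` falls inside any listed prefix.  An IPv4 address is also
    tested against IPv6 prefixes in IPv4-mapped form (::ffff:a.b.c.d); this is
    the modelling assumption used to render the documented rule that IPv4
    addresses are a subset of the IPv6 address space."""
    if "any" in cidrs:
        return True
    addr = ip_address(ip)
    for cidr in cidrs:
        net = ip_network(cidr, strict=False)
        if net.version == addr.version and addr in net:
            return True
        if net.version == 6 and addr.version == 4 and ip_address(f"::ffff:{ip}") in net:
            return True
    return False


def rule_matches(rule: PBFRule, pkt: Packet) -> bool:
    return (
        ("any" in rule.src_zones or pkt.src_zone in rule.src_zones)
        and addr_matches(pkt.src_ip, rule.src_addresses)
        and addr_matches(pkt.dst_ip, rule.dst_addresses)
        and ("any" in rule.services or pkt.service in rule.services)
    )


def evaluate(pkt: Packet, rules, route_table_next_hop: str):
    """Return (decision, next_hop, matched_rule_name).

    decision: "forward" (PBF sends the packet out rule.egress towards next_hop),
    "forward-failed" (None next hop but destination is off the egress subnet),
    "discard" (rule drops the packet), or "route-table" (no rule matched, or a
    No PBF rule excluded the packet so normal routing applies)."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "no-pbf":
            return ("route-table", route_table_next_hop, rule.name)
        if rule.action == "discard":
            return ("discard", None, rule.name)
        if rule.action != "forward" or rule.egress is None:
            raise ValueError(f"rule {rule.name}: a forward action needs an egress interface")
        if rule.next_hop is not None:
            return ("forward", rule.next_hop, rule.name)  # explicit next hop, assumed reachable
        # Next Hop = None: the destination IP itself is the next hop, which only
        # works when that destination is on the egress interface's own subnet.
        if ip_address(pkt.dst_ip) in ip_interface(rule.egress.address).network:
            return ("forward", pkt.dst_ip, rule.name)
        return ("forward-failed", None, rule.name)
    return ("route-table", route_table_next_hop, None)


def monitor_target(rule: PBFRule) -> Optional[str]:
    """Address the monitor probes: the configured target, else the next-hop IP."""
    return rule.monitor_ip or rule.next_hop


# Constructed sample configuration.
ISP2 = EgressInterface("ethernet1/3", "203.0.113.2/30")
DMZ = EgressInterface("ethernet1/4", "198.51.100.1/24")
RULES = [
    PBFRule("internal-no-pbf", "no-pbf", src_zones=frozenset({"trust"}), dst_addresses=("10.0.0.0/8",)),
    PBFRule("drop-telnet", "discard", services=frozenset({"tcp/23"})),
    # The /23 deliberately exceeds the interface's /24 so the failure case can be shown.
    PBFRule("dmz-direct", "forward", src_zones=frozenset({"trust"}),
            dst_addresses=("198.51.100.0/23",), egress=DMZ, next_hop=None),
    PBFRule("https-via-isp2", "forward", src_zones=frozenset({"trust"}), src_addresses=("10.1.0.0/16",),
            services=frozenset({"tcp/443"}), egress=ISP2, next_hop="203.0.113.1"),
]

if __name__ == "__main__":
    for pkt in (Packet("trust", "10.1.5.5", "93.184.216.34", "tcp/443"),
                Packet("trust", "10.1.5.5", "198.51.101.7", "tcp/22"),
                Packet("trust", "10.1.5.5", "10.1.9.9", "tcp/443")):
        print(pkt.dst_ip, pkt.service, "->", evaluate(pkt, RULES, "10.1.0.1"))
```

Running the module walks three constructed packets through the rule list; the second one matches dmz-direct but is reported as forward-failed because 198.51.101.7 is outside the 198.51.100.0/24 egress subnet, which is the situation the None next hop note above warns about.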