Normally, when traffic enters the firewall, the virtual router of the ingress interface performs a route lookup on the destination IP address, and that route determines the outgoing interface and the destination security zone. By creating a policy-based forwarding (PBF) rule, you can base the choice of outgoing interface on other information as well, including source zone, source address, source user, destination address, destination application, and destination service. Note that the application is not yet known when the first session to a given destination IP address and port is evaluated: that initial session will not match an application-specific rule and will be forwarded according to subsequent PBF rules (ones that do not specify an application) or the virtual router's forwarding table. Only subsequent sessions to that destination IP address and port for the same application will match an application-specific rule. Because the first session therefore bypasses the rule, application-specific PBF rules are not recommended where traffic must reliably be forwarded through PBF.
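The following is an added illustration, not PAN-OS code: a simplified model of a first-match PBF rulebase in which the application of a session is only available from what earlier sessions to the same destination IP and port have taught an App-ID cache. It shows why the first session falls through an application-specific rule while later ones match it. The rule names, interface names and the sample flow are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PbfRule:
    egress: str                         # egress interface (or forward-to-vsys target)
    source_zone: Optional[str] = None   # None = any
    dest_ip: Optional[str] = None
    dest_port: Optional[int] = None
    application: Optional[str] = None   # set only on application-specific rules

@dataclass
class Session:
    source_zone: str
    dest_ip: str
    dest_port: int
    application: str                    # what App-ID eventually identifies

@dataclass
class PbfEngine:
    rules: list
    # App-ID learned from earlier sessions, keyed by (destination IP, port)
    app_cache: dict = field(default_factory=dict)

    def forward(self, s: Session) -> str:
        # PBF is evaluated before App-ID has inspected this session, so the only
        # application information available is what the cache already holds.
        known_app = self.app_cache.get((s.dest_ip, s.dest_port))
        decision = "virtual-router"      # no PBF match: use the VR forwarding table
        for r in self.rules:             # first matching rule wins, top to bottom
            if (r.source_zone and r.source_zone != s.source_zone) or \
               (r.dest_ip and r.dest_ip != s.dest_ip) or \
               (r.dest_port and r.dest_port != s.dest_port):
                continue
            if r.application and r.application != known_app:
                continue                 # app rule cannot match an unidentified session
            decision = r.egress
            break
        self.app_cache[(s.dest_ip, s.dest_port)] = s.application
        return decision

def demo(with_fallback: bool) -> list:
    """Three SSL sessions to the same server; returns the egress chosen for each."""
    rules = [PbfRule("ethernet1/2", source_zone="trust", application="ssl")]
    if with_fallback:                    # a later rule with no application set
        rules.append(PbfRule("ethernet1/3", source_zone="trust"))
    engine = PbfEngine(rules)
    s = Session("trust", "203.0.113.10", 443, "ssl")   # constructed sample flow
    return [engine.forward(s) for _ in range(3)]
```

With the fallback rule the first session leaves via ethernet1/3 and the rest via ethernet1/2; without it the first session is routed by the virtual router instead.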
When necessary, PBF rules can be used to force traffic through an additional virtual system using the Forward-to-VSYS forwarding action. In this case, it is necessary to define an additional PBF rule that will forward the packet from the destination virtual system out through a particular egress interface on the firewall.