Create a Policy-Based Forwarding Rule

Use a PBF rule to direct traffic to a specific egress interface on the firewall, and override the default path for the traffic.
  1. Create a PBF rule.
    When creating a PBF rule you must specify a name for the rule, a source zone or interface, and an egress interface. All other components are either optional or have a default value.
    You can specify the source and destination addresses using an IP address, an address object, or an FQDN. For the next hop, however, you must specify an IP address.
    1. Select Policies > Policy Based Forwarding and click Add.
    2. Give the rule a descriptive name in the General tab.
    3. In the Source tab, select the following:
      1. Select the Type (Zone or Interface) to which the forwarding policy will be applied, and the relevant zone or interface. If you want to enforce symmetric return, you must select a source interface.
        PBF is only supported on Layer 3 interfaces; loopback interfaces do not support PBF.
      2. (Optional) Specify the Source Address to which PBF will apply, for example a specific IP address or subnet from which you want to forward traffic to the interface or zone specified in this rule.
        Use the Negate option to exclude one or more source IP addresses from the PBF rule. For example, if your PBF rule directs all traffic from the specified zone to the internet, Negate allows you to exclude internal IP addresses from the PBF rule. (You can also use Negate to exclude the destination IP addresses you specify in substep 1.d.)
        The evaluation order is top down. A packet is matched against the first rule that meets the defined criteria; after a match is triggered, the subsequent rules are not evaluated.
      3. (Optional) Add and select the Source User or groups of users to whom the policy applies.
    4. In the Destination/Application/Service tab, select the following:
      1. Destination Address. By default the rule applies to Any IP address. Use the Negate option to exclude one or more destination IP addresses from the PBF rule.
      2. Select the Application(s) or Service(s) that you want to control using PBF.
        Application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application. For more details, see Service Versus Applications in PBF.
  2. Specify how to forward traffic that matches the rule.
    If you are configuring PBF in a multi-VSYS environment, you must create separate PBF rules for each virtual system (and create the appropriate Security policy rules to enable the traffic).
    1. In the Forwarding tab, select the following:
      1. Set the Action. The options are as follows:
        • Forward—Directs the packet to a specific Egress Interface. Enter the Next Hop IP address for the packet (you cannot use a domain name for the next hop).
        • Forward To VSYS—(On a firewall enabled for multiple virtual systems) Select the virtual system to which to forward the packet.
        • Discard—Drop the packet.
        • No PBF—Exclude the packets that match the source/destination/application/service criteria defined in the rule. Matching packets use the route table instead of PBF, so the firewall keeps the matched traffic off the redirected port.
        To trigger the specified action at a daily, weekly, or non-recurring frequency, create and attach a Schedule.
        (Optional) Enable monitoring to verify connectivity to a target IP address or to the next hop IP address. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action to take when the IP address is unreachable.
      2. (Optional; required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List (you cannot use an FQDN as the next hop). You can add up to 8 next-hop IP addresses; tunnel and PPPoE interfaces are not available as a next-hop IP address.
        Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the internet) is forwarded out through the same interface through which traffic ingresses from the internet.
  3. Save the policies to the running configuration on the firewall.
    Click Commit.
    The PBF rule is in effect.
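The procedure above is carried out in the web interface, but the same rule can be expressed as PAN-OS configuration commands and checked against the constraints the procedure states before anything is committed. The following is an added example, not Palo Alto Networks' code and not part of this page: it models a PBF rule as a small data class, enforces the page's requirements (name, source zone/interface and egress interface are mandatory; the next hop and every symmetric-return address must be an IP address rather than an FQDN; symmetric return needs a source interface; at most 8 addresses in the Next Hop Address List; no loopback source; a warning when applications rather than services are matched), and renders the rule as CLI `set` commands. The command keywords are the configuration-mode syntax as recalled from PAN-OS and are an assumption to confirm with tab completion on your own firewall; the interface names, zone names and the 203.0.113.1 next hop are constructed sample values.

```python
"""Validate a PBF rule against the constraints in this procedure and render it as
PAN-OS CLI 'set' commands. Added example, not Palo Alto Networks' code.
The command syntax is the configuration-mode form as recalled from PAN-OS and is an
assumption: confirm each keyword with tab completion on your firewall before use."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PbfRule:
    name: str
    from_type: str                 # "zone" or "interface" (the Source tab's Type)
    from_value: str                # e.g. "trust" or "ethernet1/2"
    egress_interface: str          # Forward action: Egress Interface
    next_hop: str                  # Forward action: Next Hop (IP address only)
    source: List[str] = field(default_factory=lambda: ["any"])
    destination: List[str] = field(default_factory=lambda: ["any"])
    negate_source: bool = False
    negate_destination: bool = False
    applications: List[str] = field(default_factory=lambda: ["any"])
    services: List[str] = field(default_factory=lambda: ["any"])
    schedule: Optional[str] = None
    monitor_profile: Optional[str] = None
    symmetric_return: List[str] = field(default_factory=list)  # Next Hop Address List


def _require_ip(value: str, what: str) -> str:
    """The page rules out FQDNs for any next hop, so insist on a literal IP address."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError(f"{what} must be an IP address, not a domain name: {value!r}") from None


def validate(rule: PbfRule) -> List[str]:
    """Raise ValueError for violations the firewall would reject; return advisory warnings."""
    if not (rule.name and rule.from_value and rule.egress_interface):
        raise ValueError("name, source zone/interface and egress interface are required")
    if rule.from_type not in ("zone", "interface"):
        raise ValueError("from_type must be 'zone' or 'interface'")
    if rule.from_type == "interface" and rule.from_value.startswith("loopback"):
        raise ValueError("PBF is only supported on Layer 3 interfaces; loopback is not allowed")
    _require_ip(rule.next_hop, "next hop")
    if rule.symmetric_return:
        if rule.from_type != "interface":
            raise ValueError("Enforce Symmetric Return requires a source interface, not a zone")
        if len(rule.symmetric_return) > 8:
            raise ValueError("the Next Hop Address List holds at most 8 addresses")
        for addr in rule.symmetric_return:
            _require_ip(addr, "symmetric return next hop")
    warnings = []
    if rule.applications != ["any"]:
        warnings.append("application matching is not recommended for PBF; prefer a service object")
    return warnings


def _members(values: List[str]) -> str:
    """CLI list form: [ a b c ]."""
    return "[ " + " ".join(values) + " ]"


def render_cli(rule: PbfRule) -> List[str]:
    """Return the 'set' commands for the rule (syntax assumed; see module docstring)."""
    validate(rule)
    base = f"set rulebase pbf rules {rule.name}"
    cmds = [
        f"{base} from {rule.from_type} {_members([rule.from_value])}",
        f"{base} source {_members(rule.source)}",
        f"{base} destination {_members(rule.destination)}",
        f"{base} application {_members(rule.applications)}",
        f"{base} service {_members(rule.services)}",
        f"{base} action forward egress-interface {rule.egress_interface} "
        f"nexthop ip-address {rule.next_hop}",
    ]
    if rule.negate_source:
        cmds.append(f"{base} negate-source yes")
    if rule.negate_destination:
        cmds.append(f"{base} negate-destination yes")
    if rule.schedule:
        cmds.append(f"{base} schedule {rule.schedule}")
    if rule.monitor_profile:
        cmds.append(f"{base} action forward monitor profile {rule.monitor_profile}")
    if rule.symmetric_return:
        cmds.append(f"{base} enforce-symmetric-return enabled yes "
                    f"nexthop-address-list {_members(rule.symmetric_return)}")
    return cmds


def example_rule() -> PbfRule:
    """Constructed sample: send LAN HTTPS out a second ISP link with symmetric return."""
    return PbfRule(name="lan-https-via-isp2", from_type="interface", from_value="ethernet1/2",
                   egress_interface="ethernet1/1", next_hop="203.0.113.1",
                   source=["10.0.0.0/8"], services=["service-https"],
                   monitor_profile="default", symmetric_return=["203.0.113.1"])


if __name__ == "__main__":
    for line in render_cli(example_rule()):
        print(line)
```

Running the module prints the `set` lines for the sample rule; passing a hostname as `next_hop` or combining `from_type="zone"` with a symmetric-return list raises `ValueError` before any command is produced, which is the point at which the web interface would also refuse the rule.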