Policies > Policy Based Forwarding

Normally, when traffic enters the firewall, the ingress interface virtual router dictates the route that determines the outgoing interface and destination security zone based on destination IP address. By creating a policy-based forwarding (PBF) rule

, you can specify other information to determine the outgoing interface, including source zone, source address, source user, destination address, destination application, and destination service. The initial session on a given destination IP address and port that is associated with an application will not match an application-specific rule and will be forwarded according to subsequent PBF rules (that do not specify an application) or the virtual router’s forwarding table. All subsequent sessions on that destination IP address and port for the same application will match an application-specific rule. To ensure forwarding through PBF rules, application-specific rules are not recommended.

When necessary, PBF rules can be used to force traffic through an additional virtual system using the Forward-to-VSYS forwarding action. In this case, it is necessary to define an additional PBF rule that will forward the packet from the destination virtual system out through a particular egress interface

on the firewall.

The following tables describe the policy-based forwarding settings:

Policy Based Forwarding General Tab Policy Based Forwarding Source Tab Policy Based Forwarding Destination/Application/Service Tab Policy Based Forwarding Forwarding Tab

Looking for more?

See Policy-Based Forwarding

Policy Based Forwarding General Tab

Select the General tab to configure a name and description for the PBF policy. A tag can also be configured to allow you to sort or filter policies when a large number of policies exist.

Field	Description
Name	Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Description	Enter a description for the policy (up to 255 characters).
Tag	If you need to tag the policy, click Add to specify the tag. A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.

Policy Based Forwarding Source Tab

Select the Source tab to define the source zone or source address that defines the incoming source traffic to which the forwarding policy will be applied.

Field	Description
Source Zone	To choose source zones (default is any), click Add and select from the drop-down. To define new zones, refer to Network > Zones. Multiple zones can be used to simplify management. For example, if you have three different internal zones (Marketing, Sales, and Public Relations) that are all directed to the untrusted destination zone, you can create one rule that covers all cases. Only Layer 3 type zones are supported for policy-based forwarding.
Source Address	Click Add to add source addresses, address groups, or regions (default is any). Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
Source User	Click Add to choose the source users or groups of users subject to the policy. The following source user types are supported: any —Include any traffic regardless of user data. pre-logon —Include remote users that are connected to the network using GlobalProtect, but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine will be identified with the username pre-logon. You can then create policies for pre-logon users and although the user is not logged in directly, their machines are authenticated on the domain as if they were fully logged in. known-user —Includes all authenticated users, which means any IP with user data mapped. This option is equivalent to the “domain users” group on a domain. unknown —Includes all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest level access to something because they will have an IP on your network, but will not be authenticated to the domain and will not have IP address-to-user mapping information on the firewall. Select —Includes selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users. If you are using a RADIUS server and not the User-ID Agent, the list of users does not display; you must enter user information manually.

Policy Based Forwarding Destination/Application/Service Tab

Select the Destination/Application/Service tab to define the destination settings that will be applied to traffic that matches the forwarding rule.

Field	Description
Destination Address	Click Add to add destination addresses, address groups, or regions (default is any). By default, the rule applies to Any IP address. Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.
Application/Service	Select specific applications or services for the PBF rule. To define new applications, refer to Defining Applications. To define application groups, refer to Objects > Application Groups. Application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application. For details, see https://paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/pbf.html . If you are using application groups, filters, or container in the PBF rule, you can view details on these objects by holding your mouse over the object in the Application column, clicking the down arrow and selecting Value. This enables you to easily view application members directly from the policy without having to go to the Object tabs.

Field

Description

Destination Address

Click Add to add destination addresses, address groups, or regions (default is any). By default, the rule applies to Any IP address. Select from the drop-down, or click Address, Address Group, or Regions at the bottom of the drop-down, and specify the settings.

Application/Service

Select specific applications or services for the PBF rule. To define new applications, refer to Defining Applications. To define application groups, refer to Objects > Application Groups.

Application-specific rules are not recommended for use with PBF. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application. For details, see https://paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/pbf.html

If you are using application groups, filters, or container in the PBF rule, you can view details on these objects by holding your mouse over the object in the Application column, clicking the down arrow and selecting Value. This enables you to easily view application members directly from the policy without having to go to the Object tabs.

Policy Based Forwarding Forwarding Tab

Select the Forwarding tab to define the action and network information that will be applied to traffic that matches the forwarding policy. Traffic can be forwarded to a next-hop IP address, a virtual system, or the traffic can be dropped.

Field	Description
Action	Select one of the following options: Forward —Specify the next hop IP address and egress interface (the interface that the packet takes to get to the specified next hop). Forward To VSYS —Choose the virtual system to forward to from the drop-down. Discard —Drop the packet. No PBF —Do not alter the path that the packet will take. This option, excludes the packets that match the criteria for source/destination/application/service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
Egress Interface	Directs the packet to a specific Egress Interface
Next Hop	If you direct the packet to a specific interface, specify the Next Hop IP address for the packet.
Monitor	Enable Monitoring to verify connectivity to a target IP Address or to the Next Hop IP address. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action when the IP address is unreachable.
Enforce Symmetric Return	(Required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List. Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the Internet) is forwarded out through the same interface through which traffic ingresses from the Internet.
Schedule	To limit the days and times when the rule is in effect, select a schedule from the drop-down. To define new schedules, refer to Settings to Control Decrypted SSL Traffic.

Document:PAN-OS® Web Interface Reference Guide

Policies > Policy Based Forwarding

Related Documentation

Document:PAN-OS® Web Interface Reference Guide

Policies > Policy Based Forwarding

Related Documentation

Create a Policy-Based Forwarding Rule

Use Case: PBF for Outbound Access with Dual ISPs

Policies > DoS Protection

Policy-Based Forwarding

Policies > Security

Policies > Application Override

Components of a Security Policy Rule

Policies > Decryption

Create a Security Policy Rule

Policies > NAT