Normally, when traffic enters the firewall, the ingress interface virtual router dictates the route that determines the outgoing interface and destination security zone based on destination IP address. By creating a policy-based forwarding (PBF) rule, you can specify other information to determine the outgoing interface, including source zone, source address, source user, destination address, destination application, and destination service. The initial session on a given destination IP address and port that is associated with an application will not match an application-specific rule and will be forwarded according to subsequent PBF rules (that do not specify an application) or the virtual router’s forwarding table. All subsequent sessions on that destination IP address and port for the same application will match an application-specific rule. To ensure forwarding through PBF rules, application-specific rules are not recommended.
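The first-session behavior described above, as an added Python model (an illustration written for this page, not Palo Alto Networks code or configuration). The rule names, interface names, the 203.0.113.10 address and the `learned` table that remembers the application per destination IP address and port are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PbfRule:
    name: str
    egress: str                         # outgoing interface the rule selects
    source_zone: Optional[str] = None   # None = any
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    application: Optional[str] = None   # None = rule does not specify an application

class PbfModel:
    def __init__(self, rules, vr_egress):
        self.rules = rules              # evaluated top-down, first match wins
        self.vr_egress = vr_egress      # stand-in for the virtual router's forwarding table
        self.learned = {}               # (dst_ip, dst_port) -> application seen earlier (assumed)

    def forward(self, zone, dst_ip, dst_port, app):
        """Pick the egress at session setup, then record the app for later sessions."""
        known = self.learned.get((dst_ip, dst_port))   # None on the initial session
        choice = ("virtual-router", self.vr_egress)
        for r in self.rules:
            if r.source_zone not in (None, zone):
                continue
            if r.dst_ip not in (None, dst_ip) or r.dst_port not in (None, dst_port):
                continue
            if r.application is not None and r.application != known:
                continue                # application not known yet: rule cannot match
            choice = (r.name, r.egress)
            break
        self.learned[(dst_ip, dst_port)] = app         # identified after forwarding began
        return choice

def demo():
    # Constructed rule base: application-specific rule first, general rule second.
    fw = PbfModel([
        PbfRule("web-to-isp2", "ethernet1/4", source_zone="trust", application="web-browsing"),
        PbfRule("trust-to-isp1", "ethernet1/3", source_zone="trust"),
    ], vr_egress="ethernet1/1")
    first = fw.forward("trust", "203.0.113.10", 80, "web-browsing")
    second = fw.forward("trust", "203.0.113.10", 80, "web-browsing")
    other_zone = fw.forward("dmz", "203.0.113.10", 80, "web-browsing")
    return first, second, other_zone

if __name__ == "__main__":
    for label, result in zip(("initial", "subsequent", "no PBF match"), demo()):
        print(f"{label:13} -> {result}")
```

In the model, the initial session leaves through the general rule's interface and only the next session to the same destination IP address and port takes the application-specific path, so a forwarding decision that must hold from the first session should not depend on the application.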