Create a Policy-Based Forwarding Rule
- Create a PBF rule. When creating a PBF rule you must specify a name for the rule, a source zone or interface, and (for the Forward action) an egress interface. All other components are either optional or have a default value. You can specify the source and destination addresses using an IP address, an address object, or an FQDN. The next hop, however, must be an IP address.
- Select Policies > Policy Based Forwarding and click Add.
- Give the rule a descriptive name in the General tab.
- In the Source tab, select the following:
  - Select the Type (Zone or Interface) to which the forwarding policy will be applied, and the relevant zone or interface. If you want to enforce symmetric return, you must select a source interface. PBF is only supported on Layer 3 interfaces; loopback interfaces do not support PBF.
  - (Optional) Specify the Source Address to which PBF will apply, for example a specific IP address or subnet from which you want to forward traffic to the interface or zone specified in this rule. Use the Negate option to exclude one or more source IP addresses from the PBF rule. For example, if your PBF rule directs all traffic from the specified zone to the internet, Negate lets you exclude internal IP addresses from the rule. (You can also use Negate to exclude the destination IP addresses you specify in the Destination/Application/Service tab.) Rules are evaluated top down: a packet is matched against the first rule whose criteria it meets, and once a rule matches, the subsequent rules are not evaluated. Place exclusion rules above the broader forwarding rules they are meant to carve traffic out of.
  - (Optional) Add and select the Source User or groups of users to whom the policy applies.
- In the Destination/Application/Service tab, select the following:
  - Destination Address. By default the rule applies to Any IP address. Use the Negate option to exclude one or more destination IP addresses from the PBF rule.
  - Select the Application(s) or Service(s) that you want to control using PBF. Application-specific rules are not recommended for use with PBF because PBF rules may be applied before the firewall has enough information to identify the application. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application. For more details, see Service Versus Applications in PBF.
- Specify how to forward traffic that matches the rule. In the Forwarding tab, select the following:
  - Set the Action. The options are as follows:
    - Forward: directs the packet to a specific Egress Interface. Enter the Next Hop IP address for the packet (you cannot use a domain name for the next hop).
    - Forward To VSYS: (on a firewall enabled for multiple virtual systems) select the virtual system to which to forward the packet.
    - Discard: drop the packet.
    - No PBF: exclude packets that match the source/destination/application/service criteria defined in the rule from policy-based forwarding. Matching packets are routed using the route table instead of being redirected to the PBF egress interface.
    To trigger the specified action at a daily, weekly, or non-recurring frequency, create and attach a Schedule.
  - (Optional) Enable monitoring to verify connectivity to a target IP address or to the next hop IP address. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action to take when the IP address is unreachable.
  - (Required for asymmetric routing environments; otherwise optional) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List (you cannot use an FQDN as a next hop). You can add up to 8 next-hop IP addresses; tunnel and PPPoE interfaces are not available as a next hop. Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the internet) is forwarded out through the same interface through which the traffic ingressed from the internet.
- Save the policy to the running configuration on the firewall: click Commit. The PBF rule is now in effect.
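The two points in this procedure that most often bite in practice are the top-down, first-match evaluation order and the constraints on what a rule may contain (next hop must be an IP, symmetric return needs a source interface, at most 8 return next hops, no loopback interfaces). The following Python model is an added example, not Palo Alto Networks code and not the firewall's own matching engine; it encodes exactly the constraints stated above, evaluates a packet against an ordered rulebase the way the procedure describes, and shows why an exclusion rule (No PBF, or a Negate on the destination) has to sit above the catch-all forward rule. All zone names, interface names and addresses are constructed for the example.

```python
"""Added example: a small model of a PBF rulebase (not Palo Alto Networks code).
It checks the constraints the procedure states and evaluates packets top down,
first match wins. Zones, interfaces and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def is_ip(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address (an FQDN does not)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


@dataclass
class PBFRule:
    name: str
    source_zone: Optional[str] = None                     # Source tab, Type = Zone ...
    source_interface: Optional[str] = None                # ... or Type = Interface
    source_addresses: List[str] = field(default_factory=list)       # empty = Any
    negate_source: bool = False
    destination_addresses: List[str] = field(default_factory=list)  # empty = Any
    negate_destination: bool = False
    action: str = "forward"                               # forward | discard | no-pbf
    egress_interface: Optional[str] = None
    next_hop: Optional[str] = None                        # IP address only, never an FQDN
    enforce_symmetric_return: bool = False
    return_next_hops: List[str] = field(default_factory=list)       # at most 8 IPs


def validate_rule(rule: PBFRule) -> List[str]:
    """Return the rule's violations of the constraints given in the procedure."""
    errors = []
    if not rule.name:
        errors.append("name is required")
    if not (rule.source_zone or rule.source_interface):
        errors.append("source zone or source interface is required")
    if rule.source_interface and rule.source_interface.startswith("loopback"):
        errors.append("PBF is not supported on loopback interfaces")
    if rule.action == "forward":
        if not rule.egress_interface:
            errors.append("Forward action needs an egress interface")
        if rule.next_hop is not None and not is_ip(rule.next_hop):
            errors.append(f"next hop {rule.next_hop!r} must be an IP address, not a domain name")
    if rule.enforce_symmetric_return:
        if not rule.source_interface:
            errors.append("Enforce Symmetric Return requires a source interface, not a zone")
        if len(rule.return_next_hops) > 8:
            errors.append("Next Hop Address List holds at most 8 addresses")
        errors += [f"symmetric-return next hop {nh!r} must be an IP"
                   for nh in rule.return_next_hops if not is_ip(nh)]
    return errors


def _addr_match(addr: str, prefixes: List[str], negate: bool) -> bool:
    """Any (empty list) matches everything; Negate inverts a non-empty match."""
    if not prefixes:
        return True
    ip = ipaddress.ip_address(addr)
    hit = any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)
    return not hit if negate else hit


def evaluate(rules: List[PBFRule], src_zone: str, src_if: str,
             src_ip: str, dst_ip: str) -> Tuple[Optional[str], str]:
    """Top-down evaluation: the first rule whose criteria match decides the outcome."""
    for rule in rules:
        if rule.source_zone and rule.source_zone != src_zone:
            continue
        if rule.source_interface and rule.source_interface != src_if:
            continue
        if not _addr_match(src_ip, rule.source_addresses, rule.negate_source):
            continue
        if not _addr_match(dst_ip, rule.destination_addresses, rule.negate_destination):
            continue
        return rule.name, rule.action
    return None, "route-table"   # no PBF rule matched: normal routing applies


RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed rulebase: keep internal destinations on the route table (No PBF),
# then send everything else from the trust zone out the second ISP link.
exclude_internal = PBFRule("keep-internal-on-route-table", source_zone="trust",
                           destination_addresses=RFC1918, action="no-pbf")
isp2_default = PBFRule("trust-to-isp2", source_zone="trust", action="forward",
                       egress_interface="ethernet1/2", next_hop="203.0.113.1")
RULEBASE = [exclude_internal, isp2_default]

# The same intent expressed as a single rule with Negate on the destination.
isp2_negate = PBFRule("trust-to-isp2-negate", source_zone="trust",
                      destination_addresses=RFC1918, negate_destination=True,
                      action="forward", egress_interface="ethernet1/2", next_hop="203.0.113.1")

if __name__ == "__main__":
    for dst in ("10.20.30.40", "198.51.100.7"):
        print(dst, evaluate(RULEBASE, "trust", "ethernet1/3", "10.1.1.5", dst))
    # Ordering pitfall: with the catch-all first, internal traffic is also sent to the ISP.
    print(evaluate(RULEBASE[::-1], "trust", "ethernet1/3", "10.1.1.5", "10.20.30.40"))
    print(validate_rule(PBFRule("bad", source_zone="trust", egress_interface="ethernet1/2",
                                next_hop="gw.example.com")))
```

Run as written, the model routes the internal destination via the route table and the external one out ethernet1/2; reversing the rulebase sends the internal destination to the ISP next hop as well, which is the misordering the Negate and No PBF options exist to prevent. The validator flags the FQDN next hop that the Forwarding tab rejects.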