Policy Based Forwarding Forwarding Tab

Select the Forwarding tab to define the action and network information that will be applied to traffic that matches the forwarding policy. Traffic can be forwarded to a next-hop IP address, a virtual system, or the traffic can be dropped.
Field
Description
Action
Select one of the following options:
  • Forward—Specify the next hop IP address and egress interface (the interface that the packet takes to get to the specified next hop).
  • Forward To VSYS—Choose the virtual system to forward to from the drop-down.
  • Discard—Drop the packet.
  • No PBF—Do not alter the path that the packet will take. This option, excludes the packets that match the criteria for source/destination/application/service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
Use Forward or Forward to VSYS as the Action so you can apply a Monitor profile to the traffic. (You can’t apply a Monitor profile when the Action doesn’t forward the traffic.) Monitor profiles monitor the IP address. If connectivity to the IP address fails, Monitor profiles specify the action.
Egress Interface
Directs the packet to a specific Egress Interface
Next Hop
If you direct the packet to a specific interface, specify the Next Hop IP address for the packet.
Monitor
Enable Monitoring to verify connectivity to a target IP Address or to the Next Hop IP address. Select Monitor and attach a monitoring Profile (default or custom, NetworkNetwork ProfilesMonitor) that specifies the action when the IP address is unreachable.
Configure Monitor profiles and enable monitoring so that if the egress interface fails or the route goes down, the firewall takes the action in the profile and minimizes or prevents the service interruption.
Enforce Symmetric Return
(Required for asymmetric routing environments) Select Enforce Symmetric Return and enter one or more IP addresses in the Next Hop Address List.
Enabling symmetric return ensures that return traffic (such as from the Trust zone on the LAN to the Internet) is forwarded out through the same interface through which traffic ingresses from the Internet.
Schedule
To limit the days and times when the rule is in effect, select a schedule from the drop-down. To define new schedules, refer to Settings to Control Decrypted SSL Traffic.

Related Documentation