Create a Policy-Based Forwarding Rule
Use a PBF rule to direct traffic to a specific egress interface on the firewall, and override the default path for the traffic.
- Create a PBF rule. When creating a PBF rule, you must specify a name for the rule, a source zone or interface, and an egress interface. All other components are either optional or have a default value provided. You can specify the source and destination addresses using an IP address, an address object, or an FQDN.
  - Select Policies > Policy Based Forwarding and click Add.
  - Give the rule a descriptive name in the General tab.
  - In the Source tab:
    - Select the Type—Zone or Interface—to which the forwarding policy will be applied, and the relevant zone or interface. If you want to enforce symmetric return, you must select a source interface. Only Layer 3 interfaces support PBF; loopback interfaces do not support PBF.
    - (Optional) Specify the Source Address to which the PBF rule applies, for example a specific IP address or subnet from which you want to forward traffic to the interface or zone specified in this rule. Click Negate to exclude one or more Source Addresses from the PBF rule. For example, if your PBF rule directs all traffic from the specified zone to the internet, Negate allows you to exclude internal IP addresses from the PBF rule. The evaluation order is top down: a packet is matched against the first rule that meets the defined criteria, and after a match is triggered, subsequent rules are not evaluated.
    - (Optional) Add and select the Source User or groups of users to whom the policy applies.
  - In the Destination/Application/Service tab, select the following:
    - Destination Address. By default the rule applies to Any IP address. Click Negate to exclude one or more destination IP addresses from the PBF rule.
    - Add the Application(s) or Service(s) that you want to control using PBF. Application-specific rules are not recommended for use with PBF because PBF rules may be applied before the firewall has enough information to determine the application. Whenever possible, use a service object, which is the Layer 4 port (TCP or UDP) used by the protocol or application. For more details, see Service Versus Applications in PBF.
- Specify how to forward packets that match the rule.
  - Select the Forwarding tab.
  - Set the Action to take on matching packets:
    - Forward—Directs the packet to the specified Egress Interface.
    - Forward to VSYS—(On a firewall enabled for multiple virtual systems) Select the virtual system to which to forward the packet.
    - Discard—Drops the packet.
    - No PBF—Excludes packets that match the source/destination/application/service criteria defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.
  - To trigger the specified Action at a daily, weekly, or non-recurring frequency, create and attach a Schedule.
  - For Next Hop, select one of the following:
    - IP Address—Enter an IP address, or select an address object of type IP Netmask, to which the firewall forwards matching packets. The address object must have a /32 netmask for IPv4 or a /128 netmask for IPv6.
    - FQDN—Enter an FQDN (or select or create an address object of type FQDN) to which the firewall forwards matching packets. The FQDN can resolve to an IPv4 address, an IPv6 address, or both. If the FQDN resolves to both IPv4 and IPv6 addresses, the PBF rule has two next hops: one IPv4 address and one IPv6 address. You can use the same PBF rule for both IPv4 and IPv6 traffic: IPv4 traffic is forwarded to the IPv4 next hop and IPv6 traffic is forwarded to the IPv6 next hop. This FQDN must resolve to an IP address that belongs to the same subnet as the interface you configured for PBF; otherwise, the firewall rejects the resolution and the FQDN remains unresolved. The firewall uses only one IP address (from each IPv4 or IPv6 family type) from the DNS resolution of the FQDN. If the DNS resolution returns more than one address, the firewall uses the preferred IP address that matches the IP family type (IPv4 or IPv6) configured for the next hop. The preferred IP address is the first address the DNS server returns in its initial response. The firewall retains this address as preferred as long as the address appears in subsequent responses, regardless of its order.
    - None—No next hop means that the destination IP address of the packet is used as the next hop. Forwarding fails if the destination IP address is not in the same subnet as the egress interface.
  - (Optional) Enable monitoring to verify connectivity to a target IP address, or to the Next Hop IP address if no target IP address is specified. Select Monitor and attach a monitoring Profile (default or custom) that specifies the action when the monitored address is unreachable. The Egress Interface can have both IPv4 and IPv6 addresses, and the Next Hop FQDN can resolve to both IPv4 and IPv6 addresses. In this case:
    - You can select Disable this rule if nexthop/monitor ip is unreachable.
    - Enter a target IP Address to monitor.
    - If the egress interface has both IPv4 and IPv6 addresses and the next hop FQDN resolves to only one address family type, the firewall monitors the resolved IP address. If the FQDN resolves to both IPv4 and IPv6 addresses, but the egress interface has an address of only one family type, the firewall monitors the resolved next hop address that matches the address family of the egress interface.
    - If both the egress interface and the next hop FQDN have both IPv4 and IPv6 addresses, the firewall monitors the IPv4 next hop address.
    - If the egress interface has an address of one family and the next hop FQDN resolves to an address of a different family, the firewall does not monitor anything.
  - (Required for asymmetric routing environments; otherwise, optional) Select Enforce Symmetric Return and Add one or more IP addresses in the Next Hop Address List. You can add up to 8 next-hop IP addresses; tunnel and PPPoE interfaces are not available as a next-hop IP address. Enabling symmetric return ensures that return traffic (say, from the Trust zone on the LAN to the internet) is forwarded out through the same interface through which traffic ingresses from the internet.
- Click Commit. The PBF rule is in effect.
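The following is an added example (not PAN-OS code and not Palo Alto Networks' own API) that models how the rulebase built above is evaluated: top-down first match, Negate on address lists, the No PBF action falling back to the route table, and a Next Hop of None failing when the destination is not on the egress subnet. The `PbfRule` class, the `evaluate` function and the three sample rules are hypothetical and constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class PbfRule:                              # hypothetical model, not a PAN-OS API
    name: str
    source_zone: str                        # Source tab, Type = Zone
    action: str                             # "forward", "discard" or "no-pbf"
    egress_interface: str = ""              # required when action is "forward"
    egress_subnet: str = ""                 # the egress interface's own subnet
    next_hop: str = ""                      # "" = None: the packet's destination is the next hop
    source_addrs: list = field(default_factory=list)  # empty = Any
    negate_source: bool = False
    dest_addrs: list = field(default_factory=list)    # empty = Any
    negate_dest: bool = False
    services: set = field(default_factory=set)        # {("tcp", 443)}; empty = any

def _addr_match(ip, addrs, negate):
    if not addrs:                           # Any
        return True
    hit = any(ipaddress.ip_address(ip) in ipaddress.ip_network(a) for a in addrs)
    return not hit if negate else hit       # Negate inverts the address match

def rule_matches(rule, pkt):
    return (rule.source_zone == pkt["zone"]
            and _addr_match(pkt["src"], rule.source_addrs, rule.negate_source)
            and _addr_match(pkt["dst"], rule.dest_addrs, rule.negate_dest)
            and (not rule.services or (pkt["proto"], pkt["dport"]) in rule.services))

def evaluate(rules, pkt):
    """Top-down, first-match evaluation; returns (rule name, decision)."""
    for r in rules:
        if not rule_matches(r, pkt):
            continue
        if r.action != "forward":
            return r.name, "route-table" if r.action == "no-pbf" else "discard"
        nh = r.next_hop or pkt["dst"]
        if not r.next_hop and ipaddress.ip_address(nh) not in ipaddress.ip_network(r.egress_subnet):
            return r.name, "forwarding-failed"  # Next Hop None and destination off-subnet
        return r.name, f"forward via {r.egress_interface} next-hop {nh}"
    return None, "route-table"              # nothing matched: normal routing

# Constructed rulebase: internal destinations stay on the route table, HTTPS to the internet leaves via ISP2 (Negate on 10.0.0.0/8), the rest via ISP1.
RULES = [
    PbfRule("keep-internal", "trust", "no-pbf", dest_addrs=["10.0.0.0/8"]),
    PbfRule("https-via-isp2", "trust", "forward", "ethernet1/2", "203.0.113.0/24",
            "203.0.113.1", dest_addrs=["10.0.0.0/8"], negate_dest=True, services={("tcp", 443)}),
    PbfRule("rest-via-isp1", "trust", "forward", "ethernet1/1", "198.51.100.0/24"),
]
```

Note that the first packet below would also match the HTTPS rule, but the No PBF rule above it wins because evaluation stops at the first match.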
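A second added example (again not PAN-OS code) models the FQDN next-hop and monitoring behaviour described under Next Hop and Monitor above: preferred-address retention across DNS responses, rejection of an answer that is not on the egress interface's subnet, and which resolved address path monitoring watches for each combination of egress-interface and FQDN address families. The function names and the sample interface addresses and DNS answers are constructed for illustration.

```python
import ipaddress

def preferred_address(dns_answers, family, previous=None):
    """Pick the next hop of one address family from a DNS answer list. The address
    chosen from the initial response stays preferred while it keeps appearing in
    later answers, whatever its position; otherwise the first answer of that family wins."""
    cands = [a for a in map(ipaddress.ip_address, dns_answers) if a.version == family]
    if not cands:
        return None
    if previous is not None and ipaddress.ip_address(previous) in cands:
        return str(ipaddress.ip_address(previous))
    return str(cands[0])

def resolve_next_hops(egress_iface_addrs, dns_answers, previous=None):
    """Return {4: addr-or-None, 6: addr-or-None}. An answer outside the egress
    interface's subnet for that family is rejected and stays unresolved."""
    previous = previous or {}
    nets = [ipaddress.ip_interface(a).network for a in egress_iface_addrs]
    hops = {}
    for fam in (4, 6):
        cand = preferred_address(dns_answers, fam, previous.get(fam))
        if cand and not any(ipaddress.ip_address(cand) in n for n in nets if n.version == fam):
            cand = None                      # not on the egress subnet: unresolved
        hops[fam] = cand
    return hops

def monitor_target(egress_iface_addrs, hops):
    """Which resolved next hop path monitoring watches, per the rules above."""
    iface_fams = {ipaddress.ip_interface(a).version for a in egress_iface_addrs}
    resolved = {f: a for f, a in hops.items() if a is not None}
    if not resolved:
        return None
    if len(iface_fams) == 2:                 # dual-stack egress interface
        return resolved.get(4) if len(resolved) == 2 else next(iter(resolved.values()))
    return resolved.get(next(iter(iface_fams)))  # single-family egress: families must match

# Constructed sample: dual-stack egress interface and a dual-stack FQDN answer.
EGRESS = ["198.51.100.1/24", "2001:db8:1::1/64"]
ANSWER = ["198.51.100.20", "2001:db8:1::20", "198.51.100.30"]
```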