Normally, when traffic enters the firewall, the ingress
interface virtual router dictates the route that determines the
outgoing interface and destination security zone based on destination
IP address. By creating a policy-based forwarding (PBF) rule, you can specify
other information to determine the outgoing interface, including
source zone, source address, source user, destination address, destination
application, and destination service. The initial session on a given
destination IP address and port that is associated with an application
will not match an application-specific rule and will be forwarded
according to subsequent PBF rules (that do not specify an application)
or the virtual router’s forwarding table. All subsequent sessions on
that destination IP address and port for the same application will
match an application-specific rule. To ensure forwarding through
PBF rules, application-specific rules are not recommended.
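
The first-session behavior described above, as a simplified Python model added here (not PAN-OS code or vendor configuration). The rule names, interfaces, zone, address, application name, and the cache keyed on destination IP address and port are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PbfRule:
    name: str
    egress: str
    src_zone: Optional[str] = None
    application: Optional[str] = None  # None: rule does not specify an application

class Firewall:
    """Simplified model (assumption): the application behind a destination
    IP/port is only known to PBF after an earlier session identified it."""

    def __init__(self, rules, vr_egress):
        self.rules = rules
        self.vr_egress = vr_egress   # egress chosen by the virtual router
        self.app_cache = {}          # (dst_ip, dst_port) -> identified application

    def forward(self, src_zone, dst_ip, dst_port, actual_app):
        known_app = self.app_cache.get((dst_ip, dst_port))
        decision = ("virtual-router", self.vr_egress)
        for rule in self.rules:      # first matching rule wins
            if rule.src_zone and rule.src_zone != src_zone:
                continue
            if rule.application and rule.application != known_app:
                continue             # app not yet known: app-specific rule cannot match
            decision = (rule.name, rule.egress)
            break
        # The session's application is identified after forwarding was decided.
        self.app_cache[(dst_ip, dst_port)] = actual_app
        return decision

def demo():
    # Constructed sample values: interfaces, zone, address and application name.
    flow = ("trust", "203.0.113.10", 443, "ssl")
    app_fw = Firewall([PbfRule("pbf-app", "ethernet1/3", "trust", "ssl")], "ethernet1/1")
    zone_fw = Firewall([PbfRule("pbf-zone", "ethernet1/3", "trust")], "ethernet1/1")
    return {
        "app_rule": [app_fw.forward(*flow) for _ in range(2)],
        "zone_rule": [zone_fw.forward(*flow) for _ in range(2)],
    }

if __name__ == "__main__":
    for label, path in demo().items():
        print(label, path)
```

With the application-specific rule, the first session leaves through the virtual router's interface and only the second follows the PBF rule; the rule without an application steers both sessions.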