What more can my firewall do? Policy Based Forwarding!

Due to increasing bandwith demands in the workplace owing to web browsing, social media, and other bandwidth-consuming applications, many companies add a secondary ISP connection. The secondary ISP may provide more bandwidth but decreased service level. The lower service level ensures offloading less important web traffic in favor of guaranteeing bandwidth for mission-critical applications.

You may have already checked out Quality of Service and limited or guaranteed bandwidth based on application, but there's another cool trick the firewall can do—policy based forwarding or PBF. Policy based forwarding allows you to bypass the routing table in favor of routing options dictated by a policy configurable based on applications, source or destination. In short, this means you can choose to have certain applications use a different link without needing to tweak the routing table.

Let's start by taking a closer look at how the example firewall is configured while you take note of your configuration:

ISP1 is the primary link used for critical applications

ISP2 is a backup connection with high bandwidth but no service-level guarantees

The default gateway of my Virtual Router is configured to point to ISP1.

Optional: As backup, I have added ISP2 with a higher metric. This will make ISP2 the backup link in case ISP1 were to experience an outage.

Start by opening the Policy Based Forwarding policies and creating a new policy:

• Give the policy a friendly name
• Set the source Zone or Interface
• Set the destination Application to web-browsing and another application you wish to reroute over ISP2 (ftp,...)
• Best practice would be to set the service to application-default

In the forwarding tab:

• Set the Action to Forward (other options are 'Discard' to discard any session matching the PBF policy or 'NO PBF' to not apply PBF to a certain session)
• Set the Egress Interface to the ISP2 connected interface
• Set Next Hop as ISP2's router IP address so packets are properly routed to this device
• Enable Monitor
• Create a monitor profile that is set for Fail Over
• Activate the 'Disable this rule' checkbox to allow this policy to be disabled in case ISP2 experiences an outage, this will reroute the sessions back via the default gateway
• Set ISP2's router IP as a monitoring target

You have now succesfully configured a Policy Based Forwarding policy! The only thing left to do is to create security policies to allow sessions to be created from the trust zone to the ISP2 zone, and if needed, perform NAT on these sessions:

After this configuration has been committed, there are several usefull CLI commands at your disposal to verify if the PBF rule is functional and if it is being used:

> show pbf rule all

Rule       ID    Rule State Action   Egress IF/VSYS  NextHop                                 NextHop Status
========== ===== ========== ======== =============== ======================================= ==============
ISP2_webac 1     Active     Forward  ethernet1/2     172.16.31.1                             UP          
  

> show running pbf-policy

ISP2_webaccess {
        id 1;
        from trust;
        source any;
        destination any;
        user any;
        application/service [ ftp/tcp/any/21 web-browsing/tcp/any/80 ];
        action Forward;
        symmetric-return no;
        forwarding-egress-IF/VSYS ethernet1/2;
        next-hop 172.16.31.1;
        terminal no;
}

> test pbf-policy-match from trust application web-browsing source 192.168.0.7 destination 93.184.216.34 protocol 6 destination-port 80

ISP2_webaccess {
        id 1;
        from trust;
        source any;
        destination any;
        user any;
        application/service [ ftp/tcp/any/21 web-browsing/tcp/any/80 ];
        action Forward;
        symmetric-return no;
        forwarding-egress-IF/VSYS ethernet1/2;
        next-hop 172.16.31.1;
        terminal no;
}

> show session all filter pbf-rule ISP2_webaccess

--------------------------------------------------------------------------------
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
9873         web-browsing   ACTIVE  FLOW  NS   192.168.0.7[4015]/trust/6  (172.16.31.2[7914])
vsys1                                          93.184.216.34[80]/ISP2  (93.184.216.34[80])


> show session id 9873

Session            9873

        c2s flow:
                source:      192.168.0.7 [trust]
                dst:         93.184.216.34
                proto:       6
                sport:       4015            dport:      80
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown
                pbf rule:    ISP2_webaccess 1

        s2c flow:
                source:      93.184.216.34 [ISP2]
                dst:         172.16.31.2
                proto:       6
                sport:       80              dport:      7914
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    unknown

I hope you found this article useful. Please feel free to check out the rest of the Getting Started episodes or leave a comment below!

Regards,

Tom