Configuring Policy-based Route

Policy Based Route (PBR) is designed to select a router and forward data based on the source IP address, destination IP address and service type of a packet.

Creating a Policy-based Route and PBR Rule

To create a policy-based route and PBR rule, take the following steps:

  1. On the Navigation pane, click Configure > Network > Routing to visit the Routing page.
  2. On the Policy-based Route tab, click New.
  3. Select Policy-based Route from the drop-down list.
  4. On the Basic tab in the Policy-based Route Configuration dialog, configure basic options for the route.
    Option | Description
    PBR name | Specifies a name for the policy-based route.
    Set next hop | Specifies a next hop for the PBR rule. Select the Set next hop check box, and then specify the type of the next hop in the box below, including:
    • IP address: Type the IP address into the box, and the type of next hop will be an IP address.
    • Interface: Select an interface from the drop-down list, and the type of next hop will be an interface.
    Description | Type information about the PBR rule.
    Bind to | Binds the policy-based route to an interface or zone. Select an interface or zone from the drop-down list.
  5. On the Source tab, configure source address options for the PBR rule. The source address for the PBR rule can be an arbitrary combination between address entry, IP address, host name and IP range.
    Option | Description
    Type | IP address: To specify a source address type of "IP address", click this option button and type the IP address and netmask into the IP address and Netmask box respectively.
         | Host name: To specify a source address type of "host name", click this option button and type the host name into the Host name box.
         | IP range: To specify a source address type of "IP range", click this option button and type the start IP and end IP into the Start IP and End IP box respectively.
         | Address entry: To specify a source address type of "address entry", click this option button and select an address entry from the Address entry drop-down list.
    Add | Click Add to add the source address entry to the system. All the entries that have been added will be displayed in the list below.
    Delete | Select the entry you want to delete from the list, and click Delete.
  6. On the Role/User/User group tab, configure source user options for the PBR rule. The source user for the PBR rule can be an arbitrary combination between role, user and user group.
    Option | Description
    User type | Role: To specify a source user type of "Role", click this option button and select a role from the Role drop-down list.
              | User: To specify a source user type of "User", click this option button and select an AAA server and username from the AAA server and Username drop-down list respectively.
              | User group: To specify a source user type of "User group", click this option button and select an AAA server and user group name from the AAA server and User group name drop-down list respectively.
    Add | Click Add to add the source user entry to the system. All the entries that have been added will be displayed in the list below.
    Delete | Select the entry you want to delete from the list, and click Delete.
  7. On the Destination tab, configure destination address options for the PBR rule. The destination address for the PBR rule can be an arbitrary combination between address entry, IP address, host name and IP range.
    Option | Description
    Type | IP address: To specify a destination address type of "IP address", click this option button and type the IP address and netmask into the IP address and Netmask box respectively.
         | Host name: To specify a destination address type of "host name", click this option button and type the host name into the Host name box.
         | IP range: To specify a destination address type of "IP range", click this option button and type the start IP and end IP into the Start IP and End IP box respectively.
         | Address entry: To specify a destination address type of "address entry", click this option button and select an address entry from the Address entry drop-down list.
    Add | Click Add to add the destination address entry to the system. All the entries that have been added will be displayed in the list below.
    Delete | Select the entry you want to delete from the list, and click Delete.
  8. On the Service tab, configure service type for the PBR rule. The service type for the PBR rule can be an arbitrary combination between pre-defined service, user-defined service and service group. To add a service, select a service or service group in the Available list, and click to add to the Selected list. To delete a service or service group, select the service or service group in the Selected list, and click .
  9. Click OK to save your settings.

Adding a PBR Rule

To add a rule for an existing policy-based route, take the following steps:

  1. On the Navigation pane, click Configure > Network > Routing to visit the Routing page.
  2. On the Policy-based Route tab, click New.
  3. Select PBR Rule from the drop-down list.
  4. On the Basic tab in the Rule Configuration dialog, configure basic options for the route.
    Option | Description
    PBR name | Select an existing policy-based route from the drop-down list.
    Set next hop | Specifies a next hop for the PBR rule. Select the Set next hop check box, and then specify the type of the next hop in the box below, including:
    • IP: Type the IP address into the box, and the type of next hop will be an IP address.
    • Interface: Select an interface from the drop-down list, and the type of next hop will be an interface.
    Description | Type information about the PBR rule.
  5. On the Source tab, configure source address options for the PBR rule. The source address for the PBR rule can be an arbitrary combination between address entry, IP address, host name and IP range.
    Option | Description
    Type | IP address: To specify a source address type of "IP address", click this option button and type the IP address and netmask into the IP and Netmask box respectively.
         | Host name: To specify a source address type of "host name", click this option button and type the host name into the Host name box.
         | IP range: To specify a source address type of "IP range", click this option button and type the start IP and end IP into the Start IP and End IP box respectively.
         | Address entry: To specify a source address type of "address entry", click this option button and select an address entry from the Address entry drop-down list.
    Add | Click Add to add the source address entry to the system. All the entries that have been added will be displayed in the list below.
    Delete | Select the entry you want to delete from the list, and click Delete.
  6. On the Role/User/User group tab, configure source user options for the PBR rule. The source user for the PBR rule can be an arbitrary combination between role, user and user group.
    Option | Description
    User type | Role: To specify a source user type of "Role", click this option button and select a role from the Role drop-down list.
              | User: To specify a source user type of "User", click this option button and select an AAA server and username from the AAA server and Username drop-down list respectively.
              | User group: To specify a source user type of "User group", click this option button and select an AAA server and user group name from the AAA server and User group name drop-down list respectively.
    Add | Click Add to add the source user entry to the system. All the entries that have been added will be displayed in the list below.
    Delete | Select the entry you want to delete from the list, and click Delete.
  7. On the Destination tab, configure destination address options for the PBR rule. The destination address for the PBR rule can be an arbitrary combination between address entry, IP address, host name and IP range.
    Option | Description
    Type | IP address: To specify a destination address type of "IP address", click this option button and type the IP address and netmask into the IP address and Netmask box respectively.
         | Host name: To specify a destination address type of "host name", click this option button and type the host name in the Host name box.
         | IP range: To specify a destination address type of "IP range", click this option button and type the start IP and end IP into the Start IP and End IP box respectively.
         | Address entry: To specify a destination address type of "address entry", click this option button and select an address entry from the Address entry drop-down list.
    Add | Click Add to add the destination address entry to the system. All the entries that have been added will be displayed in the list below.
    Delete | Select the entry you want to delete from the list, and click Delete.
  8. On the Service tab, configure service type for the PBR rule. The service type for the PBR rule can be an arbitrary combination between pre-defined service, user-defined service and service group. To add a service, select a service or service group from the Available list, and click to add to the Selected list. To delete a selected service or service group, select the service or service group from the Selected list, and click .
  9. Click OK to save your changes.

Editing/Deleting/Moving a PBR Rule

To edit/delete/move a PBR rule, take the following steps:

  1. On the Navigation pane, click Configure > Network > Routing to visit the Routing page.
  2. On the Policy-based Route tab, select the rule you want to edit/delete/move from the list below, and click Edit, Delete PBR rule or Move to edit/delete/move the rule.
    Option | Description
    Top | Click this option button to move the PBR rule to the top.
    Bottom | Click this option button to move the PBR rule to the bottom.
    Before ID | Click this option button and type the ID into the box behind to move the PBR rule to the position before the ID.
    After ID | Click this option button and type the ID into the box behind to move the PBR rule to the position after the ID.

Note: Each PBR rule is labeled with a unique ID. When traffic flows into the security appliance, the device queries the PBR rules in turn and processes the traffic according to the first matched rule. However, the PBR rule ID is not related to the matching sequence during the query. You can move a PBR rule up or down to adjust the matching sequence.
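
The first-match behaviour in the note above can be checked offline before changing rule order. The following is an added example, not the appliance's own code: it models rules as a list whose position is the matching sequence, finds rules that an earlier, broader rule makes unreachable, and shows a Before ID move fixing that. The `Rule` fields, the function names, the sample addresses and the "empty service set means any service" convention are assumptions for illustration, and only IPv4 is handled.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    rule_id: int                       # unique ID; says nothing about match order
    src: str                           # "IP/netmask" or "start-end" range (IPv4)
    dst: str
    services: frozenset = frozenset()  # assumption: empty set means any service
    next_hop: str = ""
    enabled: bool = True

def span(spec):
    """(first, last) integer addresses of a CIDR block or start-end range."""
    if "-" in spec:
        return tuple(int(ipaddress.ip_address(p.strip())) for p in spec.split("-"))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def covers(outer, inner):
    (olo, ohi), (ilo, ihi) = span(outer), span(inner)
    return olo <= ilo and ihi <= ohi

def lookup(rules, src, dst, service):
    """First enabled rule in list order that matches the packet, else None."""
    for r in rules:
        if (r.enabled and covers(r.src, src + "/32") and covers(r.dst, dst + "/32")
                and (not r.services or service in r.services)):
            return r
    return None

def shadowed(rules):
    """IDs of enabled rules fully covered by an earlier enabled rule."""
    def hides(e, r):
        svc = not e.services or (r.services and r.services <= e.services)
        return e.enabled and svc and covers(e.src, r.src) and covers(e.dst, r.dst)
    return [r.rule_id for i, r in enumerate(rules)
            if r.enabled and any(hides(e, r) for e in rules[:i])]

def move_before(rules, rule_id, before_id):
    """Reorder as Move > Before ID does; the IDs themselves do not change."""
    moved = next(r for r in rules if r.rule_id == rule_id)
    rest = [r for r in rules if r.rule_id != rule_id]
    pos = next(i for i, r in enumerate(rest) if r.rule_id == before_id)
    return rest[:pos] + [moved] + rest[pos:]

# Constructed sample: a broad rule (ID 1) listed above a narrower one (ID 2).
RULES = [Rule(1, "10.1.0.0/16", "0.0.0.0/0", next_hop="192.0.2.1"),
         Rule(2, "10.1.5.10-10.1.5.20", "0.0.0.0/0", frozenset({"HTTPS"}), "198.51.100.1")]
```

With the sample order, HTTPS traffic from 10.1.5.12 follows rule 1 and rule 2 never matches; `move_before(RULES, 2, 1)` puts the narrower rule first so it takes effect, while other traffic from 10.1.0.0/16 still falls through to rule 1.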

Enabling/Disabling a PBR Rule

By default the configured PBR rules will take effect immediately. You can disable a rule to end its control over traffic.

To enable or disable a PBR rule, take the following steps:

  1. On the Navigation pane, click Configure > Network > Routing to visit the Routing page.
  2. On the Policy-based Route tab, select the rule you want to enable/disable from the list below, and click Enable/Disable to enable/disable the rule.

Deleting a Policy-based Route

To delete a policy-based route, take the following steps:

  1. On the Navigation pane, click Configure > Network > Routing to visit the Routing page.
  2. On the Policy-based Route tab, click Delete PBR.
  3. In the Policy-based Route Deleting dialog, select a name from the PBR name drop-down list, and click OK to delete it. All the related PBR rules will be deleted as well.

Applying a Policy-based Route

You can apply a policy-based route by binding it to an interface or zone. To apply a policy-based route, take the following steps:

  1. On the Navigation pane, click Configure > Network > Routing to visit the Routing page.
  2. On the Policy-based Route tab, click Bind to.
  3. In the Policy-base Route Binding dialog, select a route from the PBR name drop-down list, and select an interface or zone from the Bind to drop-down list.
  4. Click OK to save your changes.