Configure Policy-Based Routing

To send network traffic, a router usually examines the destination address in the packet and looks at the routing table to find the next-hop destination. In some cases, you want to send traffic to a different path than the default route specified in the routing table. You can configure a policy with a specific external interface to use for all outbound traffic that matches that policy. This technique is known as policy-based routing. Policy-based routing takes precedence over other multi-WAN settings.

Policy-based routing can be used when you have more than one external interface and have configured your XTM device for multi-WAN. With policy-based routing, you can make sure that all traffic for a policy always goes out through the same external interface, even if your multi-WAN configuration is set to send traffic in a round-robin configuration. For example, if you want email to be routed through a particular interface, you can use policy-based routing in the SMTP-proxy or POP3-proxy definition.

To use policy-based routing, you must have Fireware XTM with a Pro upgrade. You must also configure at least two external interfaces.

Policy-Based Routing, Failover, and Failback

When you use policy-based routing with multi-WAN failover, you can specify whether traffic that matches the policy uses another external interface when failover occurs. The default setting is to drop traffic until the interface is available again.

Failback settings (defined on the Multi-WAN tab of the Network Configuration dialog box) also apply to policy-based routing. If a failover event occurs, and the original interface later becomes available, the XTM device can continue to send active connections through the failover interface, or it can fail back to the original interface. New connections are sent to the original interface.

Restrictions on Policy-Based Routing

Add Policy-Based Routing to a Policy

  1. Select Firewall > Firewall Policies.
  2. Select a policy and click .
    Or, double-click a policy.
    The Policy Configuration page appears.
  3. Select the Use policy-based routing check box.

Screen shot of the Policy-based routing options on a Policy Configuration page

  4. To specify the interface to send outbound traffic that matches the policy, select the interface name from the adjacent drop-down list. Make sure that the interface you select is a member of the alias or network that you set in the To list for your policy.
  5. (Optional) Configure policy-based routing with multi-WAN failover as described below. If you do not select Failover and the interface you set for this policy becomes inactive, traffic is dropped until the interface becomes available again.
  6. Click Save.

Configure Policy-Based Routing with Failover

You can set the interface you specified for this policy as the primary interface, and define other external interfaces as backup interfaces for all non-IPSec traffic. If the primary interface you set for a policy is not active, traffic is sent to the backup interface or interfaces you specify.

  1. On the Policy Configuration page, select Use Failover.
  2. In the adjacent list, select the check box for each interface you want to use in the failover configuration.
  3. To set the order for failover, click Move Up and Move Down.
    The first interface in the list is the primary interface.
  4. Click Save.
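
The routing decision described in the sections above, written out as a small Python model. This is an added example, not WatchGuard code or a Fireware export format. The PbrPolicy shape, the interface names, and the boolean fail_back flag (which stands in for the Multi-WAN failback setting) are assumptions made for illustration, and IPSec traffic is not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class PbrPolicy:                      # constructed shape, not a Fireware export format
    name: str
    primary: str                      # interface picked in the PBR drop-down list
    to_members: set                   # interfaces covered by the policy's To list
    use_failover: bool = False
    backups: list = field(default_factory=list)   # ordered, after the primary

def select_egress(policy, up):
    """Interface for a NEW connection, or None when the traffic is dropped.
    `up` is the set of external interfaces that are currently active."""
    if not policy.use_failover:
        # Default behaviour: drop until the chosen interface is available again.
        return policy.primary if policy.primary in up else None
    for iface in [policy.primary, *policy.backups]:   # first active entry wins
        if iface in up:
            return iface
    return None

def egress_for_active(policy, current, up, fail_back):
    """Interface for a connection already running on `current`.
    `fail_back` stands in for the Multi-WAN failback setting (assumed boolean)."""
    if fail_back or current not in up:
        return select_egress(policy, up)
    return current                    # stays on the failover interface

def audit(policy):
    """Configuration findings a reviewer would raise for one policy."""
    findings = []
    if policy.primary not in policy.to_members:
        findings.append("PBR interface is not a member of the To list")
    if not policy.use_failover:
        findings.append("no failover: traffic is dropped while the interface is down")
    return findings

# Constructed sample policies and interface names.
smtp = PbrPolicy("SMTP-proxy", "External-1", {"External-1", "External-2"},
                 use_failover=True, backups=["External-2"])
pop3 = PbrPolicy("POP3-proxy", "External-2", {"External-1"})

if __name__ == "__main__":
    print(select_egress(smtp, {"External-2"}))   # primary down, backup used
    print(select_egress(pop3, {"External-1"}))   # no failover, traffic dropped
    print(audit(pop3))
```

Running audit over every policy that uses policy-based routing shows which services stop passing traffic during an outage of their chosen interface.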

See Also

About Using Multiple External Interfaces

About Policy Properties
