How do I configure policy-based routing in Fireware v12.2.1 or lower?
In Fireware v12.3 or higher, SD-WAN replaces policy-based routing. For information about SD-WAN, see About SD-WAN in Fireware Help.
Configure Policy-Based Routing
To send network traffic, a router usually examines the destination address in the packet and looks at the routing table to find the next-hop destination. In some cases, you want to send traffic to a different path than the default route specified in the routing table. You can configure a policy with a specific external interface to use for all outbound traffic that matches that policy. This technique is known as policy-based routing. Policy-based routing takes precedence over other multi-WAN and virtual BOVPN interface settings.
You can use policy-based routing when your Firebox has more than one external interface and is configured for multi-WAN, or when you configure a virtual BOVPN interface. With policy-based routing, you can make sure that all traffic for a policy always goes out through the same external interface, even if your multi-WAN or virtual BOVPN interface configuration is set to send traffic in a round-robin configuration. For example, if you want email to be routed through a particular interface, you can use policy-based routing in the SMTP-proxy or POP3-proxy definition.
Policy-Based Routing, Failover, and Failback
To configure policy-based routing, you select the Use policy-based routing option in an existing policy and select an external interface. Any non-IPSec traffic that matches the policy is sent through the interface you specify.
If the interface becomes unavailable, the policy drops the traffic until the interface is available again. To help ensure that traffic continues to flow if the interface becomes unavailable, you can specify an external interface for failover in the policy settings. When the primary interface is available again, new connections fail back to the primary interface. Active connections do not fail back and remain on the failover interface.
The failback settings in the multi-WAN configuration on your Firebox do not apply to policy-based routing.
Restrictions on Policy-Based Routing
Add Policy-Based Routing to a Policy
To add policy-based routing to a policy, from Fireware Web UI:
To add policy-based routing to a policy, from Policy Manager:
Configure Policy-Based Routing with Failover
You can set the interface you specified for this policy as the primary interface, and define other external interfaces as backup interfaces for all non-IPSec traffic. If the primary interface you set for a policy is not active, traffic is sent to the backup interface or interfaces you specify.
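The following Python model is an added example, not WatchGuard code, and it does not talk to a Firebox. It simulates the egress decision the two failover paragraphs above describe: non-IPSec traffic that matches the policy goes out the selected primary interface, falls over to the first available backup interface when the primary is down, is dropped when no configured interface is available, and after the primary returns only new connections fail back while active connections stay on the failover interface. Interface names, the policy name and the connection identifiers are constructed for the example; how an active connection behaves when the interface it is pinned to goes down is not stated on the page and is treated here as an assumption (it is re-evaluated against the remaining interfaces).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sentinel returned for traffic that policy-based routing does not handle
# (IPSec traffic), which the Firebox routes by its normal routing table.
ROUTING_TABLE = "routing-table"


@dataclass
class PbrPolicy:
    """A policy with 'Use policy-based routing' enabled (constructed model)."""
    name: str
    primary: str                      # interface selected in the policy
    failover: List[str] = field(default_factory=list)  # ordered backup interfaces


@dataclass
class PbrRouter:
    """Minimal simulation of a Firebox applying one policy's routing rule."""
    policy: PbrPolicy
    interface_up: Dict[str, bool]                         # interface -> link state
    active: Dict[str, str] = field(default_factory=dict)  # conn id -> pinned interface

    def egress_for(self, conn_id: str, ipsec: bool = False) -> Optional[str]:
        """Return the egress interface for a packet of connection conn_id,
        or None when the policy drops the traffic."""
        if ipsec:
            # Policy-based routing applies only to non-IPSec traffic.
            return ROUTING_TABLE

        pinned = self.active.get(conn_id)
        if pinned is not None and self.interface_up.get(pinned, False):
            # Active connections do not fail back: they stay where they are.
            return pinned

        # Assumption: a connection whose pinned interface went down is
        # re-evaluated like a new connection (the page does not specify this).
        for iface in [self.policy.primary] + self.policy.failover:
            if self.interface_up.get(iface, False):
                self.active[conn_id] = iface
                return iface

        # No configured interface is available: the policy drops the traffic.
        self.active.pop(conn_id, None)
        return None


def failover_scenario() -> List[Optional[str]]:
    """Walk through primary up -> primary down -> primary back, with failover."""
    policy = PbrPolicy("SMTP-proxy", primary="External-1", failover=["External-2"])
    fb = PbrRouter(policy, {"External-1": True, "External-2": True})
    log = []
    log.append(fb.egress_for("c1"))            # new conn, primary up   -> External-1
    fb.interface_up["External-1"] = False      # primary goes down
    log.append(fb.egress_for("c2"))            # new conn               -> External-2
    log.append(fb.egress_for("c1"))            # pinned iface down      -> External-2 (assumption)
    fb.interface_up["External-1"] = True       # primary is back
    log.append(fb.egress_for("c3"))            # new conn fails back    -> External-1
    log.append(fb.egress_for("c2"))            # active conn stays      -> External-2
    log.append(fb.egress_for("vpn", ipsec=True))  # IPSec is not subject to PBR
    return log


def no_failover_scenario() -> List[Optional[str]]:
    """Without a failover interface, traffic is dropped while the primary is down."""
    policy = PbrPolicy("POP3-proxy", primary="External-1")
    fb = PbrRouter(policy, {"External-1": True, "External-2": True})
    log = [fb.egress_for("c1")]                # External-1
    fb.interface_up["External-1"] = False
    log.append(fb.egress_for("c1"))            # None: dropped, not rerouted
    fb.interface_up["External-1"] = True
    log.append(fb.egress_for("c1"))            # External-1 again once it is back
    return log


if __name__ == "__main__":
    print("with failover:   ", failover_scenario())
    print("without failover:", no_failover_scenario())
```

The two scenario functions are what a reader would compare against the text: the first shows that failback is a property of new connections only, the second that a policy without a failover interface does not silently use another external interface but drops the traffic, which is the behaviour to watch for in a multi-WAN design that relies on policy-based routing.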
To configure policy-based routing with failover, from Policy Manager:
Conversion to SD-WAN in Fireware v12.3 or Higher
When you upgrade to Fireware v12.3, policy-based routing without failover is converted to an SD-WAN action with a single interface. Policy-based routing with failover is converted to an SD-WAN action with multiple interfaces. In Policy Manager, the policy-based routing setting is still available for backwards compatibility with older Fireware OS versions. For more information about policy-based routing, see the WatchGuard Knowledge Base.
Before You Upgrade to Fireware v12.4 or Higher
It is important to understand that policy-based routing applies to new connections that initiate traffic. Policy-based routing does not apply to reply traffic. You cannot use policy-based routing to force reply traffic out of a specific interface.
Because of SD-WAN enhancements introduced in Fireware v12.4, the Firebox no longer ignores unnecessary policy-based routing in a policy with SNAT or 1-to-1 NAT. When you upgrade to Fireware v12.4 or higher, the Firebox therefore automatically removes policy-based routing from some inbound NAT policies. Before you upgrade to Fireware v12.4 or higher, see Inbound NAT policies that include SD-WAN actions or policy-based routing.