WatchGuard Support Center


000013128
Configure policy-based routing in Fireware v12.2.1 or lower

Information
How do I configure policy-based routing in Fireware v12.2.1 or lower?

In Fireware v12.3 or higher, SD-WAN replaces policy-based routing. For information about SD-WAN, see About SD-WAN in Fireware Help.

In Fireware v12.2.1 or lower, to route traffic to a different external interface, you must use policy-based routing. This topic explains how to configure policy-based routing in Fireware v12.2.1 or lower.

Configure Policy-Based Routing

To send network traffic, a router usually examines the destination address in the packet and looks at the routing table to find the next-hop destination. In some cases, you want to send traffic to a different path than the default route specified in the routing table. You can configure a policy with a specific external interface to use for all outbound traffic that matches that policy. This technique is known as policy-based routing. Policy-based routing takes precedence over other multi-WAN and virtual BOVPN interface settings.

Policy-based routing can be used when you have more than one external interface and have configured your Firebox for multi-WAN or if you configure a virtual BOVPN interface. With policy-based routing, you can make sure that all traffic for a policy always goes out through the same external interface, even if your multi-WAN or virtual BOVPN interface configuration is set to send traffic in a round-robin configuration. For example, if you want email to be routed through a particular interface, you can use policy-based routing in the SMTP-proxy or POP3-proxy definition.

Policy-Based Routing, Failover, and Failback

To configure policy-based routing, you select the Use policy-based routing option in an existing policy and select an external interface. Any non-IPSec traffic that matches the policy is sent through the interface you specify.

If the interface becomes unavailable, the policy drops the traffic until the interface is available again. To help ensure that traffic continues to flow if the interface becomes unavailable, you can specify an external interface for failover in the policy settings. When the primary interface is available again, new connections fail back to the primary interface. Active connections do not fail back and remain on the failover interface.

The failback settings in the multi-WAN configuration on your Firebox do not apply to policy-based routing.

Restrictions on Policy-Based Routing

  • Policy-based routing is available only if multi-WAN is enabled or if you have configured a virtual BOVPN interface. When either of these features is enabled, the policy configuration automatically includes the settings to configure policy-based routing.
  • By default, policy-based routing is not enabled.
  • Policy-based routing does not apply to IPSec traffic, or to traffic destined for the trusted or optional network (incoming traffic). It selects the external interface for new outbound connections only.
  • Policy-based routing can only use an external interface. You cannot specify an interface that is configured for static NAT or 1-to-1 NAT, or any interface type other than external.
  • The external interface you select must be a member of the alias or network that you set in the To list for your policy.
    Make sure that the To list of the policy includes all external interfaces. If the multi-WAN configuration selects an external interface that is not a member of the alias or network in the To list of the policy, the policy does not apply to the connection and policy-based routing does not function.

Add Policy-Based Routing to a Policy

To add policy-based routing to a policy, from Fireware Web UI:

  1. Select Firewall > Firewall Policies.
  2. Select the check box for a policy and select Action > Edit Policy.
    Or, double-click a policy.
    The Edit page appears.
  3. Select the Use policy-based routing check box.
    Screen shot of a policy with policy-based routing enabled
  4. To specify the interface to use to send outbound traffic that matches the policy, from the adjacent drop-down list, select an external interface name.
  5. (Optional) Configure policy-based routing with multi-WAN failover, as described in the next section.
    If you do not select Failover and the interface you set for this policy becomes inactive, traffic is dropped until the interface becomes available again. The Failover option is not available if you select a virtual BOVPN interface for policy-based routing.
  6. Click Save.

To add policy-based routing to a policy, from Policy Manager:

  1. Open Policy Manager.
  2. Select a policy and click Edit.
    Or, double-click a policy.
    The Edit Policy Properties dialog box appears.
  3. Select the Use policy-based routing check box.
    Screen shot of a policy with policy-based routing enabled
  4. To specify the interface to use to send outbound traffic that matches the policy, from the adjacent drop-down list, select an external interface name.
  5. (Optional) Configure policy-based routing with multi-WAN failover, as described in the next section.
    If you do not select Failover and the interface you set for this policy becomes inactive, traffic is dropped until the interface becomes available again. The Failover option is not available if you select a virtual BOVPN interface for policy-based routing.
  6. Click OK.

Configure Policy-Based Routing with Failover

You can set the interface you specified for this policy as the primary interface, and define other external interfaces as backup interfaces for all non-IPSec traffic. If the primary interface you set for a policy is not active, traffic is sent to the backup interface or interfaces you specify.

To configure policy-based routing with failover, from Fireware Web UI:

  1. On the Edit page for the policy, below the Use policy-based routing check box, select the Use Failover check box.
  2. From the list, select the check box for each interface to use in the failover configuration.
  3. To set the order for failover, select an item in the list and click Move Up or Move Down.
    The first interface in the list is the primary interface.
  4. Click Save.

To configure policy-based routing with failover, from Policy Manager:

  1. In the Edit Policy Properties dialog box, select Failover.
  2. To add backup interfaces for this policy, click Configure.
    The Policy Failover Configuration dialog box appears.
    Screen shot of the policy failover configuration
  3. In the Include column, select the check box for each interface to use in the failover configuration.
  4. To set the order for failover, click Move Up or Move Down.
    The first interface in the list is the primary interface.
  5. Click OK to close the Policy Failover Configuration dialog box.
  6. Click OK to close the Edit Policy Properties dialog box.
  7. Save the Configuration File.

Conversion to SD-WAN in Fireware v12.3 or Higher

When you upgrade to Fireware v12.3, policy-based routing without failover is converted to an SD-WAN action with a single interface. Policy-based routing with failover is converted to an SD-WAN action with multiple interfaces. In Policy Manager, the policy-based routing setting is still available for backwards compatibility with older Fireware OS versions. For more information about policy-based routing, see the WatchGuard Knowledge Base.

Before You Upgrade to Fireware v12.4 or Higher

It is important to understand that policy-based routing applies to new connections that initiate traffic. Policy-based routing does not apply to reply traffic. You cannot use policy-based routing to force reply traffic out of a specific interface.

Before Fireware v12.4, the Firebox silently ignored policy-based routing settings that have no effect in a policy that uses SNAT or 1-to-1 NAT. The SD-WAN enhancements introduced in Fireware v12.4 mean these settings are no longer ignored, so when you upgrade to Fireware v12.4 or higher, the Firebox automatically removes policy-based routing from some inbound NAT policies. Before you upgrade to Fireware v12.4 or higher, see Inbound NAT policies that include SD-WAN actions or policy-based routing.
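The restrictions listed earlier on this page (PBR interface must be external and in the To list, the To list should cover all external interfaces, no failover with a virtual BOVPN interface) and the upgrade caveat above about SNAT and 1-to-1 NAT policies are easy to violate in the Web UI without any warning. The following Python script is an added example, not WatchGuard code and not a parser of the Fireware configuration file: it lints a simplified, hypothetical policy model against those rules and shows which interface a new connection would leave through under the failover order described in the failover section. The `Interface`, `Policy`, alias table and sample policies are all constructed for this example.

```python
"""Added example: lint policy-based routing (PBR) settings against the
restrictions in this article and evaluate the failover order.

The Interface/Policy model, the interface "kind" labels and the alias
table are a hypothetical simplification invented for this example; they
are not the Fireware configuration schema and this is not WatchGuard code.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Interface:
    name: str
    kind: str            # assumed labels: "External", "Trusted", "Optional", "BOVPN-Virtual"
    up: bool = True      # link state used by interface_for_new_connection


@dataclass
class Policy:
    name: str
    to: list                                      # To list: interface or alias names
    pbr_interface: Optional[str] = None           # None = "Use policy-based routing" unchecked
    failover: list = field(default_factory=list)  # ordered backup interfaces
    inbound_nat: bool = False                     # policy uses SNAT or 1-to-1 NAT


def expand_to_list(to, aliases):
    """Resolve alias names in a To list to the set of interface names they contain."""
    names = set()
    for entry in to:
        names.update(aliases.get(entry, {entry}))
    return names


def lint_policy(policy, interfaces, aliases):
    """Return (severity, message) tuples for PBR problems in one policy."""
    if policy.pbr_interface is None:
        return []                      # PBR is off by default; nothing to check
    findings = []
    by_name = {i.name: i for i in interfaces}
    externals = {i.name for i in interfaces if i.kind == "External"}
    to_names = expand_to_list(policy.to, aliases)
    primary = by_name.get(policy.pbr_interface)
    if primary is None:
        return [("error", f"{policy.name}: PBR interface {policy.pbr_interface!r} does not exist")]
    # Only an external interface (or a virtual BOVPN interface) can be selected.
    if primary.kind not in ("External", "BOVPN-Virtual"):
        findings.append(("error", f"{policy.name}: {primary.name} is {primary.kind}; "
                         "PBR can only use an external or virtual BOVPN interface"))
    # Every interface PBR may pick must be a member of the To list, or the policy never matches.
    for name in [policy.pbr_interface] + policy.failover:
        if name not in to_names:
            findings.append(("error", f"{policy.name}: {name} is not in the To list {policy.to}; "
                             "policy-based routing will not function"))
    if policy.failover and primary.kind == "BOVPN-Virtual":
        findings.append(("error", f"{policy.name}: failover is not available "
                         "with a virtual BOVPN interface"))
    for name in policy.failover:
        backup = by_name.get(name)
        if backup is None or backup.kind != "External":
            findings.append(("error", f"{policy.name}: failover interface {name!r} "
                             "is not an external interface"))
    # Multi-WAN may choose any external interface; if it is absent from the To list the policy is skipped.
    missing = externals - to_names
    if missing:
        findings.append(("warning", f"{policy.name}: To list lacks external interface(s) "
                         f"{sorted(missing)}; connections on them will not match this policy"))
    if not policy.failover and primary.kind == "External":
        findings.append(("warning", f"{policy.name}: no failover; traffic is dropped "
                         f"while {primary.name} is down"))
    if policy.inbound_nat:
        findings.append(("warning", f"{policy.name}: PBR on an SNAT/1-to-1 NAT policy is "
                         "removed automatically on upgrade to Fireware v12.4 or higher"))
    return findings


def interface_for_new_connection(policy, interfaces, ipsec=False):
    """Interface a new connection matching the policy leaves through.

    Returns "routing-table" when PBR does not apply (IPSec traffic or PBR off),
    the first interface in primary-then-failover order that is up, or None when
    every candidate is down (the policy drops the traffic).
    """
    if ipsec or policy.pbr_interface is None:
        return "routing-table"
    state = {i.name: i.up for i in interfaces}
    for name in [policy.pbr_interface] + policy.failover:
        if state.get(name):
            return name
    return None


# Constructed sample configuration for the demo (not exported from a Firebox).
INTERFACES = [
    Interface("External-1", "External", up=False),   # primary WAN link currently down
    Interface("External-2", "External"),
    Interface("Trusted", "Trusted"),
    Interface("BOVPN-Virtual-HQ", "BOVPN-Virtual"),
]
ALIASES = {"Any-External": {"External-1", "External-2"}}   # assumed alias membership
POLICIES = [
    Policy("SMTP-proxy", to=["Any-External"], pbr_interface="External-1", failover=["External-2"]),
    Policy("HTTP", to=["External-1"], pbr_interface="External-1"),
    Policy("FTP-in", to=["Trusted"], pbr_interface="Trusted", inbound_nat=True),
    Policy("DNS", to=["Any-External"]),
]


def lint_all(policies=POLICIES, interfaces=INTERFACES, aliases=ALIASES):
    """Lint every policy; returns {policy name: findings}."""
    return {p.name: lint_policy(p, interfaces, aliases) for p in policies}


if __name__ == "__main__":
    for name, findings in lint_all().items():
        for severity, message in findings:
            print(f"[{severity}] {message}")
    for p in POLICIES[:2]:
        print(f"{p.name}: new connection ->", interface_for_new_connection(p, INTERFACES))
```

In the sample, SMTP-proxy is clean and, with External-1 down, sends new connections out External-2; HTTP is valid but gets two warnings (its To list omits External-2, and it has no failover so traffic is dropped while External-1 is down); FTP-in fails the external-interface rule and is flagged for removal at the v12.4 upgrade. The "active connections do not fail back" behaviour is not modelled: this function only decides the interface for a new connection, which is exactly where PBR applies.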

See Also

About Multi-WAN in Fireware Help
About Policy Properties in Fireware Help
About SD-WAN in Fireware Help