Legal Disclaimer: The resource assets in this website may include abbreviated and/or legacy terminology for HPE Aruba Networking products. See www.arubanetworks.com for current and complete HPE Aruba Networking product lines and names.
Configuring PBR Policies
PBR (Policy-Based Routing) provides a flexible mechanism for forwarding packets based on policies configured by a network administrator, rather than on the destination-based routing table alone. To configure a PBR policy on Branch Gateways, complete the following steps:
- To configure a gateway group or a gateway device, complete either one of these steps:
  - To select a gateway group:
    - In the Classic Central app, set the filter to a group that contains at least one Branch Gateway.
      The dashboard context for the group is displayed.
    - Under , click > .
      A list of gateways is displayed in the List view.
    - Click .
      The configuration page is displayed for the selected group.
  - To select a gateway:
    - In the Classic Central app, set the filter to Global or a group that contains at least one Branch Gateway.
    - Under , click > .
      A list of gateways is displayed in the List view.
    - Click a gateway under .
      The dashboard context for the gateway is displayed.
    - Under , click .
      The gateway device configuration page is displayed.
- If you are in the , click to access the advanced configuration options.
- Click > .
- Click below the table to create a new routing policy.
- Enter a name for the policy and save the changes.
- Select the policy from the table.
  The Policy > <policy name> Rules table is displayed.
- Click to add a rule that restricts packet flow or permits access to a network or service, and configure the following parameters:
Table 1: Routing Rule Parameters

Source. The source of the traffic, which can be one of the following:
- Alias—Use an alias for a host or network. When this option is selected, specify the source alias in the Source alias field. For more information on setting up a network alias, see Configuring Policies and Access Control.
- Any—Acts as a wildcard and matches any source address.
- Host—Traffic from a specific host. When this option is selected, specify the IPv4 address of the host in the IP (version v4) field.
- Network—Traffic whose source IP address lies in a subnet (a logical division of an IP network). When this option is selected, specify the network address in the IP (version v4) field and the network mask in the Netmask (version 4) field.
- User—Traffic from the wireless client.

Destination. The destination of the traffic, which can be one of the following:
- Alias—Use an alias for a host or network. When this option is selected, specify the destination alias in the Destination alias field. For more information on setting up a network alias, see Configuring Policies and Access Control.
- Any—Acts as a wildcard and matches any destination address.
- Host—Traffic to a specific host. When this option is selected, specify the IPv4 address of the host in the IP (version v4) field.
- Network—Traffic whose destination IP address lies in a subnet. When this option is selected, specify the network address in the IP (version v4) field and the network mask in the Netmask (version 4) field.
- User—Traffic to the wireless client.

Type of traffic. One of the following:
- Any—The rule applies to any type of traffic.
- App Category—Match an application category. Select the category from the drop-down list.
- Application—Match a specific application. Select the application from the drop-down list.
- Protocol—Match a specific IP protocol (not a routing protocol). Enter the protocol name.
- Service—Match one of the pre-defined services (common protocols such as HTTPS and HTTP, and other services).
- Services Alias—Match a service alias. Select the service alias from the drop-down list.
- TCP—Match a range of TCP destination ports. The supported range is 1 to 65535.
  - Start Port—The first TCP port of the range.
  - End Port—The last TCP port of the range.
- UDP—Match a range of UDP destination ports. The supported range is 1 to 65535.
  - Start Port—The first UDP port of the range.
  - End Port—The last UDP port of the range.
- Web Category—Match a web content category. Select the category from the drop-down list.
- Web Reputation—Match a predefined web reputation level. Select the reputation level from the drop-down list.

Action. The action that the Branch Gateway performs on a packet that matches the rule:
- Forward Regularly—Forward the traffic by regular routing, without a policy-defined path.
- Forward to Cluster—Forward the traffic to a gateway cluster.
- Forward to IPsec Map—Forward the traffic through an IPsec map (IPsec is a protocol suite that authenticates and encrypts each IP packet of a session). Select the map in the IPsec map name drop-down list.
- Forward to IPsec Map to VPNC—Forward the traffic through an IPsec map to a VPNC. Select the cluster, VPNC and uplink in the Cluster, VPNC and Uplink tag drop-down lists.
  The VPNC drop-down list does not show the configured VPNCs if Clustered hub groups is configured as the preferred data center (VPN > SD-WAN Overlay > DC Preference). To view the configured VPNCs, enable Orchestrated mode and configure Hubs as the preferred data center. For more information, see Setting Data Center Preference.
- Forward to Nexthop List—Forward the traffic to a next-hop list. Select the list in the Name of next-hop-list drop-down list.
- Forward to tunnel—Forward the traffic to a tunnel.
- Forward to tunnel-group—Forward the traffic to a tunnel group.

Position. The position of the rule in the Policy <policy name> table, where 1 is evaluated first. If you do not specify a position, the rule is added at the end. Rules are evaluated in order and the first matching rule decides the action, so place specific rules (for example, a subnet that must go through an IPsec map) above broad any/any rules; otherwise the broad rule shadows them and the traffic takes the wrong path.
- Click Save Settings.
The following animation shows you how to configure a policy for PBR.
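As an added example (it is not part of the HPE Aruba Networking documentation and not Aruba code), the following Python models how an ordered PBR policy like the one built in the steps above behaves: each rule matches on source, destination and service, the rules are evaluated top-down, the first match selects the action, and a broad rule inserted at position 1 shadows every rule below it. The top-down first-match evaluation order is assumed (it matches ACL semantics on ArubaOS gateways); the subnets, action names and the shadow check are constructed for illustration and do not correspond to any Central field or API.

```python
"""Ordered PBR policy model with top-down, first-match evaluation (assumed order,
as for ArubaOS ACLs). Constructed example; not HPE Aruba Networking code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY_NET: IPv4Network = ip_network("0.0.0.0/0")  # the "Any" wildcard


def net(spec: str) -> IPv4Network:
    """Parse 'any', a host address ('10.1.1.5') or a subnet ('10.20.0.0/16')."""
    return ANY_NET if spec == "any" else ip_network(spec, strict=False)


@dataclass(frozen=True)
class Service:
    """Traffic type: 'any', or tcp/udp with an inclusive port range within 1..65535."""
    proto: str = "any"
    start: int = 1
    end: int = 65535

    def __post_init__(self) -> None:
        if self.proto not in ("any", "tcp", "udp"):
            raise ValueError(f"unsupported protocol {self.proto!r}")
        if not 1 <= self.start <= self.end <= 65535:
            raise ValueError("port range must lie within 1..65535")

    def matches(self, proto: str, port: int) -> bool:
        return self.proto == "any" or (
            self.proto == proto and self.start <= port <= self.end)

    def covers(self, other: "Service") -> bool:
        """True if every packet matching `other` also matches this service."""
        if self.proto == "any":
            return True
        return (self.proto == other.proto
                and self.start <= other.start and other.end <= self.end)


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    service: Service
    action: str  # constructed labels, e.g. "forward", "ipsec-map:dc-finance"

    def matches(self, src: IPv4Address, dst: IPv4Address, proto: str, port: int) -> bool:
        return src in self.src and dst in self.dst and self.service.matches(proto, port)

    def covers(self, other: "Rule") -> bool:
        """True if this rule matches every packet `other` would match."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.service.covers(other.service))


class PBRPolicy:
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule, position: Optional[int] = None) -> None:
        """Position 1 is evaluated first; an omitted position appends the rule last."""
        if position is None:
            self.rules.append(rule)
        elif 1 <= position <= len(self.rules) + 1:
            self.rules.insert(position - 1, rule)
        else:
            raise ValueError("position out of range")

    def route(self, src: str, dst: str, proto: str = "any", port: int = 0) -> Optional[str]:
        """Action of the first matching rule, or None when no rule matches."""
        s, d = ip_address(src), ip_address(dst)
        for rule in self.rules:
            if rule.matches(s, d, proto, port):
                return rule.action
        return None

    def shadowed(self) -> List[int]:
        """1-based positions of rules that can never match because an earlier rule covers them."""
        return [i + 1 for i, r in enumerate(self.rules)
                if any(earlier.covers(r) for earlier in self.rules[:i])]


def example_policy() -> PBRPolicy:
    """Constructed branch policy: finance subnet through the DC IPsec map,
    everyone else's HTTPS straight out via a next-hop list, the rest forwarded regularly."""
    policy = PBRPolicy("branch-pbr")
    policy.add_rule(Rule(net("10.20.0.0/16"), ANY_NET, Service(), "ipsec-map:dc-finance"))
    policy.add_rule(Rule(ANY_NET, ANY_NET, Service("tcp", 443, 443), "nexthop-list:isp-direct"))
    policy.add_rule(Rule(ANY_NET, ANY_NET, Service(), "forward"))
    return policy


if __name__ == "__main__":
    policy = example_policy()
    print(policy.route("10.20.5.7", "203.0.113.10", "tcp", 443))  # ipsec-map:dc-finance
    print(policy.route("10.30.5.7", "203.0.113.10", "tcp", 443))  # nexthop-list:isp-direct
    # A catch-all inserted at position 1 silently shadows every rule below it.
    policy.add_rule(Rule(ANY_NET, ANY_NET, Service(), "forward"), position=1)
    print("shadowed positions:", policy.shadowed())  # [2, 3, 4]
```

Running `shadowed()` after every change to the rule order is the check to make before saving: a rule that the finance subnet should hit is useless if an any/any rule above it catches the packets first, and the gateway gives no warning about it.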
