Policy Based Routing
You can control traffic forwarding in great detail using policy based routing (PBR). When you use PBR, you create routing tables of static routes (Action Tables), and direct traffic to the appropriate tables using Policy Rules.
Policy Rules
The Policy Rules specify what traffic is matched. You can route traffic by matching on one or more of the following:
- Security Gateway interface.
- Source IPv4 address and subnet mask.
- Destination IPv4 address and subnet mask.
The Policy Rules also specify the action to take if the traffic is matched:
- Prohibit: Send a Prohibit message to the sending host.
- Unreachable: Send an Unreachable message to the sending host.
- Table: Do the actions defined in an Action Table.
You can define many Policy Rules. Traffic is matched to all the rules, one rule at a time, according to the priority that is configured for the rule.
Action Tables
The Action Tables define the static routes, that is, where the traffic is sent. You define the destination of the route and the next hop gateway to that destination.
Static Route Priorities
PBR static routes have priority over static routes in the routing table. When a packet arrives at the Gaia Security Gateway, the packet is checked for a match to a PBR static route. If it matches, the packet is forwarded according to the priority of the PBR static route. If the packet does not match a PBR static route, the packet is forwarded according to the priority of the static routes in the routing table.
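To check how a planned policy will treat specific flows before committing it on the gateway, the following added example (not Check Point's code) models the evaluation order described above: Policy Rules by priority (1 highest), then the matched Action Table's static routes, then the system routing table. The table and rule values from this page's CLI examples are reused; the other routes, rules and packets are constructed, and the fall-through behaviour for a matched rule whose table holds no route for the destination is an assumption.

```python
from ipaddress import ip_address, ip_network

# Action Tables (name -> static routes). Each route is (destination, next-hop kind,
# value); kinds mirror the page: "gateway" (Normal), "reject", "blackhole".
ACTION_TABLES = {
    "PBRtable2": [("192.0.2.0/24", "gateway", "eth0"),   # from the page's CLI example
                  ("default", "blackhole", None)],       # constructed
}
# Policy Rules as (priority, match criteria, (action, argument)); 1 is the highest
# priority. Listed out of order on purpose: evaluation is by priority, not position.
POLICY_RULES = [
    (3, {"interface": "eth2"}, ("table", "PBRtable2")),                       # from the page
    (1, {"from": "10.0.0.0/8", "to": "203.0.113.0/24"}, ("prohibit", None)),  # constructed
]
# System routing table, consulted only when PBR yields no route (constructed).
SYSTEM_ROUTES = [("203.0.113.0/24", "gateway", "eth1"), ("default", "gateway", "eth0")]

def lookup(routes, dst):
    """Longest-prefix match over static routes; 'default' is 0.0.0.0/0."""
    best = None
    for dest, kind, value in routes:
        net = ip_network("0.0.0.0/0" if dest == "default" else dest)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, kind, value)
    return None if best is None else (best[1], best[2])

def matches(criteria, pkt):
    """All configured criteria (interface, from, to) must hold for the rule to match."""
    if "interface" in criteria and pkt["interface"] != criteria["interface"]:
        return False
    return all(ip_address(pkt[k]) in ip_network(criteria[k])
               for k in ("from", "to") if k in criteria)

def forward(pkt):
    """Decide the fate of a packet {interface, from, to}: (action or next-hop kind, value)."""
    for _prio, criteria, (action, arg) in sorted(POLICY_RULES, key=lambda r: r[0]):
        if not matches(criteria, pkt):
            continue
        if action in ("prohibit", "unreachable"):
            return (action, None)
        hit = lookup(ACTION_TABLES[arg], pkt["to"])
        if hit is not None:
            return hit
        break  # assumption: the first matching rule wins, and a table with no
               # matching route falls through to the system routing table
    hit = lookup(SYSTEM_ROUTES, pkt["to"])
    return hit if hit is not None else ("unreachable", None)

if __name__ == "__main__":
    print(forward({"interface": "eth2", "from": "192.168.1.5", "to": "192.0.2.10"}))
```

The third packet below matches both rules, and the priority-1 prohibit wins even though the priority-3 rule appears first in the list.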
Configuring Policy Based Routing - WebUI
The workflow for configuring Policy Based Routing (PBR) is:
- In the Gaia WebUI, go to the page.
- Configure one or more Action Tables. The Action Tables define the static routes, that is, where the traffic is sent. You define the destination of the route and the next hop gateway to that destination.
- Configure Policy Rules. Define the traffic to match and the action to take if the traffic is matched. One of the possible Actions is to forward traffic to the static routes defined in an Action Table.
To Add an Action Table:
- In the section of the page, click .
- In the window, define the .
- Define the route to the destination. Choose one of:
- Select the . One of:
- Add one or more Gateways to a normal destination. Click . You can select:
- Define the Gateway .
- Define the Gateway .
- Click .
To Add a Policy Rule:
- In the section of the page, click .
- In the window, configure the of the rule.
- Configure the to take on the traffic that is matched. Choose one of:
- . Select the Action Table.
- Configure the traffic to match. Choose one or more of the following:
- IPv4 address and .
- IPv4 address and .
- Click .
To Delete a Policy Rule:
- In the section of the page, select a rule.
- Click .
To Delete an Action Table:
- In the section of the page, select a static route table.
- Click .
Action Table Parameters
Parameter | Description
 | The name of the table.
 | A numerical ID for the table. Assigned by the system.
 | The default static route in the system routing table.
 | The destination of the route.
 | Subnet mask for the destination of the route.
 | Choose one of: Normal (accept and forward packets); Reject (drop packets and send unreachable messages); Black Hole (drop packets but don't send unreachable messages).
 | Next hop gateway IPv4 address.
 | Security Gateway interface that leads to the next hop gateway.
 | The preference of the particular route.
Policy Rule Parameters
Parameter | Description
Priority | You can define many Policy Rules. Traffic is matched to all the rules, one rule at a time, according to the priority that is configured for the rule.
Action | The action to take if the traffic is matched.
 | Send a Prohibit message to the sending host.
 | Send an Unreachable message to the sending host.
 | Do the actions defined in an Action Table.
Match |
 | Match by: Interface through which the packets enter the Security Gateway from the source host.
 | Match by: Source IPv4 address and subnet mask.
 | Match by: Destination IPv4 address and subnet mask.
Configuring Policy Based Routing - CLI
Create routing tables of static routes (Action Tables) and direct traffic to the appropriate tables by using Policy Rules.
To configure Action Tables:
Description: The Action Tables define the static routes, that is, where the traffic is sent. You define the destination of the route and the next hop gateway to that destination.
Syntax:
    set pbr table VALUE static-route VALUE
        nexthop blackhole
        nexthop reject
        nexthop gateway address VALUE <on | off>
        nexthop gateway logical VALUE <on | off>
        <on | off>
Parameters:
Parameter | Description
table VALUE | The name of the table.
static-route VALUE | Choose one of: default (the default static route in the system routing table), or the destination of the route as an IPv4 address/mask length, for example 192.0.2.0/24.
nexthop blackhole | Drop packets but don't send unreachable messages.
nexthop reject | Drop packets and send unreachable messages.
gateway address VALUE | Accept and forward packets to the next hop gateway IPv4 address.
gateway logical VALUE | Accept and forward packets to the Security Gateway interface that leads to the next hop gateway.
<on | off> | Enable or disable the Action Table.
Example:
    set pbr table PBRtable2 static-route 192.0.2.0/24 nexthop gateway logical eth0 on
To configure Policy Rules:
Description: Define the traffic to match and the action to take if the traffic is matched. One of the possible Actions is to forward traffic to the static routes defined in an Action Table.
Syntax:
    set pbr rule priority VALUE
        action prohibit
        action unreachable
        action table VALUE
        match from VALUE to VALUE interface VALUE <on | off>
Parameters:
Parameter | Description
priority VALUE | You can define many Policy Rules. Traffic is matched to all the rules, one rule at a time, according to the priority that is configured for the rule. VALUE is a number. The highest priority is 1.
action prohibit | Send a Prohibit message to the sending host.
action unreachable | Send an Unreachable message to the sending host.
action table VALUE | Do the actions defined in an Action Table. You must specify one or more match parameters.
from VALUE | Match by: Source IPv4 address and subnet mask.
to VALUE | Match by: Destination IPv4 address and subnet mask.
interface VALUE | Match by: Interface through which the packets enter the Security Gateway from the source host.
<on | off> | Enable or disable the Policy Rule.
Example:
    corp_fw> set pbr rule priority 3 match interface eth2
    corp_fw> set pbr rule priority 3 action table PBRtable2
Monitoring Policy Based Routing
To monitor Policy Based Routing - WebUI
- In the Gaia WebUI, go to the page.
- Click the tab.
To monitor Policy Based Routing - CLI
Run these commands:
show pbr tables
show pbr rules
show pbr summary