Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Policy-Based Routing Overview


Policy-based routing (PBR) provides a flexible mechanism for forwarding data packets based on polices configured by a network administrator. PBR enables you to implement policies that selectively cause packets to take different paths. PBR provides a routing mechanism for networks that rely on Application Layer support, such as antivirus (AV), deep inspection (DI), or antispam, Web filtering, and/or that require an automatic way to specific applications.

When a packet enters the security device, ScreenOS checks for PBR as the first part of the route-lookup process, and the PBR check is transparent to all non-PBR traffic. PBR is enabled at the interface level and configured within a virtual router context; but you can choose to bind PBR policies to an interface, a zone, a virtual router (VR), or a combination of interface, zone, or VRs.

You use the following three building blocks to create a PBR policy:

  • Extended access lists—Extended access-lists list the match criteria you define for PBR policies.

  • Match groups—Match groups provide a way to organize (by group, name and priority) extended access lists.

  • Action groups—Action groups specify the route that you want a packet to take. You specify the“ action” for the route by defining the next interface, the next-hop, or both.


    For details on configuring policy-based routing and route lookup, see the Concepts & Examples ScreenOS Reference Guide.