
Specifying Routing Rules for a Routing Policy

Routing options primarily comprise gateway rules and port-forwarding rules. When configuring security rules for your service edges, consider NAT rules, port-forwarding rules, and routing rules; this will ensure that the rules complement each other and will help prevent conflicts among them.

To create a routing rule, do the following:

  1. Go to the Routing Rules tab > Add Rule drop-down and choose one of the following:

    • Copy Rule: Copy an existing rule to add it to the respective policy.

      1. Click Add. 

      2. Select or search for the policy that contains the specific rule.

      3. Select the rule and click Add.

      4. If necessary, repeat these steps to add more rules to the policy. Otherwise, click Save.

    • New Rule: Choose this option to create a brand new rule. Specify the following:

      • Rule Name: Enter a name for the rule. The name can be up to 64 characters long and may contain numbers, special characters, uppercase and lowercase letters, and spaces; it can start and end with any character except a space. Leading and trailing spaces are trimmed automatically.

      • Egress: From the drop-down menu, select the interface from which the outgoing traffic originates. 

        • Network Interface: Define the interface from which the outgoing traffic will originate. Choose one of the following from the drop-down list:  

          • Network Interface: Type LAN or WAN in the first box. If you type LAN, the outgoing traffic will originate from your private LAN. If you type WAN, the outgoing traffic will originate from the WAN.

          • Next Hop: Enter a valid IP address for the next closest router to which data packets will be routed. 

        • Tunnel Interface: A tunnel interface defines the device that is set up for tunnels in the routing VPN.
          From the Select List drop-down, choose an already created edge that is part of the VPN topology.

        • Third Party Tunnel: 
          To avoid unexpected behavior, do not create rules that conflict with each other or that share the same priority. For example, if you create a rule that routes facebook.com traffic to egress interface tunnel1 with priority 10, and a second rule that routes facebook.com traffic to egress interface tunnel2, also with priority 10, the system processes the two rules in an undefined order.

      • Sources: Choose one of the following:

        • Network: Choose this to add a specific network object or network object group that you have already configured.

          1. Click Add, and choose one of the following from the drop-down list TYPE:

            • ANY: No IP address is specified, so any address or device can be the source.

            • IP: Specify the source by entering a specific IP address in the VALUE field.

            • Address Object Groups: From the VALUE list, select the address object that you have already configured.

          2. Click Next.

        • User Groups: Choose this to add user groups that you have already configured. When you add a user group, all users in the group are subject to the configuration you make to this routing rule.
          In the AVAILABLE column, select the identity object group you want to add, and then use the move icon to move the group to the SELECTED column. To move all identity object groups, use the move-all icon. To remove a selected identity object group, click the remove icon next to it in the SELECTED column. To remove all selected identity object groups, click the remove-all icon.

        • Tags: Choose this to add tags that you have already configured for BloxOne DDI IPAM resources. Supported resources are IP Space, Address Block, Subnet, Range, Fixed Address, and IPv4 Reservation. You can then reference these resources in the rule, in the form of tags or as a direct resource object. For more information, see Managing Tags and About BloxOne DDI.
          Click Add, and specify the following:

          • KEY: From the drop-down menu, choose the configured tag you want to add. All available tags are displayed in the menu.

          • VALUE: From the drop-down menu, choose the value that corresponds to the selected tag. All available values are displayed in the menu.
            To add more tags to the rule, click Add again.

      • Destinations: Choose one of the following:

        • Network: Choose this to add a network or network object that you have already configured. Click Add, and specify the following: 

          • TYPE: Choose one of the following from the drop-down list:

            • ANY: No IP address is specified, so any address or device can be a destination.

            • IP: To specify the destination, enter an IP address in the VALUE field.

            • Address Object Groups: From the VALUE list, select the address object that you have already configured. Alternatively, click Search and enter a value to search for a specific address object.

            • FQDN: Select this destination type to configure an FQDN for your firewall rule. For example, select it to allow a particular user group to access www.facebook.com.

            • Wildcard FQDN: Select this destination type to configure a Wildcard FQDN for your firewall rule. For example, select it to allow a particular user group to access *.yahoo.com.

        • Websites & Apps: 
          Applications: Choose this to add an application or applications to the routing rule. All available applications are grouped in categories within the AVAILABLE section. Use the move icons to move a specific application or a whole category of applications to the SELECTED section. The configuration of your routing rule applies to all selected applications.

      • Tags: Choose this to add tags that you have already configured for BloxOne DDI IPAM resources. Supported resources are IP Space, Address Block, Subnet, Range, Fixed Address, and IPv4 Reservation. You can then reference these resources in the rule, in the form of tags, or as a direct resource object. For more information, see Managing Tags and About BloxOne DDI.
        Click Add and specify the following:

        • KEY: From the drop-down menu, choose the configured tag you want to add. All available tags are displayed in the menu.

        • VALUE: From the drop-down menu, choose the value that corresponds to the selected tag. All available values are displayed in the menu.
          To add more tags to the rule, click Add again.

    • Services: Specify the following: 

      • Service Groups: Choose this and specify the following:

        • Select the service group you want to add, and use the move icon to move it to the Selected group. To add all service groups, use the move-all icon.

        • To remove a selected service group, click the remove icon next to it. To remove all selected service groups, click the remove-all icon.

      • Service Parameters: Choose this, click Add, and specify the following:

        • PROTOCOL: Choose one of the following from the drop-down list:

          • TCP: The Transmission Control Protocol complements the Internet Protocol (IP) and provides ordered, error-checked delivery of data between applications on devices that communicate over an IP network. Be sure to select a TCP Flag.

          • UDP: The User Datagram Protocol is a transport protocol that runs over IP and provides (1) checksums for data integrity and (2) port numbers for addressing different functions at the source and destination. Be sure to select a UDP Flag.

          • IP: Internet Protocol is the principal communication protocol that delivers data packets from source to destination, based solely on the IP addresses in the packets' headers.

          • ICMP: Routers and other network devices use the Internet Control Message Protocol to send operational information and error messages that indicate success or failure during communication between devices and IP addresses. Be sure to select an ICMP Flag;
            choose one of the following parameters to specify the type of ICMP traffic you want to track for this firewall rule:

            • NONE: No ICMP flag is specified. Include all outgoing and incoming traffic that uses the ICMP protocol for communication.

            • INBOUND_TTL: Include incoming traffic that exceeds the TTL (time to live) or has the "time exceeded in transit" message.

            • INBOUND_REDIRECT: Include incoming traffic that has the "out-of-band" message for redirecting traffic to another system.

            • OUTBOUND_PING: Include outgoing ICMP echo requests from the source port.

            • ICMP_INBOUND_ALL: Include all incoming traffic from the destination port.

            • ICMP_OUTBOUND_ALL: Include all outgoing traffic from the source port.

            • ICMP_INBOUND_PING: Include incoming ICMP echo responses from the destination port.

        • SOURCE PORT: Enter a number from 1 to 65535, or type ANY.

        • DESTINATION PORT: Enter a number from 1 to 65535, or type ANY.

        • PROTOCOL FLAG: Depending on the chosen protocol, specify the following:

          • NONE: No protocol flag is set.

          • INCOMING: Match the selected protocol on incoming traffic.

          • OUTGOING: Match the selected protocol on outgoing traffic.

  2. Click Expand All to view additional details of the rules, and Collapse All to hide them.

  3. Click Save.

  4. Click Save & Close.
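The priority note under Third Party Tunnel and the constraints on service parameters (protocol, ports from 1 to 65535 or ANY, protocol and ICMP flags) can be checked before a rule set is saved. The following Python is an added example written for this page; it is not part of the page or of BloxOne, and the field names, the egress labels (tunnel1, tunnel2, WAN) and the sample rules are constructed assumptions. It models a rule with its service parameters, applies the name and port rules given above, and reports pairs of rules that share a priority, overlap on destinations and send traffic to different egress interfaces, which is exactly the undefined-order case the note warns about.

```python
"""Constructed model of routing rules with validation and a conflict check.
Field names, egress labels and sample data are assumptions, not product API."""
from dataclasses import dataclass, field
from typing import List, Tuple

PROTOCOLS = {"TCP", "UDP", "IP", "ICMP"}
PROTOCOL_FLAGS = {"NONE", "INCOMING", "OUTGOING"}
ICMP_FLAGS = {"NONE", "INBOUND_TTL", "INBOUND_REDIRECT", "OUTBOUND_PING",
              "ICMP_INBOUND_ALL", "ICMP_OUTBOUND_ALL", "ICMP_INBOUND_PING"}


@dataclass
class ServiceParam:
    protocol: str
    source_port: str = "ANY"       # 1-65535 or ANY, as on the page
    destination_port: str = "ANY"  # 1-65535 or ANY
    flag: str = "NONE"             # protocol flag, or ICMP flag when protocol is ICMP


@dataclass
class RoutingRule:
    name: str
    priority: int
    destinations: frozenset        # FQDNs / IPs, or {"ANY"}
    egress: str                    # assumed label for the egress interface
    services: List[ServiceParam] = field(default_factory=list)


def normalise_name(raw: str) -> str:
    """Apply the page's name rules: trim surrounding spaces, allow up to 64 chars."""
    name = raw.strip()
    if not name or len(name) > 64:
        raise ValueError(f"invalid rule name {raw!r}")
    return name


def port_ok(value: str) -> bool:
    """A port is ANY or an integer in 1..65535."""
    if value == "ANY":
        return True
    return value.isdigit() and 1 <= int(value) <= 65535


def service_errors(svc: ServiceParam) -> List[str]:
    """Return a list of problems with one Service Parameters entry (empty if fine)."""
    errs = []
    if svc.protocol not in PROTOCOLS:
        errs.append(f"unknown protocol {svc.protocol!r}")
    for label, port in (("source", svc.source_port),
                        ("destination", svc.destination_port)):
        if not port_ok(port):
            errs.append(f"{label} port {port!r} is not 1-65535 or ANY")
    # ICMP takes the ICMP flag set; every other protocol takes NONE/INCOMING/OUTGOING.
    allowed = ICMP_FLAGS if svc.protocol == "ICMP" else PROTOCOL_FLAGS
    if svc.flag not in allowed:
        errs.append(f"flag {svc.flag!r} is not valid for {svc.protocol}")
    return errs


def destinations_overlap(a: frozenset, b: frozenset) -> bool:
    """ANY overlaps everything; otherwise the sets must share an entry."""
    return "ANY" in a or "ANY" in b or bool(a & b)


def find_conflicts(rules: List[RoutingRule]) -> List[Tuple[str, str]]:
    """Pairs of rules with equal priority, overlapping destinations and a
    different egress: the page states these are processed in an undefined order."""
    conflicts = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.priority == b.priority and a.egress != b.egress
                    and destinations_overlap(a.destinations, b.destinations)):
                conflicts.append((a.name, b.name))
    return conflicts


# Constructed sample rule set reproducing the page's facebook.com example.
SAMPLE_RULES = [
    RoutingRule("fb-via-tunnel1", 10, frozenset({"facebook.com"}), "tunnel1",
                [ServiceParam("TCP", "ANY", "443", "OUTGOING")]),
    RoutingRule("fb-via-tunnel2", 10, frozenset({"facebook.com"}), "tunnel2"),
    RoutingRule("default-wan", 100, frozenset({"ANY"}), "WAN",
                [ServiceParam("IP")]),
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        for svc in rule.services:
            for err in service_errors(svc):
                print(f"{rule.name}: {err}")
    for left, right in find_conflicts(SAMPLE_RULES):
        print(f"conflict: {left} and {right} share a priority and a destination")
```

Running the block reports the fb-via-tunnel1 / fb-via-tunnel2 pair and nothing for default-wan, whose priority of 100 keeps it from competing with the priority-10 rules even though ANY overlaps every destination.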