Re: FTD PBR Question

benolyndav · ‎02-18-2026

Hi

I have been labbing this up and have come to the conclusion that when using FTD PBR a default route is still required, I have tried everything and without a default route traffic is routed via an interface not stipulated as (egress interface) in the PBR policy

Does this sound correct or am I doing something wrong please.??

Thanks

Rob Ingram · ‎02-18-2026

@benolyndav in the past I had a default route for normal traffic via ISP1, then used PBR to match explict traffic a route that via a different interface (ISP2) - that worked fine. Example

If you run packet-tracer from the CLI, that should do a pbr lookup and provide a clue, or at least confirm if pbr is doing something.

benolyndav · ‎02-18-2026

@Rob Ingram The problem is we already have a default route pointing to another next hop, I tried this placing the destination interface in a user defined vrf and added a default route and it worked so default in vrf and default in global, do you think this is the only way I can achieve my requirement using (vrf)

Thanks

Rob Ingram · ‎02-18-2026

@benolyndav looks like PBR only works with the global virtual router only.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/100/management-center-device-config-10-0/routing-vrf.html

benolyndav · ‎02-18-2026

@Rob Ingram the Destination interface is in the vrf and not the source interface which is ok according to Cisco docs and packet-tracer looks ok too.?

Rob Ingram · ‎02-19-2026

@benolyndav sorry, I've not tried that scenario, I'd have to lab it to confirm either way.