Configure PBR on FMC

zufayri · ‎01-22-2024

Hi Community,

I want to configure new implementation to route certain source traffic via different interface. I have 2 OUTSIDE interfaces and 2 interface inside. I want to divide the outbound traffic via WAN and O-365. Load balancer will determine which IP is going to 2 of my inside interface. If user went to outlook or 365 it will follow path interface 1/3 & 1/4 and else, it will go to interface 1/1 & 1/2. current FMC and FTD version is 7.2.5.

1/1 - 133.133.1.22

1/2 - 211.25.10.50 (WAN)

1/3 - 10.10.11.100

1/4 - 202.168.100.2(O-365)

From extended I do:

Default : src-any, dest-Wan Gateway

O-365 : src-any, dest-O365 gateway

PBR :

Ingress- 1/1 | traffic match - Default | sent through - 1/2

Ingress- 1/3 | traffic match - O-365 | sent through - 1/4

Static Route:

Network-any, Interface 1/1, gateway 1/1, metric 1

Network-any, Interface 1/3, gateway 1/3, metric 1

Network-any, Interface 1/2, gateway 1/2, metric 20

Network-any, Interface 1/4, gateway 1/4, metric 20

I also configured ECMP for Interface WAN and O-365

From my setup below is it still need to configure at flexconfig FMC or is my configuration above is enough? Need your expertise to comment my setup.

balaji.bandi · ‎01-22-2024

FMC 7.1 onwards PBR configured using GUI - that is good enough to work :

check below guide :

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/routing-policy-based.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

zufayri · ‎01-22-2024

Hi balaji,

I have follow this guide also but for path monitoring I dont configured as the two ISP have their own traffic. just my concern is from internal, most of the KB and guide show internal only have one interface but this have two. so I dont quite understand how Load balance will split the traffic to both of the internal interface.

balaji.bandi · ‎01-22-2024

I want to check how is your interface configuration and what zone they are ?

can you provide relevant config related to interface and PBR, Route

confirm except the PBR its generally working ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

zufayri · ‎01-22-2024

Hi @balaji.bandi

both internal zone set as LAN and both ISP zone set as WAN

This is new implementation so no testing yet as this will be replace sonicwall PBR. most of Sonicwall PBR use PBR src-any, dst-any, interface-internal but gateway is 0.0.0.0, Cisco can do gateway 0.0.0.0 for interface?

MHM Cisco World · ‎01-22-2024

I dont think Load balance can load traffic in your case since all traffic pass to FW and from there must flow to correct path.

So You need flexconfig and config pbr.

Note:- now fmc support directly fmc no need pbr' it depend on fmc version.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/routing-policy-based.html

MHM

zufayri · ‎01-22-2024

Hi @MHM Cisco World

So meaning flexconfig also need to be configured? do you have guide to configured flexconfig?

MHM Cisco World · ‎01-22-2024

but I see you comment that there your FMC support pbr so no need flexconfig
for two inside interface
config two PBR one for each inside interface
the ACL you can config it with permit any any
MHM