Kaspersky SD-WAN

Policy-based routing (PBR)

In addition to routing based on standard packet properties such as the destination IP address, Kaspersky SD-WAN supports Policy-Based Routing (PBR). This type of routing is based on policies, that is, sets of routing rules (IP rules) created by the user (administrator or tenant administrator) and stored on the device. The following are some example use cases for PBR:

  • Redirecting traffic for user-specified networks to bypass the firewall in case of problems with the firewall

  • Redirecting internet-bound traffic for user-specified networks via SD-WAN towards a gateway that acts as a single point of internet access for all CPE devices

You can create and view routing rules both on the command line of the CPE device, using commands of the iproute2 toolkit, and from the graphical interface of the orchestrator. This section describes managing routing rules in the graphical interface of the orchestrator.


Managing IP routing rules

You can view the table of IP rules in a CPE template and on a CPE device:

  • To view the table of IP rules in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and in the sidebar, select the PBR section.
  • To view the table of IP rules on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and in the sidebar, select the PBR section.

Information about IP rules is displayed in the following columns of the table:

  • Priority is the rule priority. Rules with a lower priority value are applied earlier.
  • Status is the status of the rule. Possible values:
    • Enabled means the rule is active.
    • Disabled means the rule is inactive.
  • IP Protocol is the encapsulated protocol. The following values are possible:
    • TCP
    • UDP
    • ICMP
    • SCTP
    • AH
    • ESP
    • GRE
    • IPIP
  • Source host or network is the host or network of the source.
  • Source port is the source port.
  • Source network interface is the inbound interface to be matched. If the interface is a loopback interface, the rule matches only packets originating from this host.
  • Destination host or network is the host or network of the destination.
  • Destination port is the destination port.
  • Destination network interface is the outbound interface to be matched. The outbound interface is available only for packets originating from local sockets bound to the device.
  • VRF is the VRF in which the search for routes is performed.
  • Actions lists actions that can be performed with the IP rule (enable, disable, edit, delete).


Creating an IP rule

You can create an IP rule in a CPE template or on a CPE device. IP rules created in the CPE template are automatically created on all CPE devices that use this CPE template.

To create an IP rule:

  1. Create an IP rule in one of the following ways:
    • If you want to create an IP rule in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and in the sidebar, select the PBR section.
    • If you want to create an IP rule on a CPE device, go to the SD-WAN → CPE menu section, click the CPE device, and in the sidebar, select the PBR section.

    A table of IP rules is displayed.

  2. Click the + IP rule button.
  3. In the window that opens, in the Priority field, enter the rule priority. Rules with a lower priority value are applied earlier. This value must be unique.
  4. In the IP Protocol drop-down list, select the IP protocol. The following values are possible:
    • TCP
    • UDP
    • ICMP
    • SCTP
    • AH
    • ESP
    • GRE
    • IPIP
  5. Under Source and Destination, specify source and destination settings for the IP rule as necessary:
    • Select the source or destination Type: host or network.
    • Depending on the selected Type, in the field below, specify the following:
      • Source or destination IP address if you selected the Host type (the caption of the field is then IP address).
      • Source or destination IP address and mask if you selected the Network type (the caption of the field is then IP/mask).
    • In the Port field, specify the source or destination port.

      You can enter a single value or a range of values from 1 to 65,535 separated by a hyphen, for example: 443, 1024-65535.

    • In the Network interface alias drop-down list, select the source (inbound) interface or destination (outbound) interface.

      If the inbound interface is a loopback interface, the rule matches only packets originating from this host. The outbound interface is available only for packets originating from local sockets bound to the device.

  6. In the Lookup VRF drop-down list, select the VRF to search for routes.

    If you select main/254, then under Destination, you need to specify a source IP address other than 0.0.0.0/0, otherwise the rule cannot be saved.

  7. Click Create.

    The IP rule is created and displayed in the table.

  8. In the lower part of the settings area, click Save to save the settings of the CPE template or CPE device.
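The procedure above fills in the same fields that the CPE applies as an iproute2 IP rule. The following shell helper, an added example that is not part of Kaspersky's documentation or product code, renders the `ip rule` command that corresponds to one row of the IP rule table (priority, IP protocol, source, source port, inbound interface, destination, destination port, outbound interface, lookup VRF) and applies the two checks from the procedure: the port syntax and the main/254 source requirement. It only prints the command (dry run) and assumes the CPE's iproute2 and kernel support the `ipproto`, `sport` and `dport` selectors (iproute2 and Linux 4.17 or later); the interface and table names are constructed sample values.

```shell
#!/bin/sh
# Constructed example: render one IP rule from the orchestrator table as the
# equivalent iproute2 command. Nothing here changes routing on the host.

# validate_port VALUE: succeeds if VALUE is a single port or a "low-high"
# range, both ends within 1..65535 (the syntax accepted by the Port field).
validate_port() {
  case "$1" in
    *-*) lo=${1%%-*}; hi=${1#*-} ;;
    *)   lo=$1;       hi=$1 ;;
  esac
  for p in "$lo" "$hi"; do
    case "$p" in ''|*[!0-9]*) return 1 ;; esac   # empty or non-numeric part
  done
  [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# render_rule PRIORITY PROTO SRC SPORT SRC_IF DST DPORT DST_IF VRF
# An empty argument means the field is not set, like an empty table cell.
# VRF is the routing table to look up (main/254 or a VRF table id).
render_rule() {
  # Same constraint the orchestrator enforces: a rule looking up main/254
  # must carry a source other than 0.0.0.0/0 (an unset source is "all").
  if [ "$9" = main ] || [ "$9" = 254 ]; then
    case "$3" in ''|0.0.0.0/0) return 1 ;; esac
  fi
  cmd="ip rule add priority $1"
  [ -n "$2" ] && cmd="$cmd ipproto $2"
  [ -n "$3" ] && cmd="$cmd from $3"
  [ -n "$4" ] && { validate_port "$4" || return 1; cmd="$cmd sport $4"; }
  [ -n "$5" ] && cmd="$cmd iif $5"
  [ -n "$6" ] && cmd="$cmd to $6"
  [ -n "$7" ] && { validate_port "$7" || return 1; cmd="$cmd dport $7"; }
  [ -n "$8" ] && cmd="$cmd oif $8"
  cmd="$cmd lookup $9"
  printf '%s\n' "$cmd"
}

# Sample row: HTTPS from the 10.0.1.0/24 LAN arriving on lan0, looked up in
# table 100 (constructed values).
render_rule 100 tcp 10.0.1.0/24 "" lan0 "" 443 "" 100
```

Compare the printed command with `ip rule show` on the CPE to confirm that what the orchestrator displays matches what the device applies.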

Editing an IP rule

You can edit IP rules in a CPE template or on a CPE device. IP rules edited in the CPE template are automatically modified on all CPE devices that use this CPE template.

To edit an IP rule:

  1. Edit an IP rule in one of the following ways:
    • If you want to edit an IP rule in a CPE template:
      • In the menu, go to the SD-WAN → CPE templates section, click the CPE template, and in the sidebar, select the PBR section.
      • In the displayed table of IP rules, in the Actions column, click the Edit button for the rule that you want to edit.
    • If you want to edit an IP rule on a CPE device:
      • In the menu, go to the SD-WAN → CPE section, click the CPE device, and in the sidebar, select the PBR section.
      • In the displayed table of IP rules, in the Actions column, click the Edit button for the rule that you want to edit. If the IP rule was inherited from a template, first select the Override check box for the rule to display the Edit button.
  2. In the window that opens, edit the IP rule settings that you want to change. For a description of the settings, see the instructions for creating an IP rule.
  3. Click Save.

    The IP rule is modified and updated in the table.

  4. In the lower part of the settings area, click Save to save the settings of the CPE template or CPE device.

Deleting an IP rule

You can delete IP rules in a CPE template or on a CPE device. IP rules deleted in the CPE template are automatically deleted on all CPE devices that use this CPE template. On a CPE device, you can delete only those IP rules that were added directly on the device, but you cannot delete IP rules inherited from the template.

Deleted IP rules cannot be restored.

To delete an IP rule:

  1. Delete an IP rule in one of the following ways:
    • If you want to delete an IP rule in a CPE template, go to the SD-WAN → CPE templates menu section, click the CPE template, and in the sidebar, select the PBR section.
    • If you want to delete an IP rule that was not inherited from the CPE template, go to the SD-WAN → CPE menu section, click the CPE device, and in the sidebar, select the PBR section.

    A table of IP rules is displayed.

  2. Click Delete next to the IP rule that you want to delete.
  3. In the confirmation window, click Delete.

    The IP rule is deleted and is no longer displayed in the table.

  4. In the lower part of the settings area, click Save to save the settings of the CPE template or CPE device.