Policy-based routing policy
Policy conditions consist of a variety of selection criteria that act as filters for policy-based routing (Routing) rules. Traffic can be filtered based on source address, destination address, source port range, destination port range, protocol, job name, security zone, and security label. For more details, see Policy-based routing.
Routing policy rules can refer to one or more policy conditions. A policy rule with a single policy condition is known as a simple rule, and one with more than one condition is known as a complex rule. The conditions of a complex routing policy rule are evaluated in Conjunctive Normal Form (CNF), that is, as an ANDed set of ORed conditions. For details about CNF, see Policy object model overview.
When Policy Agent reads and parses routing rules, it creates every rule as a complex rule, even one that names only a single condition. For example, consider the following RoutingRule statement:
RoutingRule rule1
{
TrafficDescriptorGroupRef tdGroup
IpSourceAddrGroupRef addrGroup
RoutingActionRef action1
}
TrafficDescriptor td1
{
SourcePortRange 1-5
DestinationPortRange 10
SecurityZone zone1
SecurityLabel label1
JobName jobABC1
}
TrafficDescriptor td2
{
SourcePortRange 6-9
DestinationPortRange 25
SecurityZone zone2
SecurityLabel label2
JobName jobABC2
}
TrafficDescriptorGroup tdGroup
{
TrafficDescriptorRef td1
TrafficDescriptorRef td2
}
IpAddrGroup addrGroup
{
IpAddr
{
Addr 9.1.1.1
}
IpAddr
{
Addr 10.1.1.1
}
}
This rule is represented as a CNF rule with the following condition levels (levels are ANDed together):
- Level 1 = source address 9.1.1.1 OR source address 10.1.1.1
- Level 2 = (source port range 1-5 AND destination port range 10 AND job name jobABC1 AND security zone zone1 AND security label label1) OR (source port range 6-9 AND destination port range 25 AND job name jobABC2 AND security zone zone2 AND security label label2)
The pasearch command displays the Routing policy as a complex rule.
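The following Python is an added illustration and not IBM Policy Agent code; it does not reproduce Policy Agent's internal matching, only the CNF structure the two levels above describe. It parses the RoutingRule, TrafficDescriptor, TrafficDescriptorGroup and IpAddrGroup statements shown above (embedded here as a constructed sample) into the ANDed levels of ORed conjuncts, then evaluates constructed packet attributes against them. The packet field names (src, sport, dport, zone, label, job) and the classify function are assumptions made for this example. The point it demonstrates is that attributes from td1 and td2 cannot be mixed: a packet must satisfy one whole TrafficDescriptor, and separately one of the source addresses, before the rule matches.

```python
"""Added example: evaluate a Routing policy rule as CNF (not Policy Agent code)."""

# Constructed sample: the statements from the page, verbatim.
POLICY = """
RoutingRule rule1
{
TrafficDescriptorGroupRef tdGroup
IpSourceAddrGroupRef addrGroup
RoutingActionRef action1
}
TrafficDescriptor td1
{
SourcePortRange 1-5
DestinationPortRange 10
SecurityZone zone1
SecurityLabel label1
JobName jobABC1
}
TrafficDescriptor td2
{
SourcePortRange 6-9
DestinationPortRange 25
SecurityZone zone2
SecurityLabel label2
JobName jobABC2
}
TrafficDescriptorGroup tdGroup
{
TrafficDescriptorRef td1
TrafficDescriptorRef td2
}
IpAddrGroup addrGroup
{
IpAddr
{
Addr 9.1.1.1
}
IpAddr
{
Addr 10.1.1.1
}
}
"""


def parse_statements(text):
    """Return {(kind, name): [(key, value), ...]} for each top-level statement.
    Nested blocks such as IpAddr are flattened into the enclosing statement."""
    stmts, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "{":
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0:
            kind, name = line.split()          # e.g. "TrafficDescriptor td1"
            current = stmts.setdefault((kind, name), [])
        else:
            parts = line.split(None, 1)
            if len(parts) == 2:                # "Key value"; bare "IpAddr" opens a nested block
                current.append((parts[0], parts[1]))
    return stmts


def build_cnf(stmts, rule_name):
    """Return (levels, action). Each level is a list of ORed conjuncts; each
    conjunct is a dict of ANDed attribute -> value terms."""
    rule = dict(stmts[("RoutingRule", rule_name)])
    levels = []
    if "IpSourceAddrGroupRef" in rule:         # level 1: source addresses, ORed
        group = stmts[("IpAddrGroup", rule["IpSourceAddrGroupRef"])]
        levels.append([{"SourceAddr": v} for k, v in group if k == "Addr"])
    if "TrafficDescriptorGroupRef" in rule:    # level 2: traffic descriptors, ORed
        group = stmts[("TrafficDescriptorGroup", rule["TrafficDescriptorGroupRef"])]
        refs = [v for k, v in group if k == "TrafficDescriptorRef"]
        levels.append([dict(stmts[("TrafficDescriptor", r)]) for r in refs])
    return levels, rule["RoutingActionRef"]


def in_range(value, spec):
    """Port range "1-5" or single port "10"."""
    lo, _, hi = spec.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    return lo <= value <= hi


def term_matches(attr, spec, pkt):
    # pkt keys (src, sport, dport, zone, label, job) are assumed for this example.
    if attr == "SourceAddr":
        return pkt["src"] == spec
    if attr == "SourcePortRange":
        return in_range(pkt["sport"], spec)
    if attr == "DestinationPortRange":
        return in_range(pkt["dport"], spec)
    if attr == "SecurityZone":
        return pkt["zone"] == spec
    if attr == "SecurityLabel":
        return pkt["label"] == spec
    if attr == "JobName":
        return pkt["job"] == spec
    raise ValueError(f"unsupported condition attribute {attr}")  # fail loudly, not open


def evaluate(levels, pkt):
    """CNF: every level must hold; a level holds if any conjunct holds in full."""
    return all(
        any(all(term_matches(a, s, pkt) for a, s in conj.items()) for conj in level)
        for level in levels
    )


def classify(pkt, policy=POLICY, rule="rule1"):
    """Return the rule's RoutingActionRef if pkt matches, else None."""
    levels, action = build_cnf(parse_statements(policy), rule)
    return action if evaluate(levels, pkt) else None


if __name__ == "__main__":
    td1_pkt = {"src": "9.1.1.1", "sport": 3, "dport": 10,
               "zone": "zone1", "label": "label1", "job": "jobABC1"}
    mixed = dict(td1_pkt, dport=25)          # td1 ports mixed with td2's destination port
    print(classify(td1_pkt), classify(mixed))
```

The mixed packet fails because level 2 requires all five attributes of one TrafficDescriptor together; a source address from addrGroup alone satisfies only level 1.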