Generic Policy-Based Routing (PBR)

Overview

Generic Policy-Based Routing (PBR) allows you to override the default routing behavior of a Tufin-monitored device by defining custom routing rules. Implementing PBR enhances topology path accuracy and improves automation outcomes by providing a more precise and dynamic view of the network.

See Generic PBR Rule Impact and Generic PBR Rule Behavior.

Configuring Generic PBR in TOS requires policy rules that match the traffic, and route maps for devices that determine how matching traffic is forwarded. You can create and manage PBRs and their route maps programmatically through the Network Topology APIs.

Generic PBR Rule Impact

After configuring Generic PBR rules for Tufin-monitored devices, you can view the impact of these rules in these features:

  • TOS - Policy Analysis
  • All Tufin features that use path calculation:
    • Automatic Target Suggestion
    • Designer
    • Verifier
    • Connection Status and Connection Analysis
    • Path Finder in the Map
    • Path calculation using API

Generic PBR Rule Behavior

On devices with native PBR support, such as Cisco IOS, configured Generic PBR rules override any existing native PBR configuration.

  • Scope

    PBR rules run in parallel to security policy. PBR is not a firewall policy, and does not enforce allow/deny decisions.

  • Priority

    PBR rules are evaluated in ascending order of priority (lower values equal higher priority). When a rule matches, it overrides the device’s standard routing table. If there are no rule matches, standard routing applies.

  • Traffic redirection

    PBR applies only to traffic originating behind the gateway. Return traffic from externally initiated sessions follows standard routing.
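The three behaviors above (priority order, first-match override with fallback to standard routing, and no redirection of return traffic) can be modeled as a small evaluation routine. The following is an added example, not Tufin code; the rule and flow field names, the wildcard service encoding and the sample addresses are assumptions constructed for the model.

```python
"""Model of the Generic PBR evaluation order described above: rules are tried in
ascending priority, the first match overrides the routing table, otherwise the
standard route applies, and the return leg of an externally initiated session is
never redirected. Added example, not Tufin code; field names are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_SERVICE = ("any", 0)  # assumed wildcard encoding: any protocol, any port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    dst_port: int
    # False for the return leg of a session that was initiated from outside the gateway
    originated_behind_gateway: bool = True


@dataclass(frozen=True)
class PbrRule:
    priority: int                           # lower value = evaluated first
    src_nets: Tuple[str, ...]
    dst_nets: Tuple[str, ...]
    services: Tuple[Tuple[str, int], ...]   # (protocol, dst_port); port 0 = any port
    next_hop: str                           # where the route map sends matching traffic

    def matches(self, flow: Flow) -> bool:
        return (
            _in_any(flow.src, self.src_nets)
            and _in_any(flow.dst, self.dst_nets)
            and any(
                svc == ANY_SERVICE
                or (svc[0] == flow.protocol and svc[1] in (0, flow.dst_port))
                for svc in self.services
            )
        )


def _in_any(addr: str, nets) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(n) for n in nets)


def evaluate(rules: List[PbrRule], flow: Flow, standard_route: str) -> Tuple[str, Optional[int]]:
    """Return (next_hop, priority of the matching rule) or (standard_route, None)."""
    if not flow.originated_behind_gateway:
        return standard_route, None               # return traffic follows standard routing
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(flow):
            return rule.next_hop, rule.priority   # first match wins; lower-priority rules are skipped
    return standard_route, None


def check_priorities(rules: List[PbrRule]) -> List[int]:
    """Report priority values shared by more than one rule. Order is defined by
    priority, so duplicates make the outcome ambiguous when their matches overlap."""
    seen, dup = set(), set()
    for r in rules:
        (dup if r.priority in seen else seen).add(r.priority)
    return sorted(dup)


# Constructed sample rule set, deliberately listed out of priority order.
SAMPLE_RULES = [
    PbrRule(20, ("10.1.0.0/16",), ("0.0.0.0/0",), (ANY_SERVICE,), "isp-a"),
    PbrRule(10, ("10.1.0.0/16",), ("203.0.113.0/24",), (("tcp", 443),), "isp-b"),
]


def demo(standard_route: str = "default-gw"):
    """Evaluate a few constructed flows against SAMPLE_RULES."""
    flows = {
        "https_to_partner": Flow("10.1.2.3", "203.0.113.10", "tcp", 443),
        "dns_elsewhere": Flow("10.1.2.3", "198.51.100.5", "udp", 53),
        "other_segment": Flow("10.9.0.1", "203.0.113.10", "tcp", 443),
        "return_leg": Flow("10.1.2.3", "203.0.113.10", "tcp", 443, originated_behind_gateway=False),
    }
    return {name: evaluate(SAMPLE_RULES, f, standard_route) for name, f in flows.items()}


if __name__ == "__main__":
    for name, (hop, prio) in demo().items():
        print(f"{name:18} -> {hop} (rule priority {prio})")
```

Note that the HTTPS flow is sent to `isp-b` even though the broader `isp-a` rule is listed first, because priority 10 is evaluated before priority 20; the same flow on its return leg is left to standard routing. `check_priorities` is a sanity check worth running before pushing rules, since the page defines evaluation order purely by priority value.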

Network Topology APIs for Generic PBR

The Network Topology API provides methods to programmatically add and manage generic PBR policies and route maps.

API method                                             Description

Generic PBR APIs

POST   /topology/generic/policy                        Add one or more generic PBRs, each with one or more rules that combine different services.
PUT    /topology/generic/policy                        Update one or more existing generic PBRs.
GET    /topology/generic/policy/{id}                   Retrieve the generic PBR with the specified policy ID.
GET    /topology/generic/policy                        Retrieve the generic PBR with the specified PBR name, or all PBR policies if no name is specified.
DELETE /topology/generic/policy/{id}                   Delete the generic PBR with the specified policy ID.

Route map APIs

POST   /topology/generic/routemap/device/{deviceId}    Add one or more generic route maps for the device with the specified device ID.
GET    /topology/generic/routemap/device/{deviceId}    Retrieve the generic route maps configured for the device with the specified device ID.
DELETE /topology/generic/routemap/device/{deviceId}    Delete all generic route maps configured for the device with the specified device ID.
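The table above lists methods and paths only. The client below is an added example, not Tufin's own code or SDK: it maps each listed endpoint to one method and shows the add, read, update and delete sequence for a PBR and its route map. The TOS base URL, the authentication header, the request-body shapes and the `name` query parameter used for lookup by PBR name are assumptions; the transport is injectable so the example runs offline against a recording stand-in.

```python
"""Client for the Generic PBR and route-map endpoints listed above.
Added example, not Tufin code: base URL, auth header, body shapes and the
`name` query parameter are assumptions."""
import json
from urllib import request
from urllib.parse import quote


class GenericPbrClient:
    POLICY = "/topology/generic/policy"
    ROUTEMAP = "/topology/generic/routemap/device"

    def __init__(self, base_url, send=None, headers=None):
        self.base_url = base_url.rstrip("/")
        self.headers = dict(headers or {})
        # send(method, url, body) -> (status, parsed_json); injectable for offline use.
        self._send = send or self._urllib_send

    def _urllib_send(self, method, url, body):
        data = json.dumps(body).encode() if body is not None else None
        hdrs = {"Content-Type": "application/json", "Accept": "application/json", **self.headers}
        req = request.Request(url, data=data, method=method, headers=hdrs)
        with request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def _call(self, method, path, body=None):
        return self._send(method, self.base_url + path, body)

    @staticmethod
    def _id(value):
        # IDs are coerced to int (assumed ID format) so caller-supplied input
        # cannot alter the request path.
        return int(value)

    # Generic PBR policies
    def add_policies(self, policies):
        return self._call("POST", self.POLICY, policies)

    def update_policies(self, policies):
        return self._call("PUT", self.POLICY, policies)

    def get_policy(self, policy_id):
        return self._call("GET", f"{self.POLICY}/{self._id(policy_id)}")

    def list_policies(self, name=None):
        # Lookup by PBR name per the table; the query-parameter name is an assumption.
        path = self.POLICY + (f"?name={quote(name, safe='')}" if name else "")
        return self._call("GET", path)

    def delete_policy(self, policy_id):
        return self._call("DELETE", f"{self.POLICY}/{self._id(policy_id)}")

    # Route maps
    def add_route_maps(self, device_id, route_maps):
        return self._call("POST", f"{self.ROUTEMAP}/{self._id(device_id)}", route_maps)

    def get_route_maps(self, device_id):
        return self._call("GET", f"{self.ROUTEMAP}/{self._id(device_id)}")

    def delete_route_maps(self, device_id):
        return self._call("DELETE", f"{self.ROUTEMAP}/{self._id(device_id)}")


class RecordingTransport:
    """Constructed stand-in for TOS: records each call and returns a canned 200."""

    def __init__(self):
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        return 200, {"ok": True}


def demo_lifecycle(base_url="https://tos.example.invalid"):
    """Add a PBR and a route map, read them back, update, then remove both.
    Returns the (method, path) sequence the client issued."""
    transport = RecordingTransport()
    client = GenericPbrClient(base_url, send=transport,
                              headers={"Authorization": "Bearer <token-placeholder>"})
    policy = {"name": "pbr-example"}                 # body shape is an assumption
    client.add_policies([policy])
    client.list_policies(name="pbr-example")
    client.get_policy(42)
    client.update_policies([{"id": 42, **policy}])   # body shape is an assumption
    client.add_route_maps(7, [{"policyId": 42}])     # body shape is an assumption
    client.get_route_maps(7)
    client.delete_route_maps(7)
    client.delete_policy(42)
    return [(m, url[len(base_url):]) for m, url, _ in transport.calls]


if __name__ == "__main__":
    for method, path in demo_lifecycle():
        print(method, path)
```

Replace the recording transport with the default `urllib` sender and a real TOS base URL to issue the same sequence against a live system; check the request and response bodies against the Network Topology API reference, since their schemas are not given on this page.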