Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
8.0.107

Source-Based Route

Update Time: 2026-02-05

When multiple lines connect to the internet, a source-based route lets you define matching conditions based on source/destination IP addresses, ports, protocols, and applications, and then specify the outbound interface or next-hop IP address for the matched traffic, for example in a multi-ISP routing scenario. Click Add and select Source-Based Route, as shown in the figure below.

 

Route Type: You can select Source-Based Route or Link Load-Balancing Route.

Protocol: You can select IPv4 or IPv6.

Name: Fill in the corresponding name.

Description: Fill in the description of the route.

Schedule: Specify the effective time range of the policy.

Move To: Place the policy before policy X. Policies are matched from top to bottom.

Data Packet: Filter and select the corresponding data packet information for matching.

Src Zone: The source zone for matching.

Src Address: The source network object for matching, which filters traffic by source IP address.

Destination: The destination address for matching. You can reference a Network Object, ISP, or Country/Region.

Network Object: Reference the network objects configured for your environment.

ISP: Perform routing according to ISPs. China Telecom, China Unicom, CERNET, and China Mobile are currently supported.

Country/Region: Perform selection by country/region.

Services: The service objects that need to be matched, as shown in the figure below.

Applications: The applications that need to be matched, as shown in the figure below.

Applications are hidden by default. Go to System > General Settings > Network and check the Allow associating policy-based routes with applications checkbox.

Interface and Next-Hop IP: Set the outbound interface and next-hop IP address used to forward matched traffic toward the destination IP address.

Reliability Detection: You can select No or Link State.

Route Priority: Specify the device's route priorities. You can click Settings to change the priority.

Configuration Case

A user wants to access an online bank at 100.100.100.100 over HTTPS. The online bank verifies the source IP address used for access and denies access if the source IP address changes within the same connection. In this case, configure a policy-based route so that traffic to this destination IP address is always sent out through the line connected to the eth1 interface.

Step 1. On the Navigation Menu page, choose Network > Routes > Policy-Based Route, click Add, select Source-Based Route for Route Type, and select IPv4 for Protocol. Fill in the fields under Basics and Data Packet, as shown below.

Step 2. Configure the outbound interface as eth1, as shown in the following figure.

Step 3. Click Save to complete the configuration, as shown in the following figure.
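
Because policies are matched from top to bottom, the bank route only takes effect if no broader route above it matches the same traffic first. The Python model below is an added illustration, not Athena NGFW code or configuration: it evaluates an ordered policy list with first-match semantics and flags a route that is shadowed by an earlier one. The LAN subnet 192.168.1.0/24, the second line eth2, and the route names are assumptions; only 100.100.100.100, HTTPS, and eth1 come from the case above.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class PolicyRoute:
    name: str
    src: str        # source network (CIDR)
    dst: str        # destination network (CIDR)
    proto: str      # "tcp", "udp" or "any"
    dports: range   # destination ports
    out_if: str     # outbound interface

    def matches(self, src_ip, dst_ip, proto, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto) and dport in self.dports)

    def covers(self, other):
        """True if every packet matching `other` also matches this route."""
        net = ipaddress.ip_network
        return (net(other.src).subnet_of(net(self.src))
                and net(other.dst).subnet_of(net(self.dst))
                and self.proto in ("any", other.proto)
                and self.dports.start <= other.dports.start
                and other.dports.stop <= self.dports.stop)

def select_route(table, src_ip, dst_ip, proto, dport):
    """First match wins, top to bottom; None means fall back to normal routing."""
    for route in table:
        if route.matches(src_ip, dst_ip, proto, dport):
            return route.name, route.out_if
    return None

def shadowed(table):
    """(later, earlier) pairs: an earlier route covers a later one but uses another interface."""
    hits = []
    for i, later in enumerate(table):
        for earlier in table[:i]:
            if earlier.covers(later) and earlier.out_if != later.out_if:
                hits.append((later.name, earlier.name))
                break
    return hits

# Constructed sample policies (subnet, eth2 and names are assumptions).
BANK = PolicyRoute("bank-https", "192.168.1.0/24", "100.100.100.100/32", "tcp", range(443, 444), "eth1")
OTHER = PolicyRoute("lan-via-eth2", "192.168.1.0/24", "0.0.0.0/0", "any", range(0, 65536), "eth2")
GOOD_ORDER = [BANK, OTHER]   # bank route on top
BAD_ORDER = [OTHER, BANK]    # broad route on top shadows the bank route

if __name__ == "__main__":
    for label, table in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        print(label, select_route(table, "192.168.1.10", "100.100.100.100", "tcp", 443), shadowed(table))
```

With the broad route on top, the bank session leaves through eth2 and the bank route never matches, which is the condition the Move To setting is there to prevent.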