In this architecture:
A secure web proxy is introduced to inspect and filter all web (HTTP/HTTPS) traffic.
Remaining traffic (non-web) must pass through an NGFW with IPS capabilities.
Both the web proxy and NGFW reside between the collapsed distribution/core and internet edge.
To enforce that all web traffic is directed to the proxy appliance for inspection and non-web traffic follows its usual path to the NGFW:
A. Policy-Based Routing (PBR) on the Collapsed Core
This allows traffic classification based on destination port (e.g., TCP 80/443) and selectively reroutes web traffic to the proxy. Non-web traffic continues toward the NGFW. PBR is essential here because traditional routing (based only on destination IP) would not differentiate between traffic types.
D. Static Routing on the Appliance
The proxy appliance must return the traffic back toward the NGFW for final processing and internet egress. This is typically achieved using static routes on the proxy device, ensuring the return path sends packets back to the correct firewall interface for consistent inspection.
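As an added illustration (not part of the original answer or of any vendor's documentation), options A and D expressed as Cisco IOS-style configuration on the collapsed core; the addresses, VLAN number, ACL and route-map names, and the use of IP SLA tracking are assumptions made for this example:

```cisco
! --- Collapsed core: PBR redirects web traffic to the proxy (option A) ---
! Assumed addressing (constructed for this example):
!   10.0.0.0/8   internal user networks
!   192.0.2.10   proxy appliance inside interface
!   192.0.2.1    NGFW inside interface (normal next hop toward the internet)
!
! Track the proxy so that PBR falls back to normal routing (straight to the
! NGFW) if the appliance is down, instead of black-holing web traffic.
ip sla 1
 icmp-echo 192.0.2.10
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Classify web traffic by Layer 4 destination port (TCP 80/443).
ip access-list extended WEB-TRAFFIC
 permit tcp 10.0.0.0 0.255.255.255 any eq 80
 permit tcp 10.0.0.0 0.255.255.255 any eq 443
!
! Sequence 10: matched (web) packets are forwarded to the proxy.
! Sequence 20: everything else is left untouched and follows the routing
! table, i.e. the default route toward the NGFW.
route-map REDIRECT-WEB permit 10
 match ip address WEB-TRAFFIC
 set ip next-hop verify-availability 192.0.2.10 10 track 1
route-map REDIRECT-WEB permit 20
!
! Apply PBR only on the user-facing SVIs. Do not apply it on the interface
! facing the proxy, otherwise traffic the proxy hands back could be matched
! and redirected to the proxy again (a loop).
interface Vlan100
 description Internal user VLAN (PBR applied here)
 ip address 10.1.100.1 255.255.255.0
 ip policy route-map REDIRECT-WEB
!
interface Vlan200
 description Security segment: proxy and NGFW inside interfaces (no PBR)
 ip address 192.0.2.2 255.255.255.0
!
! Normal path for non-web traffic: default route toward the NGFW.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

The complementary piece for option D lives on the proxy appliance itself: a static default route whose next hop is the NGFW inside interface (192.0.2.1 in this example), so that inspected web traffic leaves the proxy straight to the firewall rather than back through the core; on a Linux-based appliance that is `ip route add default via 192.0.2.1`. To confirm the redirect is taking effect, `show route-map REDIRECT-WEB` on the core reports the policy-matched packet counters for sequence 10, and they should increase only for TCP 80/443 flows from the user VLAN.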
❌ B. Policy-based routing on the internet edge: Not applicable here, as rerouting must occur closer to the source (collapsed core), before traffic reaches the internet edge.
❌ C. Policy-based routing on firewalls: This adds unnecessary complexity. Firewalls should focus on enforcing security policies, not traffic redirection logic in this scenario.
This approach adheres to CCDE v3.1 best practices by separating policy enforcement functions and enabling scalable, deterministic traffic flow through layered security appliances.