What should I do about forwarding
Not forwarding?
When initially reviewing traffic reported via DMARC for a domain, you will want to pay attention to traffic identified as "Forwarded", and try to determine whether the listed entries might actually be first-party senders that just don't authenticate well enough yet. Many environments have the capability to both generate new messages, and to forward messages to a different mailbox: this means that how dmarcian categorizes the reported traffic can depend on factors such as how well it authenticates.
The source rules that dmarcian applies to traffic categorizations attempt to identify whether traffic is first-party in some regard, forwarded, or something else : threat/unknown. These categorization determinations are made solely based on the information provided in DMARC reports we see for your domain, with an important component being the authentication success.
Your own understanding of your organization's mail policies and vendor relationships must be applied to the Forwarding view: if you see a source listed as a Forwarder but you believe it to be a first-party sender, you'll need to take that information and work with the sender to more completely authenticate messages; once that change is visible in reported traffic, new listings will show up in DMARC-Capable.
Longer term: once you have moved your domains to p=reject or just feel that you have gotten all traffic authenticating as well as possible, you will find less need to check into traffic categorized as forwarded; you cannot forbid recipients from forwarding messages, so there will almost always be some messages shown in this category.
Actually forwarding?
Once you send email to a recipient, there is nothing you can do to prevent them from forwarding the message elsewhere; this is just a facet of how email works. Similarly, you have no control over what that recipient environment does to your original message before/as it performs forwarding.
Unless the recipient performing the forwarding a) preserves the original message's Return-Path and b) is within an infrastructure specified by your domain's SPF record, SPF is expected to always fail when email is forwarded. As such, the original sender must DKIM sign messages for your domain, if you want that traffic to have any reasonable chance of passing DMARC when it is forwarded.
If a significant amount of traffic is reported as forwarding via a given destination environment (you can often identify this by a new domain in the SPF domain column in the Detail Viewer), sometimes it can be helpful for you to reach out to your recipient(s) at that domain to inquire about the forwarding practice that they are employing.