Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Configuration Example on how to redirect Web traffic to a Proxy Server using PBR (Policy-Based Routing)

0

0

Article ID: KB24139 KB Last Updated: 11 Sep 2019Version: 4.0
Summary:

This article provides a configuration example on how to redirect the Web traffic to a Proxy server using PBR (Policy-Based Routing).

Symptoms:

The requirement is to configure the firewall in a way that the particular traffic is forwarded to the Proxy server first and then goes outside the network.


Most proxies are a Web proxy, allowing access to content on the Internet.

Solution:

In the following example, all traffic destined for port 80 and 443 has to be forwarded to a transparent Web Proxy Server in the network environment with destination port translated to 8080 or some other port. Then, from the proxy server, the requests are forwarded to an outside network, so that this traffic can be monitored and filtered as required on the proxy server. To support such a requirement, the firewall is configured as follows:

  1. A PBR is used to forward the traffic for port 80 and 443 towards the proxy server in DMZ. The PBR will be preferred over the destination based routing or other types of routing (SBR/SIBR) and prevent traffic from being directly forwarded to the Untrust zone.

  2. A policy is created to allow traffic from the Trust zone to DMZ for HTTP and HTTPS services. NAT-dst is enabled to translate the destination address in the traffic to that of the proxy server and port 8080 (or whatever requirement is for the proxy server).

  3. A policy is created from DMZ to Untrust to allow traffic from the proxy server to the Internet.
 

Configuration:

set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Untrust"
set interface "ethernet0/2" zone "DMZ"

set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 nat
set interface ethernet0/1 ip 2.2.2.1/30
set interface ethernet0/1 route
set interface ethernet0/2 ip 1.1.1.1/30
set interface ethernet0/2 nat

set vrouter trust-vr   <-- Enter in to the vrouter in which route lookup has to take place, e.g. trust-vr here
set access-list extended 1 src-ip 192.168.1.0/24 dst-port 80-80 protocol tcp entry 1
set access-list extended 1 src-ip 192.168.1.0/24 dst-port 443-443 protocol tcp entry 2
set match-group name test
set match-group test ext-acl 1 match-entry 1
set action-group name test
set action-group test next-interface ethernet0/2 next-hop 1.1.1.2 action-entry 1
set pbr policy name test
set pbr policy test match-group test action-group test 1
exit  <-- exit from the vrouter
set interface ethernet0/0 pbr test

set policy id 1 from "Trust" to "DMZ" "192.168.1.0/24" "Any" "ANY" nat dst ip 1.1.1.2 port 8080 permit log
set policy id 2 from "DMZ" to "Untrust" "1.1.1.2/32" "Any" "ANY" permit

set route 0.0.0.0/0 int eth0/1 gateway 2.2.2.2
Note: For information about PBR traffic across multiple VRs, refer to KB9404 - Configuration tip - Policy Based Routing (PBR) not working across multiple Virtual Routers (VR).
Modification History:

2019-09-10: Added notes (highlighted in blue) to point out important lines in the configuration example.

Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search