[ScreenOS] Configuration Example on how to redirect Web traffic to a Proxy Server using PBR (Policy-Based Routing)

  [KB24139]


Summary:

This article provides a configuration example on how to redirect the Web traffic to a Proxy server using PBR (Policy-Based Routing).

Symptoms:

The requirement is to configure the firewall so that particular traffic is forwarded to the proxy server first and only then leaves the network.


Most proxies are Web proxies, allowing access to content on the Internet.

Solution:

In the following example, all traffic destined for ports 80 and 443 must be forwarded to a transparent Web proxy server in the network environment, with the destination port translated to 8080 (or another port the proxy listens on). The proxy server then forwards the requests to the outside network, so that this traffic can be monitored and filtered on the proxy server as required. To support this requirement, the firewall is configured as follows:

  1. A PBR policy is used to forward traffic for ports 80 and 443 towards the proxy server in the DMZ. PBR is preferred over destination-based routing and the other routing types (SBR/SIBR), which prevents the traffic from being forwarded directly to the Untrust zone.

  2. A policy is created to allow traffic from the Trust zone to the DMZ for the HTTP and HTTPS services. NAT-dst is enabled to translate the destination address of the traffic to that of the proxy server and the destination port to 8080 (or whatever port the proxy server requires).

  3. A policy is created from the DMZ to Untrust to allow traffic from the proxy server to the Internet.
 

Configuration:

set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "Untrust"
set interface "ethernet0/2" zone "DMZ"

set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/0 nat
set interface ethernet0/1 ip 2.2.2.1/30
set interface ethernet0/1 route
set interface ethernet0/2 ip 1.1.1.1/30
set interface ethernet0/2 nat

set vrouter trust-vr   <-- Enter the vrouter in which the route lookup takes place, e.g. trust-vr here
set access-list extended 1 src-ip 192.168.1.0/24 dst-port 80-80 protocol tcp entry 1
set access-list extended 1 src-ip 192.168.1.0/24 dst-port 443-443 protocol tcp entry 2
set match-group name test
set match-group test ext-acl 1 match-entry 1
set action-group name test
set action-group test next-interface ethernet0/2 next-hop 1.1.1.2 action-entry 1
set pbr policy name test
set pbr policy test match-group test action-group test 1
exit  <-- exit from the vrouter
set interface ethernet0/0 pbr test

set policy id 1 from "Trust" to "DMZ" "192.168.1.0/24" "Any" "ANY" nat dst ip 1.1.1.2 port 8080 permit log
set policy id 2 from "DMZ" to "Untrust" "1.1.1.2/32" "Any" "ANY" permit

set route 0.0.0.0/0 interface ethernet0/1 gateway 2.2.2.2

Note: For information about PBR traffic across multiple VRs, refer to KB9404 - Configuration tip - Policy Based Routing (PBR) not working across multiple Virtual Routers (VR).
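As an added illustration (not part of this KB article or of ScreenOS itself), the following Python model parses the PBR, binding and default-route lines above and reports where a given flow is sent. It shows that only TCP 80/443 from 192.168.1.0/24 entering on ethernet0/0 is redirected to the proxy next-hop, while everything else, including the proxy's own outbound traffic entering on ethernet0/2 (which has no PBR policy bound), follows the default route and so cannot loop back to the proxy. The host 192.168.1.10 and destination 203.0.113.10 are constructed sample values; only the ACL fields used in the article are modelled.

```python
import ipaddress

# Constructed copy of the PBR, binding and default-route lines from the article above.
CONFIG = """
set access-list extended 1 src-ip 192.168.1.0/24 dst-port 80-80 protocol tcp entry 1
set access-list extended 1 src-ip 192.168.1.0/24 dst-port 443-443 protocol tcp entry 2
set match-group test ext-acl 1 match-entry 1
set action-group test next-interface ethernet0/2 next-hop 1.1.1.2 action-entry 1
set pbr policy test match-group test action-group test 1
set interface ethernet0/0 pbr test
set route 0.0.0.0/0 interface ethernet0/1 gateway 2.2.2.2
"""

def parse(config):
    """Build lookup tables from the subset of ScreenOS syntax used above."""
    acl, mg, ag, pbr, bind, routes = {}, {}, {}, {}, {}, []
    for line in config.splitlines():
        w = line.split()
        if len(w) < 5 or w[2] == "name":       # skip blanks and bare "name" declarations
            continue
        if w[1:3] == ["access-list", "extended"]:
            lo, hi = map(int, w[7].split("-"))
            acl.setdefault(w[3], []).append((ipaddress.ip_network(w[5]), lo, hi, w[9]))
        elif w[1] == "match-group":
            mg[w[2]] = w[4]                    # match-group -> extended ACL id
        elif w[1] == "action-group":
            ag[w[2]] = (w[4], w[6])            # action-group -> (next-interface, next-hop)
        elif w[1:3] == ["pbr", "policy"]:
            pbr[w[3]] = (w[5], w[7])           # policy -> (match-group, action-group)
        elif w[1] == "interface" and w[3] == "pbr":
            bind[w[2]] = w[4]                  # ingress interface -> bound PBR policy
        elif w[1] == "route":
            routes.append((ipaddress.ip_network(w[2]), w[4], w[6]))
    return acl, mg, ag, pbr, bind, routes

def egress(cfg, ingress, src, dst, dport, proto="tcp"):
    """Return (interface, next-hop, "pbr" or "route") for a flow entering on `ingress`."""
    acl, mg, ag, pbr, bind, routes = cfg
    if ingress in bind:                        # PBR is consulted only on the bound interface
        match, action = pbr[bind[ingress]]
        for net, lo, hi, p in acl[mg[match]]:
            if ipaddress.ip_address(src) in net and lo <= dport <= hi and p == proto:
                return ag[action] + ("pbr",)
    for net, iface, gw in sorted(routes, key=lambda r: -r[0].prefixlen):
        if ipaddress.ip_address(dst) in net:   # otherwise ordinary destination routing
            return (iface, gw, "route")
    return None

CFG = parse(CONFIG)
```

Call `egress(CFG, "ethernet0/0", "192.168.1.10", "203.0.113.10", 443)` to see the redirect to the proxy and `egress(CFG, "ethernet0/2", "1.1.1.2", "203.0.113.10", 443)` to see the proxy's uplink traffic take the default route.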
Modification History:

2019-09-10: Added notes (highlighted in blue) to point out important lines in the configuration example.
