[ScreenOS] Why is the Policy-Based Routing (PBR) not working when applied at the VR-level or Zone-level?

Article ID: KB9403 | KB Last Updated: 26 May 2019 | Version: 8.0
Summary:

When PBR (Policy-Based Routing) is configured on a Juniper firewall, the policy is not checked if it is applied at either the VR level or the Zone level. The policy is checked when it is applied at the Interface level.

Symptoms:
  • Policy is not checked when applied at either the VR level or Zone level
  • Policy is checked when applied at the interface level
  • When you create a policy-based routing (PBR) policy and apply it to the zone, you do not see traffic hit this policy in the debug. Instead, the normal destination-based route is used, and traffic is sent out the wrong interface or is dropped.
Solution:

Even though the policy is not APPLIED at the interface, each ingress interface must be ENABLED for PBR.  In addition to enabling it on the ingress interface, you must also select the policy for that particular interface.

From the WebUI:

Browse to Network > Routing > PBR > Policy Binding
Select each interface and click the "Enable" check-box.

From the CLI:

Enable PBR for the ingress interface under the VR using the following commands:

set vr trust
set interface <interface> pbr
exit


Example of a valid PBR configuration:

set access-list extended 10 src-ip X.X.X.X/32 entry 1
set match-group name match
set match-group match ext-acl 10 match-entry 1
set action-group name pbr_to_dmz
set action-group pbr_to_dmz next-hop X.XX.X.XX action-entry 1
set pbr policy name pbr_policy
set pbr policy pbr_policy match-group match action-group pbr_to_dmz 1
exit
set interface ethernet2/4 pbr pbr_policy
set zone Trust pbr pbr_policy
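
The check below is an added example, not part of the original article or a Juniper tool: it reads a saved ScreenOS configuration and, for every zone that has a PBR policy bound, lists member interfaces that lack either of the two per-interface lines the Solution calls for. It assumes the enable line and the policy-selection line are recorded separately, in the forms shown above, and that zone membership appears as "set interface <interface> zone <zone>"; the function name and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample (not from the article): ethernet0/2 sits in Trust but
# was never enabled for PBR; ethernet0/1 has both lines the article requires.
SAMPLE_CONFIG = """\
set interface "ethernet0/1" zone "Trust"
set interface "ethernet0/2" zone "Trust"
set interface "ethernet0/3" zone "Untrust"
set vr trust
set interface ethernet0/1 pbr
exit
set interface ethernet0/1 pbr pbr_policy
set zone Trust pbr pbr_policy
"""

def audit_zone_pbr(config):
    """Return sorted (zone, interface, problem) tuples for zones with a PBR policy."""
    zone_of, enabled, selected, zone_policy = {}, set(), {}, {}
    for raw in config.splitlines():
        line = raw.strip().replace('"', "")  # saved configs may quote names
        if m := re.fullmatch(r"set interface (\S+) zone (.+)", line):
            zone_of[m[1]] = m[2].lower()
        elif m := re.fullmatch(r"set interface (\S+) pbr", line):
            enabled.add(m[1])                # ingress interface enabled for PBR
        elif m := re.fullmatch(r"set interface (\S+) pbr (\S+)", line):
            selected[m[1]] = m[2]            # policy selected on the interface
        elif m := re.fullmatch(r"set zone (.+) pbr (\S+)", line):
            zone_policy[m[1].lower()] = m[2]
    findings = []
    for iface, zone in zone_of.items():
        if zone not in zone_policy:
            continue  # no zone-level PBR policy, nothing to check
        if iface not in enabled:
            findings.append((zone, iface, "not enabled for PBR"))
        if iface not in selected:
            findings.append((zone, iface, "no PBR policy selected"))
    return sorted(findings)

if __name__ == "__main__":
    for zone, iface, problem in audit_zone_pbr(SAMPLE_CONFIG):
        print(f"zone {zone}: {iface} {problem}")
```

An empty result means every interface in a PBR-bound zone carries both lines; any finding marks an ingress interface whose traffic would fall back to the normal destination-based route.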

Modification History:
2019-05-25: Minor, non-technical edit.
