[ScreenOS] Why is the Policy-Based Routing (PBR) not working when applied at the VR-level or Zone-level?

[KB9403]


Summary:

When configuring Policy-Based Routing (PBR) on a Juniper ScreenOS firewall, the policy is not checked when it is applied at either the VR-level or the Zone-level. The policy is checked only when it is applied at the Interface-level.

Symptoms:
  • Policy is not checked when applied at either the VR level or Zone level
  • Policy is checked when applied at the interface level
  • When you create a policy-based routing (PBR) policy and apply it to the zone, the traffic does not hit this policy in the debug output. Instead, the normal destination-based route is used and traffic is sent out the wrong interface or is dropped.
Solution:

Even though the policy is not APPLIED at the interface (it is applied at the zone or VR), each ingress interface must still be ENABLED for PBR. In addition to enabling PBR on the ingress interface, you must also select the policy for that particular interface.

From the WebUI:

Browse to Network > Routing > PBR > Policy Binding
Select each interface and click the "Enable" check-box.

From the CLI:

Enable PBR for the ingress interface under the VR using the following commands:

set vr trust
set interface <interface> pbr
exit


Example of a valid PBR configuration:

set access-list extended 10 src-ip X.X.X.X/32 entry 1
set match-group name match
set match-group match ext-acl 10 match-entry 1
set action-group name pbr_to_dmz
set action-group pbr_to_dmz next-hop X.XX.X.XX action-entry 1
set pbr policy name pbr_policy
set pbr policy pbr_policy match-group match action-group pbr_to_dmz 1
exit
set interface ethernet2/4 pbr pbr_policy
set zone Trust pbr pbr_policy
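
The following script is an added example, not Juniper's code and not part of this article: it audits a ScreenOS configuration dump for the condition described above, a PBR policy bound at the zone level while one or more interfaces in that zone are not enabled for PBR (or are enabled without a policy selected), and prints the CLI lines in the form given above that would correct it. It assumes the command forms shown in this article plus `set interface <interface> zone <zone>` for zone membership, and it treats zone names as case-insensitive; the sample configuration embedded in it is constructed for the demonstration.

```python
"""Audit a ScreenOS configuration dump for PBR policies bound at zone level
whose member interfaces are not enabled for PBR (or have no policy selected).

Added example, not Juniper's code. Assumes the command forms shown in the KB
plus 'set interface <if> zone <zone>' for zone membership; the sample
configuration below is constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# Command forms recognised. Interface PBR lines come with or without a policy name.
RE_IF_ZONE = re.compile(r"^set interface (\S+) zone (\S+)$")
RE_IF_PBR = re.compile(r"^set interface (\S+) pbr(?: (\S+))?$")
RE_ZONE_PBR = re.compile(r"^set zone (\S+) pbr (\S+)$")

# Constructed sample: ethernet2/4 is correctly bound, ethernet2/5 is not enabled
# for PBR at all, and ethernet2/6 is enabled but has no policy selected.
SAMPLE_CONFIG = """\
set interface ethernet2/4 zone Trust
set interface ethernet2/5 zone Trust
set interface ethernet2/6 zone Trust
set interface ethernet3/1 zone DMZ
set vr trust
set access-list extended 10 src-ip 10.0.0.5/32 entry 1
set match-group name match
set match-group match ext-acl 10 match-entry 1
set action-group name pbr_to_dmz
set action-group pbr_to_dmz next-hop 10.1.1.1 action-entry 1
set pbr policy name pbr_policy
set pbr policy pbr_policy match-group match action-group pbr_to_dmz 1
set interface ethernet2/4 pbr pbr_policy
set interface ethernet2/6 pbr
set zone Trust pbr pbr_policy
exit
"""


@dataclass(frozen=True)
class Finding:
    iface: str
    zone: str
    policy: str      # zone-level policy that will not be checked on this interface
    problem: str     # "not_enabled" or "no_policy"


def parse_config(text):
    """Return (iface->zone, iface->bound policy or None, zone->policy) maps."""
    iface_zone, iface_pbr, zone_policy = {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_IF_ZONE.match(line):
            iface_zone[m.group(1)] = m.group(2).lower()   # assumption: zone names are case-insensitive
        elif m := RE_IF_PBR.match(line):
            iface_pbr[m.group(1)] = m.group(2)            # None when PBR is enabled with no policy
        elif m := RE_ZONE_PBR.match(line):
            zone_policy[m.group(1).lower()] = m.group(2)
    return iface_zone, iface_pbr, zone_policy


def audit_pbr(text):
    """List every zone-member interface on which the zone's PBR policy will not be checked."""
    iface_zone, iface_pbr, zone_policy = parse_config(text)
    findings = []
    for zone, policy in sorted(zone_policy.items()):
        for iface in sorted(i for i, z in iface_zone.items() if z == zone):
            if iface not in iface_pbr:
                findings.append(Finding(iface, zone, policy, "not_enabled"))
            elif iface_pbr[iface] is None:
                findings.append(Finding(iface, zone, policy, "no_policy"))
    return findings


def fix_commands(text, vr_name="trust"):
    """CLI lines, in the form the KB gives, that bind the zone policy on each flagged interface."""
    findings = audit_pbr(text)
    if not findings:
        return []
    cmds = [f"set vr {vr_name}"]
    cmds += [f"set interface {f.iface} pbr {f.policy}" for f in findings]
    cmds.append("exit")
    return cmds


if __name__ == "__main__":
    for f in audit_pbr(SAMPLE_CONFIG):
        print(f"{f.iface} (zone {f.zone}): {f.problem}; zone policy {f.policy} is not checked on this interface")
    print("\n".join(fix_commands(SAMPLE_CONFIG)))
```

Run it against the output of `get config` saved to a file by replacing SAMPLE_CONFIG with the file's contents; an interface that already binds a different policy of its own is deliberately left alone, since the interface-level policy is the one that is checked.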

Modification History:
2019-05-25: Minor, non-technical edit.