Policy-Based Routing (PBR) on a Juniper ScreenOS Firewall

Here comes an example on how to configure policy-based routing (PBR) on a Juniper ScreenOS firewall. The requirement at the customer's site was to forward all http and https connections through a cheap but fast DSL Internet connection, while the business-relevant applications (mail, VoIP, ftp, …) should rely on the reliable ISP connection with static IPv4 addresses.

I am showing the five relevant menus to configure PBR on the ScreenOS GUI.

The software version running during this test on the Juniper SSG5 was 6.3.0r16a.0.

Policy within five Submenus

The PBR configuration is straightforward through the five submenus under Network -> Routing -> PBR. The Extended ACL defines the relevant IP & Port connections which are grouped in a Match Group. The Action Group defines the forwarding to the DSL router. The Match and Action Group are tied together in a Policy which is then added to an interface in the Policy Binding.

As always, here are my configuration screenshots:

The Extended ACL defines the source IPv4 ranges and the destination ports 80 (http) and 443 (https). The destination IPv4 address is set to any (0.0.0.0/0). Since I have only one ACL, the match group called "Match-Surf-DSL" looks quite boring. The "Action-Surf-DSL" action group defines the forwarding to the DSL router behind interface eth0/3. The "Policy-Surf-DSL" policy: connections that match the Match Group take the action in the Action Group. Finally, the Policy Binding on the incoming interface of the traffic: the "Policy-Surf-DSL" is tied to eth0/5.10 (DMZ).

I was not quite sure to which VR/Zone/Interface the policy must be bound. This document from Juniper points to the interface, while this one refers to the zone and the interface. However, it worked after binding the policy to the interface only, and it worked after an additional binding to the zone, too.

Of course, a security policy must also be configured. For the sake of completeness I am showing my single policy with a SNAT, too:

A single any-any policy. Nothing interesting to see here. ;) But a source translation to the interface IP. This takes care of the reverse route on the DSL router, which only ever sees the firewall's own interface address.
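The same five PBR steps and the any-any SNAT policy as ScreenOS CLI commands, added here as an example and not taken from the original post. The vrouter name (trust-vr), the source range 10.0.10.0/24, the DSL next hop 198.51.100.1 and the ACL/entry numbers are assumptions; the `#` lines are annotations, not CLI input, and the exact keywords should be confirmed with `?` on the box.

```screenos
# Assumed: trust-vr, LAN 10.0.10.0/24 behind eth0/5.10 (zone DMZ),
# DSL router 198.51.100.1 behind ethernet0/3 (constructed values).
set vrouter trust-vr
# 1. Extended ACL: tcp/80 and tcp/443 from the LAN to any destination
set access-list extended 10 src-ip 10.0.10.0/24 dst-ip 0.0.0.0/0 dst-port 80-80 protocol tcp entry 1
set access-list extended 10 src-ip 10.0.10.0/24 dst-ip 0.0.0.0/0 dst-port 443-443 protocol tcp entry 2
# 2. Match group that references the ACL
set match-group name Match-Surf-DSL
set match-group Match-Surf-DSL ext-acl 10 match-entry 1
# 3. Action group: forward matching traffic to the DSL router
set action-group name Action-Surf-DSL
set action-group Action-Surf-DSL next-interface ethernet0/3 next-hop 198.51.100.1 action-entry 1
# 4. PBR policy tying the match group to the action group
set pbr policy name Policy-Surf-DSL
set pbr policy Policy-Surf-DSL match-group Match-Surf-DSL action-group Action-Surf-DSL 1
exit
# 5. Policy binding on the ingress interface (the zone binding is optional, see above)
set interface ethernet0/5.10 pbr Policy-Surf-DSL
# set zone DMZ pbr Policy-Surf-DSL
# Security policy: any-any with source NAT to the egress interface IP,
# so the DSL router only needs a route back to the firewall's interface
set policy from DMZ to Untrust any any any nat src permit
# Verification: list the PBR policy and check that a web session leaves via ethernet0/3
get pbr policy
get session src-ip 10.0.10.50 dst-port 443
```

If http/https sessions still show the primary ISP interface as egress, check that the binding sits on the interface the traffic actually enters, since PBR is evaluated on ingress before the routing table.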

PBR with different Virtual Routers

I also tried the concept with two virtual routers – one for each ISP connection. In this way, incoming connections through the DSL router would be possible, e.g., for VPNs, because it has its own default route back to the Internet. Unfortunately I was not able to correctly configure the policy-based routing to another virtual router, though I followed this document from Juniper. Maybe I misunderstood something about the "self-referenced host route". However, in my opinion this concept from Juniper does not look reliable at all. Therefore, I am using the normal PBR scenario without the possibility to accept incoming connections.
