Tuesday, September 17, 2013

Juniper NetScreen Firewall Policy Routing

Policy routing on firewalls may not be that important for many organizations, but there are occasions where policy based routing has to be implemented. The idea of this post is to walk through applying PBR on NetScreen firewalls running ScreenOS.
One important point: I strongly suggest that you do not use the GUI when doing PBR configuration on your NetScreen firewall.

These commands were applied and tested on a NetScreen SSG520M firewall appliance.
(Values such as ACL numbers, group names, IP addresses and interface names in the commands below need to be replaced with your own.)

Step 1 - First we need to enter the virtual router "trust-vr":

    SSG520(M)-> set vrouter trust-vr
    SSG520(trust-vr)(M)->

Step 2 - Create the extended access list that matches the traffic for the PBR.
(In ScreenOS 6.3 extended ACLs can be created with IDs in the range 1 - 99.)

    SSG520(trust-vr)(M)-> set access-list extended 10 src-ip 192.168.2.1 255.255.255.255 dst-ip 8.8.8.8 255.255.255.255 protocol any entry 1

Step 3 - Create the match group that will reference the created ACL:

    SSG520(trust-vr)(M)-> set match-group name Match_group_1

Step 4 - Now bind the ACL to the match group:

    SSG520(trust-vr)(M)-> set match-group Match_group_1 ext-acl 10 match-entry 1

Step 5 - Create the action group that indicates which action to perform on traffic hitting the match group:

    SSG520(trust-vr)(M)-> set action-group name Action_group_1

Step 6 - Create an action for the action group (here, a next hop):

    SSG520(trust-vr)(M)-> set action-group Action_group_1 next-hop 10.10.10.1 action-entry 1

Step 7 - Create a PBR policy that will bind the match group to the action group:

    SSG520(trust-vr)(M)-> set pbr policy name Pbr_policy_1

Step 8 - Bind the match group and the action group together in the created policy (the trailing 1 is the sequence number of this entry in the policy):

    SSG520(trust-vr)(M)-> set pbr policy Pbr_policy_1 match-group Match_group_1 action-group Action_group_1 1

Step 9 - Finally apply the created policy to the desired interface, but first make sure you have exited from the virtual router trust-vr:

    SSG520(M)-> set interface eth0/1 pbr Pbr_policy_1

That's all. There is one important thing to remember when creating PBRs: in Juniper ScreenOS you cannot apply PBR on egress interfaces, so make sure you apply the policy on your ingress interface.
Do various experiments with PBR and you will find more things to do than are described here.
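To make the object chain from the steps above and the ingress-only caveat concrete, here is an added example (not from the original post, not ScreenOS code) that models how a packet arriving on an interface is evaluated: extended ACL entry, match group, PBR policy sequence, action group next hop. The packet dict, the "any entry matches" rule for a match group and the "lowest action entry wins" rule are assumptions of this model, not documented ScreenOS behaviour.

```python
import ipaddress
from typing import Optional

# Constructed model of the ScreenOS PBR objects configured in the post:
# extended ACL -> match group -> PBR policy -> action group (next hop),
# bound to one ingress interface. Values are the post's example values.

# access-list extended 10: entry 1 = (src "ip mask", dst "ip mask", protocol)
ACLS = {10: {1: ("192.168.2.1 255.255.255.255", "8.8.8.8 255.255.255.255", "any")}}
# match-group Match_group_1: match-entry 1 references ext-acl 10 entry 1
MATCH_GROUPS = {"Match_group_1": {1: (10, 1)}}
# action-group Action_group_1: action-entry 1 = next-hop 10.10.10.1
ACTION_GROUPS = {"Action_group_1": {1: "10.10.10.1"}}
# pbr policy Pbr_policy_1: sequence 1 binds the match group to the action group
PBR_POLICIES = {"Pbr_policy_1": {1: ("Match_group_1", "Action_group_1")}}
# "set interface eth0/1 pbr Pbr_policy_1": PBR is evaluated on ingress only
INTERFACE_PBR = {"eth0/1": "Pbr_policy_1"}


def in_prefix(ip: str, spec: str) -> bool:
    """True when ip falls inside the 'address mask' pair used by the ACL."""
    addr, mask = spec.split()
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return ipaddress.IPv4Address(ip) in net


def acl_entry_matches(acl_id: int, entry_id: int, pkt: dict) -> bool:
    src, dst, proto = ACLS[acl_id][entry_id]
    return (in_prefix(pkt["src"], src) and in_prefix(pkt["dst"], dst)
            and proto in ("any", pkt["proto"]))


def pbr_next_hop(ingress_if: str, pkt: dict) -> Optional[str]:
    """Next hop chosen by PBR for a packet arriving on ingress_if, or None when
    nothing matches and the packet falls through to the normal route lookup.
    Assumption (not documented ScreenOS behaviour): a match group matches if
    any of its entries match, and the lowest-numbered action entry is used."""
    policy = INTERFACE_PBR.get(ingress_if)
    if policy is None:          # no policy bound here (e.g. an egress-only interface)
        return None
    for seq in sorted(PBR_POLICIES[policy]):
        mg, ag = PBR_POLICIES[policy][seq]
        if any(acl_entry_matches(a, e, pkt) for a, e in MATCH_GROUPS[mg].values()):
            return ACTION_GROUPS[ag][min(ACTION_GROUPS[ag])]
    return None


if __name__ == "__main__":
    dns = {"src": "192.168.2.1", "dst": "8.8.8.8", "proto": "udp"}  # constructed
    print(pbr_next_hop("eth0/1", dns))   # steered to 10.10.10.1 by PBR
    print(pbr_next_hop("eth0/2", dns))   # None: policy is not bound on eth0/2
```

The second call shows why the interface binding matters: the same packet seen on an interface without the policy is simply routed by the route table.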
