BJ
Uploaded byBart Jansens
KEY, PPTX239,251 views

Netscreen Policy Based Routing

Policy-based routing (PBR) on Juniper NetScreen firewalls allows routing decisions to be based on various packet attributes like source/destination addresses, ports, and protocols. This provides flexibility to redirect traffic in different ways, such as sending all HTTP traffic through a transparent proxy server or distributing traffic across multiple internet connections. The configuration involves creating extended ACLs to match traffic, match groups to group ACLs, action groups to define routing actions, policies to combine matches and actions, and binding policies to interfaces or virtual routers. Keeping PBR configurations simple and leaving room for future policies is recommended.

EducationTechnology
In this document
Powered by AI

Introduction to Policy Based Routing (PBR) on Juniper netscreen firewalls, which involves making routing decisions based on combinations of source/destination IP addresses, ports, protocols, and goals like traffic management.

To implement PBR, the requirement is to have ScreenOS 5.4 or later on Juniper netscreen firewalls.

Configuration steps include using Extended ACLs, Match Groups, Action Groups, Policy creation, and Policy Binding, along with their functions in routing decisions.

PBR needs to be enabled on every inbound interface, with tips on using CLI, avoiding policy renumbering, and keeping configurations simple.

Strategies for Cross-VR PBR and Bypassing PBR, detailing methods to redirect traffic while maintaining some exceptions.

Real-world examples of using PBR for multiple ISPs and Transparent Proxy setups, with configuration commands and requirements.

Closing slide with invitation for questions and contact information of the presenter.

Embed presentation

Download as KEY, PPTX
Policy Based Routing on Juniper netscreen firewalls
What? • Routing decision based on any combination of • source address • source port • destination address • destination port • Protocol • IP Type of Service
Why? • Redirect all HTTP traffic via a transparent proxy server • Distribute traffic across multiple internet connections
Requirements • ScreenOS 5.4 or later
Configuration
Configuration steps • Extended ACLs • Match Groups • Action Groups • Policy • Policy Binding
Extended ACL • Criteria for matching certain traffic • Each ACL has a numeric ID • Each ACL can contain multiple matching rules
Match group • Grouping of one or more extended ACLs • Has a human-readable name
Action Group • Group of one or more actions to perform • Actions are routing decisions • Send to interface eth0/1 • Send to gateway 1.2.3.4 • Send to gateway 1.2.3.4 via eth0/1 • First available action is used • send to interface is available when interface status is UP • send to gateway is available when a route to that gateway exists
Policy • Combines matching groups and action groups to make routing decisions • When there is no policy match, the regular routing tables are used
Policy binding • The PBR policy can be bound to • a virtual router • a zone • an interface • When different policies are configured on different levels, the most specific is used • Interface > Zone > Virtual router
Enabling PBR • PBR needs to be enabled individually on every inbound interface • Most people forget to do this, it is very well hidden in the WebUI
Tips & Tricks
Tips • If at first you don’t succeed, use the CLI, the WebUI is pretty error prone • Policies can’t be renumbered. Don’t start with policy id 1, leave some room for future policies • Keep it simple, don’t duplicate the regular routing tables in PBR
Cross-VR PBR • PBR is restricted to a single virtual router • But there is a trick • Create an action group with only a gateway IP, no interface • Create a /32 route for the gateway IP • Details: http://kb.juniper.net/KB9017
Bypassing PBR • Use case: Redirect all HTTP traffic to a proxy, except for the traffic originating from that proxy • There is no “do nothing” action group • An action group always requires at least one action (in NSM) • Solution: route to an interface that is always down, like vlan1.
Examples
Multiple ISPs • Setup: • eth0/0 : Symmetric 2mbit connection for business traffic (default route) • eth0/1 : Assymetric 20mbit DSL connection for web traffic (PBR) • eth0/2 : Internal network
Multiple ISPs set vrouter trust-vr set access-list extended 1 dst-port 80-80 protocol tcp entry 10 set access-list extended 1 dst-port 443-443 protocol tcp entry 15 set match-group name http_traffic set match-group http_traffic ext-acl 1 match-entry 10 set action-group route_dsl set action-group route_dsl next-interface eth0/1 next-hop 1.2.3.4 action-entry 10 set pbr policy trust-policy set pbr policy trust-policy match-group http_traffic action-group route_dsl 10 set pbr trust-policy set interface ethernet0/2 pbr exit
Transparent Proxy • Setup: • eth0/0 : Untrust zone • eth0/1 : Proxy zone • eth0/2 : Trust zone
Transparent Proxy set vrouter trust-vr set access-list extended 1 dst-port 80-80 protocol tcp entry 10 set match-group name http_traffic set match-group http_traffic ext-acl 1 match-entry 10 set action-group route_proxy set action-group route_proxy next-interface eth0/1 next-hop 1.2.3.4 action-entry 10 set pbr policy trust-policy set pbr policy trust-policy match-group http_traffic action-group route_proxy 10 set pbr trust-policy set interface ethernet0/2 pbr exit set policy from Trust to Proxy any any HTTP permit
Questions? bart@motd.be http://bart.motd.be

More Related Content

PPTX
TCP and UDP
byRamesh Giri
 
PPT
MPLS (Multi-Protocol Label Switching)
byVipin Sahu
 
PPTX
Application Layer
byDr Shashikant Athawale
 
PPT
Routing
bySaima Azam
 
PPTX
Routing Protocols
byNetProtocol Xpert
 
PPTX
Multiprotocol label switching (mpls) - Networkshop44
byJisc
 
PPTX
Presentation Routing algorithm
byBasit Hussain
 
PPTX
Distance Vector Routing
byShouvikDhali
 
TCP and UDP
byRamesh Giri
 
MPLS (Multi-Protocol Label Switching)
byVipin Sahu
 
Application Layer
byDr Shashikant Athawale
 
Routing
bySaima Azam
 
Routing Protocols
byNetProtocol Xpert
 
Multiprotocol label switching (mpls) - Networkshop44
byJisc
 
Presentation Routing algorithm
byBasit Hussain
 
Distance Vector Routing
byShouvikDhali
 

What's hot

PPTX
Icon based visualization techniques
byWafaQKhan
 
PPTX
Routing protocols
byrajshreemuthiah
 
PPT
Basics Of Networking (Overview)
byashiesh0007
 
DOCX
Packet tracer practical guide
byNishant Gandhi
 
PDF
Lecture24
byDr Sandeep Kumar Poonia
 
PPT
Introduction to Real-Time Operating Systems
bycoolmirza143
 
PDF
MPLS - Multiprotocol Label Switching
byPeter R. Egli
 
PPTX
Routing Presentation
byMohsin Ali
 
PPTX
IPv4 Addressing
byTheGodfather HA
 
PPTX
Go back-n protocol
bySTEFFY D
 
PPT
Floor planning ppt
byThrinadh Komatipalli
 
PPT
TCP/IP Network ppt
byextraganesh
 
PPTX
Bridge
byMadhushree Ghosh
 
PPTX
Mesh topology
bycoolsdq
 
PPTX
Real time Operating System
byTech_MX
 
PDF
MPLS Presentation
byUnni Kannan VijayaKumar
 
PPTX
Flip Chip technology
byMantra VLSI
 
PPT
ISDN
bySingh_Trn
 
PPTX
Query processing and Query Optimization
byNiraj Gandha
 
PPTX
Pstn (Public Switched Telephone Networks)
byrahuldaredia21
 
Icon based visualization techniques
byWafaQKhan
 
Routing protocols
byrajshreemuthiah
 
Basics Of Networking (Overview)
byashiesh0007
 
Packet tracer practical guide
byNishant Gandhi
 
Lecture24
byDr Sandeep Kumar Poonia
 
Introduction to Real-Time Operating Systems
bycoolmirza143
 
MPLS - Multiprotocol Label Switching
byPeter R. Egli
 
Routing Presentation
byMohsin Ali
 
IPv4 Addressing
byTheGodfather HA
 
Go back-n protocol
bySTEFFY D
 
Floor planning ppt
byThrinadh Komatipalli
 
TCP/IP Network ppt
byextraganesh
 
Bridge
byMadhushree Ghosh
 
Mesh topology
bycoolsdq
 
Real time Operating System
byTech_MX
 
MPLS Presentation
byUnni Kannan VijayaKumar
 
Flip Chip technology
byMantra VLSI
 
ISDN
bySingh_Trn
 
Query processing and Query Optimization
byNiraj Gandha
 
Pstn (Public Switched Telephone Networks)
byrahuldaredia21
 

Viewers also liked

PPTX
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
byLeonardo Nve Egea
 
PPT
Linux Based Advanced Routing with Firewall and Traffic Control
bysandy_vasan
 
PPT
Tunnel & vpn1
byariesubagyo
 
PDF
IP Routing Tutorial
byShortestPathFirst
 
PDF
Mikrotik load balansing
byКирилл Кекер
 
PDF
DNS rehabilitation Concept
byAlenamudr
 
PDF
Presentation on Domain Name System
byChinmay Joshi
 
OFFENSIVE: Exploiting DNS servers changes BlackHat Asia 2014
byLeonardo Nve Egea
 
Linux Based Advanced Routing with Firewall and Traffic Control
bysandy_vasan
 
Tunnel & vpn1
byariesubagyo
 
IP Routing Tutorial
byShortestPathFirst
 
Mikrotik load balansing
byКирилл Кекер
 
DNS rehabilitation Concept
byAlenamudr
 
Presentation on Domain Name System
byChinmay Joshi
 

Similar to Netscreen Policy Based Routing

DOC
How to configure pbr (policy based routing)
byLirouter Li
 
PDF
Policy Based Routing (PBR) on Mikrotik
byGLC Networks
 
PDF
Pbroute
byneillien
 
PPTX
MTCNA Show.pptx
byahmedraed19
 
PPTX
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
byAPNIC
 
PDF
Sdwan webinar
bypmohapat
 
PDF
66 pfsense tutorial
byequinonesr
 
PDF
The benefit of BGP for every service provider
byThomas Mangin
 
PDF
Multapplied Networks - Bonding and Load Balancing together in Bonded Internet™
byMultapplied Networks
 
PDF
mikrotik router two wan load-balancing.pdf
bydeukaion0611
 
PDF
ROUTERCONFIGURATION BOARD................
bycomptesarr
 
PDF
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
byNetgate
 
PDF
class12_Networking2
byT. J. Saotome
 
PPTX
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
byAPNIC
 
PPTX
IRR Tutorial and RPKI Demo
byAPNIC
 
PDF
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
byEC-Council
 
PDF
Ccie service provider preparation guide
bypavel
 
PDF
Lartc
bygobed
 
PDF
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
byNetgate
 
PDF
Policy Based Routing (PBR)
byKHNOG
 
How to configure pbr (policy based routing)
byLirouter Li
 
Policy Based Routing (PBR) on Mikrotik
byGLC Networks
 
Pbroute
byneillien
 
MTCNA Show.pptx
byahmedraed19
 
Internet Routing Registry and RPKI Tutorial, by Nurul Islam Roman [APNIC 38]
byAPNIC
 
Sdwan webinar
bypmohapat
 
66 pfsense tutorial
byequinonesr
 
The benefit of BGP for every service provider
byThomas Mangin
 
Multapplied Networks - Bonding and Load Balancing together in Bonded Internet™
byMultapplied Networks
 
mikrotik router two wan load-balancing.pdf
bydeukaion0611
 
ROUTERCONFIGURATION BOARD................
bycomptesarr
 
Routed IPsec on pfSense 2.4.4 - pfSense Hangout June 2018
byNetgate
 
class12_Networking2
byT. J. Saotome
 
Internet Routing Registry Tutorial, by Nurul Islam Roman [APRICOT 2015]
byAPNIC
 
IRR Tutorial and RPKI Demo
byAPNIC
 
TakeDownCon Rocket City: Bending and Twisting Networks by Paul Coggin
byEC-Council
 
Ccie service provider preparation guide
bypavel
 
Lartc
bygobed
 
Multi-WAN on pfSense 2.3 - pfSense Hangout March 2016
byNetgate
 
Policy Based Routing (PBR)
byKHNOG
 

Recently uploaded

PDF
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
PPTX
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
PPTX
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
PPTX
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
PDF
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
PPTX
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
PPTX
Nursing Unit Management, patient care unit, physical layout of nursing unit,t...
byyellow4878
 
PPTX
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
PPTX
Planning Assessment for Outcome-based Education
byAdri Jovin
 
PDF
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
PPTX
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
PPTX
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
PPTX
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
PPTX
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
PPTX
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
PDF
Using Charts and Tables in Presenting Data
byThelma Villaflores
 
PPTX
Overview of how to Create a Model in Odoo 18
byCeline George
 
PPTX
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PDF
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 
Risk management in Moroccan public hospitals_ a literature review
byMan_Ebook
 
REVISED DEFENSE MECHANISM / ADJUSTMENT MECHANISM-FINAL
byShimla
 
Expected Revenue Report In Odoo 18 CRM
byCeline George
 
4 G8_Q3_L4 (Evaluating opinion editorials for textual evidence and quality).pptx
byNorafeSahagun
 
Blood Group Incompatibility: Rh Factor and Erythroblastosis Fetalis
bySudhandraKarthi
 
Partial Correlation of Coefficient - Values of r₁₂.₃, r₂₃.₁ & r₁₃.₂
bySundar B N
 
Nursing Unit Management, patient care unit, physical layout of nursing unit,t...
byyellow4878
 
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
Planning Assessment for Outcome-based Education
byAdri Jovin
 
M.Sc. Nonchordates Complete Syllabus PPT | All Important Topics Covered
byKNIPSS SULTANPUR
 
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
Pig- piggy bank in Big Data Analytics.ppt.pptx
byVarshini M
 
The Cell & Cell Cycle-detailed structure and function of organelles.pptx
byAshish Umale
 
Basics in Phytochemistry, Extraction, Isolation methods, Characterisation etc.
byD. Y. Patil College of Pharmacy, Kolhapur.
 
UNIT 1: COMMUNICATION SKILLS, BARRIERS TO COMMUNICATION, PERSPECTIVES IN COMM...
byPOOJA KARVANDE
 
Using Charts and Tables in Presenting Data
byThelma Villaflores
 
Overview of how to Create a Model in Odoo 18
byCeline George
 
Growth & Development MILESTONES (ADOLESCENTS ).pptx
byAneetaSharma15
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
Scalable-MADDPG-Based Cooperative Target Invasion for a Multi-USV System.pdf
byMan_Ebook
 

Netscreen Policy Based Routing

  • 1.
    Policy Based Routing on Juniper netscreen firewalls
  • 2.
    What? • Routing decision based on any combination of • source address • source port • destination address • destination port • Protocol • IP Type of Service
  • 3.
    Why? • Redirect allHTTP traffic via a transparent proxy server • Distribute traffic across multiple internet connections
  • 4.
  • 5.
  • 6.
    Configuration steps • ExtendedACLs • Match Groups • Action Groups • Policy • Policy Binding
  • 7.
    Extended ACL • Criteriafor matching certain traffic • Each ACL has a numeric ID • Each ACL can contain multiple matching rules
  • 8.
    Match group • Groupingof one or more extended ACLs • Has a human-readable name
  • 9.
    Action Group • Group of one or more actions to perform • Actions are routing decisions • Send to interface eth0/1 • Send to gateway 1.2.3.4 • Send to gateway 1.2.3.4 via eth0/1 • First available action is used • send to interface is available when interface status is UP • send to gateway is available when a route to that gateway exists
  • 10.
    Policy • Combines matchinggroups and action groups to make routing decisions • When there is no policy match, the regular routing tables are used
  • 11.
    Policy binding • ThePBR policy can be bound to • a virtual router • a zone • an interface • When different policies are configured on different levels, the most specific is used • Interface > Zone > Virtual router
  • 12.
    Enabling PBR • PBRneeds to be enabled individually on every inbound interface • Most people forget to do this, it is very well hidden in the WebUI
  • 13.
  • 14.
    Tips • If atfirst you don’t succeed, use the CLI, the WebUI is pretty error prone • Policies can’t be renumbered. Don’t start with policy id 1, leave some room for future policies • Keep it simple, don’t duplicate the regular routing tables in PBR
  • 15.
    Cross-VR PBR • PBRis restricted to a single virtual router • But there is a trick • Create an action group with only a gateway IP, no interface • Create a /32 route for the gateway IP • Details: http://kb.juniper.net/KB9017
  • 16.
    Bypassing PBR • Usecase: Redirect all HTTP traffic to a proxy, except for the traffic originating from that proxy • There is no “do nothing” action group • An action group always requires at least one action (in NSM) • Solution: route to an interface that is always down, like vlan1.
  • 17.
  • 18.
    Multiple ISPs • Setup: • eth0/0 : Symmetric 2mbit connection for business traffic (default route) • eth0/1 : Assymetric 20mbit DSL connection for web traffic (PBR) • eth0/2 : Internal network
  • 19.
    Multiple ISPs set vroutertrust-vr set access-list extended 1 dst-port 80-80 protocol tcp entry 10 set access-list extended 1 dst-port 443-443 protocol tcp entry 15 set match-group name http_traffic set match-group http_traffic ext-acl 1 match-entry 10 set action-group route_dsl set action-group route_dsl next-interface eth0/1 next-hop 1.2.3.4 action-entry 10 set pbr policy trust-policy set pbr policy trust-policy match-group http_traffic action-group route_dsl 10 set pbr trust-policy set interface ethernet0/2 pbr exit
  • 20.
    Transparent Proxy • Setup: • eth0/0 : Untrust zone • eth0/1 : Proxy zone • eth0/2 : Trust zone
  • 21.
    Transparent Proxy set vroutertrust-vr set access-list extended 1 dst-port 80-80 protocol tcp entry 10 set match-group name http_traffic set match-group http_traffic ext-acl 1 match-entry 10 set action-group route_proxy set action-group route_proxy next-interface eth0/1 next-hop 1.2.3.4 action-entry 10 set pbr policy trust-policy set pbr policy trust-policy match-group http_traffic action-group route_proxy 10 set pbr trust-policy set interface ethernet0/2 pbr exit set policy from Trust to Proxy any any HTTP permit
  • 22.