Introduction

This is a reminder for me of where to find the commands, because there is a bug in the web GUI that means whenever you try to apply an action-group it implements it with a next-hop address and a next-hop interface, which means it doesn’t work!

Configuration

From the CLI:

Enable PBR for the ingress interface under the VR using the following commands:

set vr trust
set interface <interface> pbr
exit

The remaining question was where to apply the valid configuration shown below. The answer turned out to be fairly simple: it also needs to be entered under the “set vr trust” command. Once you type this command the shell switches to “(trust-vr)(M)->” mode, and in that mode you can run get pbr commands and, of course, set the pbr configuration, as in the valid config below.

set vr trust

Example of a valid PBR configuration:

set access-list extended 10 src-ip X.X.X.X/32 entry 1
set match-group name test
set match-group match ext-acl 10 match-entry 1
set action-group name pbr_to_dmz
set action-group pbr_to_dmz next-hop X.XX.X.XX action-entry 1
set pbr policy name pbr_policy
set pbr policy pbr_policy match-group test action-group pbr_to_dmz 1
exit
set interface ethernet2/4 pbr pbr_policy
set zone Trust pbr pbr_policy
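As an added example (not code from the original post), here is a small Python audit of the relevant set lines from a ScreenOS config dump: it flags an action-entry that carries both a next-hop and a next-interface (the result the GUI bug above produces), policy rules that reference undefined match-groups or action-groups, and policies that are never bound to an interface or zone. The next-interface keyword and the sample config are assumptions, not taken from the post.

```python
import re

# Constructed sample (not from the post): the post's working PBR setup, plus an action-entry
# of the kind the post says the GUI produces, and an unbound policy referencing an undefined group.
SAMPLE_CONFIG = """\
set match-group name test
set match-group match ext-acl 10 match-entry 1
set action-group name pbr_to_dmz
set action-group pbr_to_dmz next-hop 10.2.2.1 action-entry 1
set action-group name gui_made
set action-group gui_made next-hop 10.2.2.1 next-interface ethernet2/3 action-entry 1
set pbr policy name pbr_policy
set pbr policy pbr_policy match-group test action-group pbr_to_dmz 1
set pbr policy name orphan
set pbr policy orphan match-group nosuch action-group gui_made 1
set interface ethernet2/4 pbr pbr_policy
"""

MG_DEF = re.compile(r"^set match-group name (\S+)$")
AG_DEF = re.compile(r"^set action-group name (\S+)$")
AG_ENTRY = re.compile(r"^set action-group (\S+) (.+) action-entry (\d+)$")
POL_DEF = re.compile(r"^set pbr policy name (\S+)$")
POL_RULE = re.compile(r"^set pbr policy (\S+) match-group (\S+) action-group (\S+) \d+$")
BIND = re.compile(r"^set (?:interface|zone) \S+ pbr (\S+)$")

def audit_pbr(config: str) -> list:
    """Return findings for a ScreenOS PBR config; an empty list means it is internally consistent."""
    mgs, ags, pols, bound, rules, findings = set(), set(), set(), set(), [], []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := MG_DEF.match(line):
            mgs.add(m[1])
        elif m := AG_DEF.match(line):
            ags.add(m[1])
        elif m := AG_ENTRY.match(line):
            # The GUI bug from the post: both a next-hop and a next-interface on one entry
            # ("next-interface" is the assumed keyword; verify it against your ScreenOS release).
            if {"next-hop", "next-interface"} <= set(m[2].split()):
                findings.append(f"action-group {m[1]} entry {m[3]}: both next-hop and next-interface set")
        elif m := POL_DEF.match(line):
            pols.add(m[1])
        elif m := POL_RULE.match(line):
            rules.append((m[1], m[2], m[3]))
        elif m := BIND.match(line):
            bound.add(m[1])
    for pol, mg, ag in rules:  # every referenced group must be defined under the same vrouter
        for kind, name, defined in (("match-group", mg, mgs), ("action-group", ag, ags)):
            if name not in defined:
                findings.append(f"policy {pol}: {kind} {name} is not defined")
    for pol in sorted(pols - bound):  # a policy does nothing until bound to an interface or zone
        findings.append(f"policy {pol}: defined but not bound to any interface or zone")
    return findings
```

Paste the output of the device's config dump into audit_pbr; anything it returns is worth checking before assuming the PBR policy is in effect.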
Reference: ScreenOS Policy-Based Routing Commands (Software Version 6.3.0.1.0.0.0.0)