Product: ScreenOS
Version: 6.0 and higher
Network Topology
Two firewall interfaces are configured in the untrust zone, one for each internet service provider, using ethernet0/0 and ethernet0/1.
Description:
You can set up a second internet service as a configured backup line for use when the primary line fails. This uses the interface backup and track-ip features of ScreenOS 6, which perform the failover automatically during the outage. This example assumes that ethernet0/0 is the current primary interface and ethernet0/1 is the new service interface.
Configuration:
Set up the new service interface
Add the IP address and untrust zone to ethernet0/1, or set up DHCP on this interface for the new carrier.
If this is a static configuration, add the second default route to the carrier-provided address out ethernet0/1. With DHCP this route is added automatically.
Establish the backup and primary interfaces.
Web
Network–Interfaces–Backup
Select Primary interface ethernet0/0
Select Backup interface ethernet0/1
Select Track-ip
Hit Apply
CLI
set interface ethernet0/0 backup interface ethernet0/1 type track-ip
Set up track-ip monitoring to detect failure
Create the track-ip on interface ethernet0/0. This is an internet IP address; when the interface can no longer ping it, the interface is considered down. A good choice is the service provider's DNS server for this line.
Web
Network–Interfaces–List
Edit ethernet0/0
Monitor tab
Select enable track-ip
Hit Apply
Hit Add Monitor track ip
Enter ip address to ping (Carrier DNS)
CLI
set interface ethernet0/0 monitor track-ip ip
set interface ethernet0/0 monitor track-ip ip 1.1.1.1
Verification:
Look at the interface list and observe that the primary line is up and the backup interface is down.
Disconnect the primary interface cable and observe the change in status on the interfaces.
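An added example, not part of the original post or any Juniper tooling: a Python check that a saved configuration contains every step of the procedure above (backup pairing, track-ip enabled, a track-ip address, and a default route on the backup line). The sample configuration, its documentation-range addresses, the zone, ip and `set route` line forms, and the function name `audit_failover` are assumptions.

```python
import re

# Constructed sample config (not from the original page). Addresses are
# documentation-range placeholders; 1.1.1.1 is the page's example track target.
SAMPLE_CONFIG = """\
set interface ethernet0/0 zone Untrust
set interface ethernet0/0 ip 198.51.100.2/30
set interface ethernet0/1 zone Untrust
set interface ethernet0/1 ip 203.0.113.2/30
set route 0.0.0.0/0 interface ethernet0/0 gateway 198.51.100.1
set route 0.0.0.0/0 interface ethernet0/1 gateway 203.0.113.1
set interface ethernet0/0 backup interface ethernet0/1 type track-ip
set interface ethernet0/0 monitor track-ip ip
set interface ethernet0/0 monitor track-ip ip 1.1.1.1
"""

BACKUP = re.compile(r"^set interface (\S+) backup interface (\S+) type track-ip$")
ENABLE = re.compile(r"^set interface (\S+) monitor track-ip ip$")
TARGET = re.compile(r"^set interface (\S+) monitor track-ip ip (\d+\.\d+\.\d+\.\d+)$")
ROUTE = re.compile(r"^set route 0\.0\.0\.0/0 interface (\S+) gateway \S+")

def audit_failover(config, dhcp_backup=False):
    """Return a list of findings; an empty list means every step is present."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    pairs = [m.groups() for l in lines if (m := BACKUP.match(l))]
    enabled = {m.group(1) for l in lines if (m := ENABLE.match(l))}
    targets = {m.group(1) for l in lines if (m := TARGET.match(l))}
    routed = {m.group(1) for l in lines if (m := ROUTE.match(l))}
    if not pairs:
        return ["no 'backup interface ... type track-ip' line found"]
    findings = []
    for primary, backup in pairs:
        # Both the enable line and at least one address are needed on the primary.
        if primary not in enabled:
            findings.append(f"{primary}: track-ip monitoring is not enabled")
        if primary not in targets:
            findings.append(f"{primary}: no track-ip address configured")
        # A DHCP-addressed backup gets its default route automatically.
        if not dhcp_backup and backup not in routed:
            findings.append(f"{backup}: no static default route for the backup line")
    return findings

if __name__ == "__main__":
    for finding in audit_failover(SAMPLE_CONFIG) or ["failover configuration complete"]:
        print(finding)
```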
References:
ScreenOS Concepts and Examples Guide
http://www.juniper.net/techpubs/software/screenos/screenos6.2.0/index.html
Volume 2 Fundamentals
Chapter 3 Interfaces
Configuring Backup Interfaces
Originally Posted May 22, 2011
Last Revised on May 22, 2011
Tue July 24, 2012, 06:15:39
Greetings,
I’m a network engineer in the Netherlands specialized in design and security, working for an ISP. So I got handed the following 3-part problem from a customer:
Is it possible to do a 2-ISP failover on a single SSG-5b from Juniper (yes, with the current factory version), what would I need as a configure option (either track-ip or monitor-ip) and finally, if line A goes down, is it possible to have a check on line A for x amount of time (e.g. 3 hrs) and to switch back to line A only if that line hasn’t gone down again in those 3 hrs. If that is the case, then the timecounter would be reset to 0 and start itself again with checking line A.
The first 2 parts I was able to answer quickly, but I’m a Cisco guy myself (CCNP and CCNA Sec currently), with a few bits of knowledge of the SSG-5b, SSG-140 and SRX-100, so the third part has baffled me for a couple of days now. My question(s) is(are) the following: is this at all possible, and if so, how do you configure such a failover?
Kind regards, thanks in advance.
Sivard Cardoze
DSD Automatisering BV
Deurne, The Netherlands
Sun October 27, 2013, 16:24:53
Have you tested this? I’ve just tested it on WI 5.1.1 and some of the screens look crap due to some bitmap sizes that don’t fit :-/ I’ve got to try it on other WI installations to see if it’s just an accident or a bug
Thu December 18, 2014, 05:00:50
Dear Puluka,
Your tutorial works fine with my ScreenOS SSG 140. But the issue I am facing is that it does not automatically switch back to the primary link when my primary link is restored. Ultimately I have to unplug my backup link cable, and then it switches back to the primary link. Tell me the solution; I want all of this to be automatic.
Please reply to me urgently. Thanks & Regards,
Kamran
Wed October 28, 2015, 21:55:35
Have you tested this? I’ve just tested it on WI 5.1.1 and some of the screens look crap due to some bitmap sizes that don’t fit :-/ I’ve got to try it on other WI installations to see if it’s just an accident or a bug
Sat October 31, 2015, 05:34:05
These configurations were used in production and testing but in ScreenOS version 6.0 and above.
Not sure if this feature is in the ScreenOS 5 chain.
Steve
Hi… I am trying to set up an SSG140 ver 6.0.0r7.0
I can set these commands…
set interface ethernet0/0 monitor track-ip ip
set interface ethernet0/0 monitor track-ip ip 1.1.1.1
But I cannot set the command below
set interface ethernet0/0 backup interface ethernet0/1 type track-ip
There is no “backup” word
How can I set it?
My configs and examples are all done using ScreenOS 6.3
So I assume you would need to upgrade to use the feature.
Steve