4 Replies Latest reply on Oct 20, 2010 4:58 PM by mgb2

    Policy route not working

      On our SG720, we have our internal network, plus two internet connections.  One is a T-1, which is set as our preferred gateway.  The other is a DSL line, which is not set as preferred.  We want our default traffic to go via the T-1, which it does.  I want web browsing to go out via DSL. 

       

      I set up a policy route of type 'forward' for internal network traffic to any destination, of type 'web' to use the DSL gateway port.  But watching packet captures, this traffic continues to go out through the T-1.

       

      BTW, I have another policy route in place for a third connection that routes based on the destination address, and it works fine. 

        • 1. Re: Policy route not working

          If the access control proxy is activated, you will need a rule of type OUTPUT.

          • 2. Re: Policy route not working

            I turned off Access Control, but it didn't seem to make any difference.  I also changed the rule to an OUTPUT type, with no luck.

            • 3. Re: Policy route not working

              I can't think of any other reason this will fail without seeing some further diagnostics.

               

              Are you able to contact support and provide them with the diagnostics?

              • 4. Re: Policy route not working

                After a little more digging, I discovered a few more items of interest.

                 

                1)  I had an error in my route configuration, which prevented it from working even when access control was turned off.  I corrected that, and was able to create a policy for HTTP traffic that works with access control off. 

                 

                2)  The only routing policies that don't work correctly with access control turned on are for HTTP traffic.  It appears that Access Control operates before policy routes, and as I had enabled access control and the web protection service, the traffic was being sent out to the web protection service proxy directly.

                 

                That led to a sudden realization that the web protection service was being accessed on port 8080.  I added that to my policy route, and it all appears to be working.