ScreenOS Configure Backup Internet Interface with Automatic Failover

Version: 6.0 and higher
Network Topology:
Two firewall interfaces configured in the untrust zone, one for each internet service provider.
You can set up a second internet service as a configured backup line for use during a failure on the primary line. This uses the interface backup and track-ip features of ScreenOS 6.

Failover then happens automatically during the outage.

This example assumes that ethernet0/0 is the current primary interface while ethernet0/1 is the new service interface.

Set up the new service interface

Assign the IP address and the untrust zone to ethernet0/1, or set up DHCP on this interface for the new carrier.


If this is a static configuration, add the second default route to the carrier-provided address out ethernet0/1. With DHCP this route is added automatically.


Establish the backup and primary interfaces.




Select Primary interface ethernet0/0

Select Backup interface ethernet0/1

Select Track-ip

Hit Apply



set interface ethernet0/0 backup interface ethernet0/1 type track-ip

Set up Track-ip Monitoring to detect failure

Create the track-ip on interface ethernet0/0.


This is an internet IP address that the interface pings; when the interface can no longer ping it, the interface is considered down. A good choice is the service provider DNS server for this line.




Edit ethernet0/0

Monitor tab

Select enable track-ip

Hit Apply


Hit Add Monitor track ip

Enter ip address to ping (Carrier DNS)



set interface ethernet0/0 monitor track-ip ip

set interface ethernet0/0 monitor track-ip ip <carrier DNS IP address>


Look at the interface list and observe that the primary line is up and the backup interface is down.
Disconnect the primary interface cable and observe the change in status on the interfaces.
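
The static-address case of the procedure above as one CLI session, added here as an example and not taken from the original page. The addresses are constructed documentation values (203.0.113.0/30 for the new carrier link, 198.51.100.53 for the carrier DNS server); lines starting with # are annotations, not CLI input.

```text
# New service interface: zone and static address (constructed values)
set interface ethernet0/1 zone Untrust
set interface ethernet0/1 ip 203.0.113.2/30

# Second default route out ethernet0/1 (static case only; DHCP adds it automatically)
set route 0.0.0.0/0 interface ethernet0/1 gateway 203.0.113.1

# ethernet0/1 backs up ethernet0/0, with track-ip as the trigger
set interface ethernet0/0 backup interface ethernet0/1 type track-ip

# Enable track-ip on the primary interface, then add the address to ping
set interface ethernet0/0 monitor track-ip ip
set interface ethernet0/0 monitor track-ip ip 198.51.100.53

# Check the interface list: primary up, backup down
get interface

# Keep the configuration across reboots
save
```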


ScreenOS Concepts and Examples Guide

Volume 2 Fundamentals
Chapter 3 Interfaces
Configuring Backup Interfaces
