FortiGate
kyoneda1
Staff
Article Id 383156
Description

This article explains how to add a policy route that uses an FQDN as the destination for explicit proxy traffic.

Scope

FortiGate v7.2.x, v7.4.x, v7.6.x

Solution

Using explicit proxy in conjunction with FQDN destinations is a common practice in local breakout scenarios.

Below is a general example of configuring a policy route using an FQDN as the destination.

  1. Creation of Policy Route:

From the GUI:

  • Go to Network -> Policy Routes.
  • Select '+Create New'.
  • Add the FQDN address objects in the 'Destination Address' field.
  • Select the 'Outgoing interface'.
  • Add the 'Gateway address'.
  • Select 'OK' to save the changes.

[Screenshot: proute.png]

From the CLI:

config router policy
    edit 1
        set dstaddr "wildcard.google.com"
        set gateway 10.111.29.254
        set output-device "port1"
    next
end

To verify the policy route, run 'diag firewall proute list':

diag firewall proute list
list route policy info(vf=root):

id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any)
path(1): oif=3(port1) gwy=10.111.29.254
destination fqdn(1):
        *.google.com ID(55) ADDR(108.177.97.84)
source wildcard(1): 0.0.0.0/0.0.0.0
hit_count=3033 rule_last_used=2025-03-19 19:17:25

  2. Creation of Static Route:

To use policy routes for explicit proxy (local-out) traffic, a valid route must be present in the routing table to bind the outgoing interface (oif).

Configure a route with the same administrative distance (AD) as the existing default route but with a different priority, as follows.

If there is no route entry matching the oif and the destination, the connection fails in the same way as a network-unreachable case.

This route is used solely to bind the interface. Give it a less-preferred priority (a higher priority value, since FortiOS prefers the lower value) so that it does not affect the primary default route.

From the GUI:

  • Go to Network -> Static Routes.
  • Select '+Create New'.
  • Select 'Subnet' in the 'Destination' field and enter '0.0.0.0/0.0.0.0'.
  • Select 'Specify' in the 'Gateway Address' field and enter the gateway address.
  • Open the 'Advanced Option' section and change 'Priority' from '1' to '10'.
  • Select 'OK' to save the changes.

[Screenshot: proute2.png]

From the CLI:

config router static
    edit 10
        set gateway 10.111.29.254
        set priority 10
        set device "port1"
    next
end

With this additional default static route, the routing table holds a valid route to the next hop 10.111.29.254 via port1. This is what the policy route needs in order to forward explicit proxy traffic out port1.

get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       V - BGP VPNv4
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 172.16.101.1, port8, [1/0]
                  [10/0] via 10.111.29.254, port1, [10/0]
S       10.0.0.0/8 [10/0] via 10.111.29.254, port1, [1/0]
C       10.111.28.0/23 is directly connected, port1
C       172.16.101.0/24 is directly connected, port8
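The binding requirement described under step 2 (a routing-table entry on the policy route's oif and next hop that covers the destination address) and the priority caveat can be checked mechanically from the two outputs above. The script below is an added example written for this article; it is not Fortinet code and not a FortiOS command. It parses 'diag firewall proute list' and 'get router info routing-table all' output (embedded here as constructed samples copied from the sessions shown on this page) and reports, for each policy-route path and resolved FQDN address, whether such a route exists and whether the binding default route is less preferred than the primary one. It assumes the output layouts shown on this page, in particular that the first number in the trailing bracket of a routing-table line is the route priority (the priority-10 route shows [10/0]).

```python
import ipaddress
import re

# Constructed sample output, modelled on the article's 'diag firewall proute list'
# and 'get router info routing-table all' sessions.
PROUTE_OUTPUT = """\
list route policy info(vf=root):

id=1(0x01) dscp_tag=0xfc 0xfc flags=0x0 tos=0x00 tos_mask=0x00 protocol=0 port=src(0->0):dst(0->0) iif=0(any)
path(1): oif=3(port1) gwy=10.111.29.254
destination fqdn(1):
        *.google.com ID(55) ADDR(108.177.97.84)
source wildcard(1): 0.0.0.0/0.0.0.0
hit_count=3033 rule_last_used=2025-03-19 19:17:25
"""

ROUTING_TABLE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 172.16.101.1, port8, [1/0]
                  [10/0] via 10.111.29.254, port1, [10/0]
S       10.0.0.0/8 [10/0] via 10.111.29.254, port1, [1/0]
C       10.111.28.0/23 is directly connected, port1
C       172.16.101.0/24 is directly connected, port8
"""

ID_RE = re.compile(r"^id=(?P<id>\d+)\(")
PATH_RE = re.compile(r"oif=\d+\((?P<oif>[^)]+)\)\s+gwy=(?P<gwy>\d+(?:\.\d+){3})")
FQDN_RE = re.compile(r"^\s+(?P<name>\S+)\s+ID\(\d+\)\s+ADDR\((?P<addr>[^)]+)\)")
# Routing-table line: "<code> <prefix> [AD/metric] via <gw>, <dev>, [priority/weight]".
# Assumption: the first number of the trailing bracket is the route priority; extra
# next hops for the same prefix follow on indented lines.
PREFIX_RE = re.compile(r"^(?P<code>\S+)\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+(?P<rest>.*)$")
VIA_RE = re.compile(r"\[(?P<ad>\d+)/\d+\]\s+via\s+(?P<gw>\d+(?:\.\d+){3}),\s+(?P<dev>[^,\s]+),\s+\[(?P<prio>\d+)/\d+\]")
CONNECTED_RE = re.compile(r"is directly connected,\s+(?P<dev>\S+)")


def parse_proute(text):
    """Return one dict per policy route: {id, paths: [(oif, gwy)], fqdn: [(name, addr)]}."""
    policies, cur = [], None
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:
            cur = {"id": int(m.group("id")), "paths": [], "fqdn": []}
            policies.append(cur)
        elif cur is not None:
            p, f = PATH_RE.search(line), FQDN_RE.match(line)
            if p:
                cur["paths"].append((p.group("oif"), p.group("gwy")))
            if f:
                cur["fqdn"].append((f.group("name"), f.group("addr")))
    return policies


def parse_routing_table(text):
    """Return one dict per next hop: {prefix, gw, dev, ad, priority}; gw is None if connected."""
    routes, prefix = [], None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            prefix, rest = m.group("prefix"), m.group("rest")
        elif line.startswith(" ") and prefix:
            rest = line.strip()  # additional next hop of the previous prefix
        else:
            continue
        v, c = VIA_RE.search(rest), CONNECTED_RE.search(rest)
        if v:
            routes.append({"prefix": prefix, "gw": v.group("gw"), "dev": v.group("dev"),
                           "ad": int(v.group("ad")), "priority": int(v.group("prio"))})
        elif c:
            routes.append({"prefix": prefix, "gw": None, "dev": c.group("dev"), "ad": 0, "priority": 0})
    return routes


def check_binding(policies, routes):
    """For each policy-route path and resolved FQDN address, look for a routing-table entry on
    the same device and next hop whose prefix covers the address. Without one, the local-out
    (explicit proxy) session fails as if the network were unreachable."""
    findings = []
    for pol in policies:
        for oif, gwy in pol["paths"]:
            for name, addr in pol["fqdn"]:
                via = [(r["prefix"], r["priority"]) for r in routes
                       if r["dev"] == oif and r["gw"] == gwy
                       and ipaddress.ip_address(addr) in ipaddress.ip_network(r["prefix"], strict=False)]
                findings.append({"policy": pol["id"], "fqdn": name, "addr": addr, "oif": oif,
                                 "gwy": gwy, "bound": bool(via), "via": via})
    return findings


def binding_default_is_backup(routes, oif, gwy):
    """True when the binding default route via (oif, gwy) has a higher priority number than
    every other default route; FortiOS prefers the lower value, so the primary is unaffected."""
    defaults = [r for r in routes if r["prefix"] == "0.0.0.0/0" and r["gw"] is not None]
    mine = [r["priority"] for r in defaults if (r["dev"], r["gw"]) == (oif, gwy)]
    others = [r["priority"] for r in defaults if (r["dev"], r["gw"]) != (oif, gwy)]
    return bool(mine) and bool(others) and min(mine) > min(others)


if __name__ == "__main__":
    rts = parse_routing_table(ROUTING_TABLE)
    print(check_binding(parse_proute(PROUTE_OUTPUT), rts))
    print("binding default is backup:", binding_default_is_backup(rts, "port1", "10.111.29.254"))
```

Paste real CLI output into PROUTE_OUTPUT and ROUTING_TABLE, or hand the captured text to the two parse functions directly. A finding with bound=False is the network-unreachable failure described under step 2, and binding_default_is_backup returning False means the added route would compete with, rather than sit behind, the primary default route.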