Contributor
khaled.kamal
Posts: 12
Registered: ‎01-13-2012

AppSecure in SRX240H

Hello Everyone,

 

I believe that the AppSecure feature in the SRX firewalls is a game changer for Juniper.

 

However, I cannot seem to get it working properly, especially with Skype, Ultraserve, and Hotshield. Did anyone come across such an implementation and succeed?

 

Also, can I create a custom application signature? How can I do so, if possible?

 

Thanks in advance :)

 

Khaled
Contributor
khaled.kamal
Posts: 12
Registered: ‎01-13-2012

Re: AppSecure in SRX240H

Guys! Any help will be appreciated!!!

Khaled
Recognized Expert
ronf
Posts: 251
Registered: ‎04-04-2011

Re: AppSecure in SRX240H

This feature is pretty new to the smaller line of SRX firewalls. I would be surprised if it worked very well yet. Juniper is pretty far behind on the application firewall features on the smaller products. I believe they will catch up and have a good product, but I would not use it in a production environment yet.

Ron
JNCIE-SEC #127
Contributor
Hedia
Posts: 93
Registered: ‎05-28-2008

Re: AppSecure in SRX240H

Hello,

 

Keep dreaming if you want the same feature set as Palo Alto in this area...

 

PS: It seems that Juniper put AppSecure on top of IDP, which is already a nightmare.

PS: As far as I know, AppSecure is NOT supported on low-end (including SRX 240) platforms.

Regards,

 

Hedi

Contributor
khaled.kamal
Posts: 12
Registered: ‎01-13-2012

Re: AppSecure in SRX240H

Thank you very much, Ron, for your reply. I was actually able to block http and ftp ONLY; it is surprising that Juniper would make such a fuss out of something that is not working properly! Do you know if AppSecure works properly on the high-end models (1400, 3000s, and 5000s)?

 

Khaled
Contributor
khaled.kamal
Posts: 12
Registered: ‎01-13-2012

Re: AppSecure in SRX240H

Hedia,

 

That is very frustrating, man, but AppSecure is "officially" supported on the branch models (100, 200, 500, 600s); it is on the pricelist and they issued a datasheet for it too (http://www.juniper.net/elqNow/elqRedir.htm?ref=http://www.juniper.net/us/en/local/pdf/datasheets/100...

 

Thanks anyway...

Khaled
Contributor
Hedia
Posts: 93
Registered: ‎05-28-2008

Re: AppSecure in SRX240H

Hello,

You are right! After playing with SRX for more than 2 years (opening more tickets than all the brands together), I give up on this platform...
By the way, ALL my PA firewalls are able to block ALL kinds of traffic on ANY port number...
It seems that you CANNOT speak about the same story...

Regards,

Hedi
Contributor
jspanitz
Posts: 216
Registered: ‎08-02-2011

Re: AppSecure in SRX240H


khaled.kamal wrote:

I was actually able to block http and ftp ONLY

Can you elaborate? Do you mean all the AppFW policies only work on port 80 and 21? We are looking at the SRX line and at this point we are getting very gun-shy, as it seems everyone here hates them. I've seen only a few positive responses, and it's only when you are doing basic port firewalling. We've got that now with our ASAs.

 

Our initial thoughts were keeping SSL VPN, NAC and Firewall all Juniper would allow us to do some really slick rules across devices, but now I am thinking SSL VPN and NAC may be the limit of what we want to integrate. 

Recognized Expert
ronf
Posts: 251
Registered: ‎04-04-2011

Re: AppSecure in SRX240H

In the application firewalling department, Palo Alto is certainly king. I do still like the SRX for standard port-based firewalling, and as an IPSec VPN platform. With the ability to do multiple routing-instances, plenty of interfaces, and a great CLI, they do make a nice platform for some applications.

Ron
JNCIE-SEC #127
Contributor
khaled.kamal
Posts: 12
Registered: ‎01-13-2012

Re: AppSecure in SRX240H


jspanitz wrote:

khaled.kamal wrote:

I was actually able to block http and ftp ONLY

Can you elaborate? Do you mean all the AppFW policies only work on port 80 and 21?

 



I mean when I apply AppFW on "Junos-http" or "Junos-ftp" it actually blocks all the http and all the ftp traffic. However, any other application block rule does not block that specific application. For example, and this is really basic, blocking video streaming does not work. Blocking "Skype" also does not work...!!!

 

I can't believe that this is it for Juniper. How can I buy an AppSecure license and not get my money's worth for that!!!!

 

I have been trying Cyberoam for application blocking, and it is surprisingly working just fine till now! Has anyone tried Cyberoam?

 

Khaled