SRX Services Gateway
Trusted Contributor
Jadmin
Posts: 28
Registered: ‎08-27-2010

Policies and Filters on SRXs. Best practices.


Hi there! 


We're going to replace a Cisco ASA 5510, which interconnects several /24 networks in a branch with several /16 networks in headquarters, with a Juniper SRX240 device. It also provides several NAT rules for Internet access.

Unlike the SRX, the ASA is not a zone-based firewall by itself (or is it?), so all traffic flow control relies on access-lists only. As far as I know, the SRX can control traffic flow between zones by means of security policies or by firewall filters on either ingress or egress interfaces.

Our ASA has at least 100 rules in a single traffic flow direction, and I wonder how to migrate those rules to Junos. My plan is to make some major security policies to control traffic between zones, and some minor firewall filter rules for strict access control. Is that solution acceptable, or is there a better practice? What is the best practice for using policies and filters? Is it better to create and use only security policies, no matter how huge they become, without any use of firewall filters? Or to control traffic only by firewall filters, with security policies set to permit all traffic?

Super Contributor
colemtb
Posts: 311
Registered: ‎09-30-2009

Re: Policies and Filters on SRXs. Best practices.

As "I" understand it... Firewall filters would be packet-based filtering, and policy actually gets into the flow module for First Path / Fast Path lookups that are obviously session based. I would restrict SRX access via PF, and ACLs on the ASA that pertain to service with policy. Is that what you're asking? Anyways, thanks!

Trusted Contributor
SomeITGuy
Posts: 330
Registered: ‎01-08-2010

Re: Policies and Filters on SRXs. Best practices.


Stick with the flow based policies and only add the firewall filters if you have a special case.


By default, JUNOS will not allow traffic between zones, or even between interfaces in the same zone.


If you connect the SRX so that each of those subnets is connected to a different interface in a different zone, building the rules to allow traffic between them should be very easy.


You probably will not need to go down to firewall filters unless you are trying to block access to services on the firewall itself, or are doing QoS/CoS type rules, as those are not currently policy based.

Trusted Contributor
Jadmin
Posts: 28
Registered: ‎08-27-2010

Re: Policies and Filters on SRXs. Best practices.

Well, I guess I should have read the guidance on SRXs more carefully, especially about packet and flow processing.

You're both right on the common point: that PF is usually used to protect the device itself, but also for some packet-based management, and that to protect inter-zone communication one should use security policies.

Packet filtering occurs right after the per-packet policer on the interface but before session lookup. So, theoretically, if I don't want packets from some specific hosts/networks to be processed at all, I can use a packet filter. It should lead to less system resource usage, shouldn't it? If that is true, this approach is quite useful, don't you think?


Trusted Contributor
SomeITGuy
Posts: 330
Registered: ‎01-08-2010

Re: Policies and Filters on SRXs. Best practices.

I don't think you will have to worry about performance levels from the flow-based filters unless you have under-specced the SRX for your needs.


And yes, again the PF can be combined with flow-based filters to protect the device, do QoS/CoS, as well as improve performance or create special types of filtering. However, day-to-day "allow this to that" type stuff is best done with policies.
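A minimal Junos configuration in set-command form that puts the thread's advice together, added here as an illustration (it is not from any poster or from Juniper's documentation): zone-to-zone traffic is controlled by a security policy, while firewall filters are reserved for protecting the device itself and, as Jadmin asks above, for dropping unwanted packets before they reach session lookup. Interface names and prefixes are assumptions.

```junos
## Added example, not from the thread. Assumed layout: ge-0/0/1.0 faces the
## branch LAN 192.0.2.0/24, ge-0/0/2.0 faces HQ 10.0.0.0/16 (both placeholders).

## 1. Zones: put each subnet's interface in its own zone and name the prefixes.
set security zones security-zone branch interfaces ge-0/0/1.0
set security zones security-zone branch address-book address branch-lan 192.0.2.0/24
set security zones security-zone hq interfaces ge-0/0/2.0
set security zones security-zone hq address-book address hq-servers 10.0.0.0/16

## 2. Flow-based security policy (the day-to-day "allow this to that" rules).
##    Only HTTP/HTTPS from the branch to HQ servers is permitted; anything not
##    matched by a policy hits the implicit default deny between zones.
set security policies from-zone branch to-zone hq policy branch-to-hq-web match source-address branch-lan
set security policies from-zone branch to-zone hq policy branch-to-hq-web match destination-address hq-servers
set security policies from-zone branch to-zone hq policy branch-to-hq-web match application [ junos-http junos-https ]
set security policies from-zone branch to-zone hq policy branch-to-hq-web then permit
set security policies from-zone branch to-zone hq policy branch-to-hq-web then log session-close

## 3. Host-inbound traffic: the flow module must also be told which services
##    the device itself may accept in each zone (here: SSH from the HQ side only).
set security zones security-zone hq host-inbound-traffic system-services ssh

## 4. Stateless firewall filter on lo0 (the "special case": protecting the box).
##    Only HQ may reach SSH on the Routing Engine; everything else is logged and
##    discarded. A real filter needs further accept terms (NTP, DNS replies,
##    routing protocols, ...) before the final discard; apply it with "commit confirmed".
set firewall family inet filter protect-re term mgmt-from-hq from source-address 10.0.0.0/16
set firewall family inet filter protect-re term mgmt-from-hq from protocol tcp
set firewall family inet filter protect-re term mgmt-from-hq from destination-port ssh
set firewall family inet filter protect-re term mgmt-from-hq then accept
set firewall family inet filter protect-re term discard-rest then log
set firewall family inet filter protect-re term discard-rest then discard
set interfaces lo0 unit 0 family inet filter input protect-re

## 5. Ingress filter on the branch interface: packets whose source is not the
##    branch prefix are dropped before session lookup, so they never cost a
##    flow-table entry or a policy evaluation.
set firewall family inet filter branch-in term from-branch-only from source-address 192.0.2.0/24
set firewall family inet filter branch-in term from-branch-only then accept
set firewall family inet filter branch-in term drop-spoofed then discard
set interfaces ge-0/0/1 unit 0 family inet filter input branch-in
```

Verify the result with `show security policies` and `show firewall` after committing; a lo0 filter that is too strict is the classic way to lock yourself out of management, which is why the confirmed commit matters.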

Trusted Contributor
Jadmin
Posts: 28
Registered: ‎08-27-2010

Re: Policies and Filters on SRXs. Best practices.

Well, thank you. Now I have a clearer understanding of the principles of using policies/filters on the SRX.
