12-05-2011 11:09 AM
I have a customer that does not want to place his demo SRX 240 into his network but wants to see how the UTM policies function on the system. He has run a port mirror on one of his devices and wants to stream the mirrored traffic to the SRX
port ge-0/0/0 in the untrust zone. He would then like to see the AV and AS statistics. I have told him that the traffic would need to cross zones and run through the FW policies to indicate any suspect traffic. Is there another way to check the security policies from a stream mirrored by another device into the SRX?
12-09-2011 07:34 AM
12-09-2011 09:35 PM
You can use port-mirroring along with the next-hop feature to hand over this mirrored traffic to a directly connected demo firewall ...
The demo firewall should have a routing table to ensure its traversal from one zone to another ... to ensure IDP operation.
regards
12-10-2011 01:54 AM
12-10-2011 08:08 AM
[edit forwarding-options]
port-mirroring {
    input {
        rate 1;
        run-length 10;
    }
    family inet {
        output {
            interface ge-0/0/1.0 {
                next-hop 2.2.2.1;
            }
        }
    }
}
SRX supports L3 packet mirroring, i.e. using the "next-hop" option, which bypasses local routing table lookups and forwards the mirrored traffic to any L3 device (e.g. a Wireshark machine or maybe another SRX, as required in this scenario) ...
ref: http://kb.juniper.net/InfoCenter/index?page=conten
regards
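For the receiving side of the setup Hafiz describes (mirrored traffic handed to 2.2.2.1 on the demo firewall), the following is an added example configuration for the demo SRX, not code from this thread or from Juniper. It puts the receiving interface in untrust, a second interface in trust, a static route so the mirrored flows are forwarded across the zone boundary, and an untrust-to-trust policy that hands matching sessions to a UTM policy built from the predefined AV and anti-spam profiles. All interface addresses, the sink host 10.10.10.2, and the names demo-utm and mirror-inspect are assumptions for this example.

```junos
# Demo SRX (assumed addressing). ge-0/0/0 receives the mirrored stream from
# the sending SRX whose port-mirroring next-hop is 2.2.2.1.
set interfaces ge-0/0/0 unit 0 family inet address 2.2.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.1/24

# Zone placement: mirrored traffic enters untrust and must leave via trust
# so that it crosses zones and is evaluated by a security policy.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

# Static route: mirrored packets keep their original destination addresses,
# so send everything toward an assumed sink host on the trust side that
# simply discards it. Without a route the flow cannot traverse the zones.
set routing-options static route 0.0.0.0/0 next-hop 10.10.10.2

# UTM policy assembled from the predefined Juniper AV and anti-spam profiles.
set security utm utm-policy demo-utm anti-virus http-profile junos-av-defaults
set security utm utm-policy demo-utm anti-virus ftp download-profile junos-av-defaults
set security utm utm-policy demo-utm anti-virus smtp-profile junos-av-defaults
set security utm utm-policy demo-utm anti-spam smtp-profile junos-as-defaults

# Zone-crossing policy that permits the mirrored flows and attaches the UTM policy.
set security policies from-zone untrust to-zone trust policy mirror-inspect match source-address any
set security policies from-zone untrust to-zone trust policy mirror-inspect match destination-address any
set security policies from-zone untrust to-zone trust policy mirror-inspect match application any
set security policies from-zone untrust to-zone trust policy mirror-inspect then permit application-services utm-policy demo-utm
set security policies from-zone untrust to-zone trust policy mirror-inspect then log session-init session-close

# Operational commands to confirm sessions are being built and to read the
# AV / AS counters the customer wants to see.
run show security flow session
run show security utm anti-virus statistics
run show security utm anti-spam statistics
```

Two points to verify on the lab box, both assumptions rather than anything stated in the thread: the customer's SPAN session should carry both directions of each connection, since the SRX flow module only inspects traffic for which it has a complete session, and the sink host on the trust side should be something that quietly drops what it receives, because the demo unit will genuinely forward the mirrored copies onward.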
12-14-2011 08:36 AM
Hafiz, if I'm understanding this correctly, this will allow a 2nd device to show various UTM statistics but not the original device where the input stream is being sent from the customer network.
Thanks for the response.
John