SRX Services Gateway
Visitor
john_wroblewski@dell.com
Posts: 3
Registered: ‎04-26-2011

SRX antivirus checking

I have a customer that does not want to place his demo SRX 240 into his network but wants to see how the UTM policies function on the system. He has run a port mirror on one of his devices and wants to stream the mirrored traffic to the SRX port ge-0/0/0 in the untrust zone. He would then like to see the AV and AS statistics. I have told him that the traffic would need to cross zones and run through the FW policies to indicate any suspect traffic. Is there another way to check the security policies from a stream mirrored by another device into the SRX?

Recognized Expert
rasmus
Posts: 378
Registered: ‎02-28-2010

Re: SRX antivirus checking

You can use port mirroring along with the next-hop feature to hand the mirrored traffic over to a directly connected demo firewall ...

The demo firewall should have a routing table that ensures the traffic traverses from one zone to another ... to ensure IDP operation.

regards

Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Contributor
vizmur
Posts: 23
Registered: ‎01-03-2011

Re: SRX antivirus checking

rasmus, do you think it is really possible for such a duplicate firewall to receive packets not destined to it? Any comment?
Recognized Expert
rasmus
Posts: 378
Registered: ‎02-28-2010

Re: SRX antivirus checking

[edit forwarding-options]

port-mirroring {
    input {
        rate 1;
        run-length 10;
    }
    family inet {
        output {
            interface ge-0/0/1.0 {
                next-hop 2.2.2.1;
            }
        }
    }
}

 

SRX supports L3 packet mirroring, i.e. using the "next-hop" option, which bypasses local routing-table lookups and forwards the mirrored traffic to any L3 device (e.g. a Wireshark machine, or maybe another SRX as required in this scenario) ...

 

ref: http://kb.juniper.net/InfoCenter/index?page=content&id=KB21833&actp=RSS

 

regards

Hafiz Muhammad Farooq
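For the receiving side of the setup rasmus describes, here is an added illustration (not from the thread and not Juniper's own reference configuration) of what the demo SRX needs so that the mirrored copies are forced across zones and hit a UTM-enabled policy. Every address, zone name, profile name and subnet below is an assumption chosen for the example: the mirrored copies arrive on ge-0/0/0 in untrust, the server side of the mirrored flows is assumed to be 10.1.0.0/16, and a static route sends that subnet out of a trust interface so the first packet of each copied flow has an untrust-to-trust route lookup. An AV/AS license is assumed to be installed, since the predefined junos-av-defaults and junos-as-defaults profiles do nothing without one.

```junos
# Added example configuration for the receiving (demo) SRX 240. Assumed addressing:
#   ge-0/0/0.0  192.0.2.1/24     zone untrust  <- mirrored copies arrive here
#   ge-0/0/1.0  198.51.100.1/24  zone trust    <- route for the server side points here
#   10.1.0.0/16                  assumed server side of the mirrored flows
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

# Force the copies to cross zones: the only route to the server side is via trust.
# 198.51.100.2 is an assumed next hop; nothing has to answer there for a demo,
# the point is that the route lookup resolves to a trust interface.
set routing-options static route 10.1.0.0/16 next-hop 198.51.100.2

# One UTM policy binding the predefined AV (HTTP) and anti-spam (SMTP) profiles.
set security utm utm-policy demo-utm anti-virus http-profile junos-av-defaults
set security utm utm-policy demo-utm anti-spam smtp-profile junos-as-defaults

# Untrust -> trust policy that permits the copied flows and attaches the UTM policy.
set security policies from-zone untrust to-zone trust policy inspect-mirror match source-address any
set security policies from-zone untrust to-zone trust policy inspect-mirror match destination-address any
set security policies from-zone untrust to-zone trust policy inspect-mirror match application any
set security policies from-zone untrust to-zone trust policy inspect-mirror then permit application-services utm-policy demo-utm
set security policies from-zone untrust to-zone trust policy inspect-mirror then log session-init session-close
commit

# Checks: sessions should appear for the mirrored flows, and the UTM counters should move.
run show security flow session
run show security utm anti-virus statistics
run show security utm anti-spam statistics
```

The first check to make is in `show security flow session`: the SRX is a stateful device, so AV and anti-spam scanning need both halves of a TCP conversation to be matched to one session. With a mirror, the server-to-client half also arrives on ge-0/0/0 rather than on the trust side, so confirm that those packets are being counted on the existing sessions instead of being dropped before you draw any conclusions from the UTM statistics.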

Visitor
john_wroblewski@dell.com
Posts: 3
Registered: ‎04-26-2011

Re: SRX antivirus checking

Hafiz, if I'm understanding this correctly, this will allow a second device to show various UTM statistics, but not the original device to which the input stream is being sent from the customer network.

 

 Thanks for the response.

 

 John

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.