SRX

  • 1.  Strategies for NAT and Policy configuration on SRX

    Posted 04-17-2014 13:43

    Hello support community,


    I'm looking for a strategy on configuring NAT and security policies for groups of 10 or 15 servers at a time in a DMZ. I come from a Cisco ASA background where you can create objects and group servers and services that way, which makes deployment easier. Is there a way that I can group multiple servers with the same function into groups in Junos? I'm going to have enough public IP addresses that I can do one-to-one NAT from the public IP to the private IP. Can you please provide some suggestions on this approach?


    Kind regards,
    Delmiro



  • 2.  RE: Strategies for NAT and Policy configuration on SRX

    Posted 04-18-2014 10:54

    You can do similar in Junos. You would create address book entries (objects) for each of the servers, then create an address book set, add each of the required entries to the address book set, and create the policies referencing the address set instead of individual servers. If you want to also create routing policies and stateless firewall filters, you can create a prefix-list under policy-options with all servers added, and use this prefix-list in your policy statements and/or firewall filters.



  • 3.  RE: Strategies for NAT and Policy configuration on SRX

    Posted 04-18-2014 13:42

    Lyndidon, thanks so much for your explanation. Do you mind sharing a couple of examples?



  • 4.  RE: Strategies for NAT and Policy configuration on SRX
    Best Answer

    Posted 04-18-2014 15:08

    Here are examples of both features:

    http://www.juniper.net/techpubs/en_US/junos13.3/topics/example/policy-prefix-list.html

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/example/zone-address-book-configuring-cli.html


    For better assistance, you can show an example of your environment and specifically what you want to achieve; you can get more precise help if the above does not do it for you.

    If you are thinking about rate-limiting traffic or QoS, then you may want to consider AppSecure and CoS. If you are wanting to strictly control access to web servers (server farm), then you can consider placing them in their own security zone and control access. That way you can strictly limit access only to web services, for example. If these are internal web servers that you want to control strict secure access to, then you may consider getting a MAG series for SSL VPN. It all boils down to what exactly and how you want to exercise that control.




  • 5.  RE: Strategies for NAT and Policy configuration on SRX

    Posted 04-18-2014 15:15

    I think I got it... how does this look?


    set security address-book global address-set rfc1918 address class_a
    set security address-book global address-set rfc1918 address class_b
    set security address-book global address-set rfc1918 address class_c

    set security address-book global address class_a 10.0.0.0/8
    set security address-book global address class_b 172.16.0.0/12
    set security address-book global address class_c 192.168.0.0/16

    set applications application http protocol tcp
    set applications application http destination-port 80
    set applications application https protocol tcp
    set applications application https destination-port 443
    set applications application-set web_services application http
    set applications application-set web_services application https



  • 6.  RE: Strategies for NAT and Policy configuration on SRX

    Posted 04-18-2014 18:21

    Looks good. Junos, however, already has built-in http and https applications defined. If you're picky you can condense your application statements a little:


    set security address-book global address-set rfc1918 address class_a
    set security address-book global address-set rfc1918 address class_b
    set security address-book global address-set rfc1918 address class_c
    set security address-book global address class_a 10.0.0.0/8
    set security address-book global address class_b 172.16.0.0/12
    set security address-book global address class_c 192.168.0.0/16
    
    set applications application-set web_services application junos-http
    set applications application-set web_services application junos-https

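    The thread covers the object grouping (address-sets and application-sets) but never shows the other half of the original question: the one-to-one NAT and the policy that references the group. The following is an added, complete example of that pattern; it is not configuration from any of the posters. Zone names (untrust, dmz), interface names (ge-0/0/0.0, ge-0/0/1.0), the public range 203.0.113.10-12 and the private DMZ servers 10.1.1.10-12 are all assumptions constructed for this example.

```junos
## Assumed zone and interface layout (constructed for this example)
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/1.0

## One address-book object per server, grouped into a single address-set.
## Policies reference the set, so adding a server is a two-line change.
set security address-book global address web1 10.1.1.10/32
set security address-book global address web2 10.1.1.11/32
set security address-book global address web3 10.1.1.12/32
set security address-book global address-set dmz_web address web1
set security address-book global address-set dmz_web address web2
set security address-book global address-set dmz_web address web3

## Service group using the predefined junos-http / junos-https applications
set applications application-set web_services application junos-http
set applications application-set web_services application junos-https

## One-to-one (static, bidirectional) NAT: public 203.0.113.x <-> private 10.1.1.x.
## Static NAT is evaluated before the policy lookup, so the policy below
## matches on the translated (private) address, i.e. the address-set.
set security nat static rule-set dmz_static from zone untrust
set security nat static rule-set dmz_static rule web1 match destination-address 203.0.113.10/32
set security nat static rule-set dmz_static rule web1 then static-nat prefix 10.1.1.10/32
set security nat static rule-set dmz_static rule web2 match destination-address 203.0.113.11/32
set security nat static rule-set dmz_static rule web2 then static-nat prefix 10.1.1.11/32
set security nat static rule-set dmz_static rule web3 match destination-address 203.0.113.12/32
set security nat static rule-set dmz_static rule web3 then static-nat prefix 10.1.1.12/32

## The public addresses are not configured on the interface, so the SRX
## must answer ARP for them on the untrust side.
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32 to 203.0.113.12/32

## Policy from untrust into the DMZ: only the grouped servers, only the grouped
## services. Logging session-close gives the SOC one record per flow.
set security policies from-zone untrust to-zone dmz policy allow_web match source-address any
set security policies from-zone untrust to-zone dmz policy allow_web match destination-address dmz_web
set security policies from-zone untrust to-zone dmz policy allow_web match application web_services
set security policies from-zone untrust to-zone dmz policy allow_web then permit
set security policies from-zone untrust to-zone dmz policy allow_web then log session-close

## Explicit deny-and-log for anything else aimed at the DMZ from the outside
set security policies from-zone untrust to-zone dmz policy deny_rest match source-address any
set security policies from-zone untrust to-zone dmz policy deny_rest match destination-address any
set security policies from-zone untrust to-zone dmz policy deny_rest match application any
set security policies from-zone untrust to-zone dmz policy deny_rest then deny
set security policies from-zone untrust to-zone dmz policy deny_rest then log session-init
```

    After `commit`, `show security nat static rule all` confirms the translations and their hit counters, `show security policies from-zone untrust to-zone dmz` shows the resolved members of `dmz_web` and `web_services`, and `show security flow session destination-prefix 10.1.1.10` lets you verify that an inbound session to the public address was translated and matched `allow_web` rather than `deny_rest`. Because the policy matches on the address-set, onboarding a fourth server means adding its object, its set membership, and its static NAT rule; the policy itself does not change.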



  • 7.  RE: Strategies for NAT and Policy configuration on SRX

    Posted 04-19-2014 08:13

    Thank you guys for your suggestions and information