Intrusion Prevention

IPS Clustering

‎10-13-2018 09:11 PM

Dear Sir,

I am a beginner in Juniper. I would like to know how to cluster IPS devices.

I want to use SRX 1500 as an IPS device.

I have experience in SRX 340 clustering.

But I don't know how to cluster IPS. And I don't want to change my network design and IP addressing.

I mean in firewalls, I can use transparent mode for my design. I don't know whether transparent mode is supported in IPS or not.

Please help me and explain, or if I can get reference links, please provide them.

5 REPLIES

Re: IPS Clustering

‎10-15-2018 01:39 AM

Hello,

I do not think SRX340 and SRX1500 chassis clustering and IDP support have any difference.

I also came across a few instances where an SRX1500 cluster was configured in transparent mode.

Regards,

Rushi


Re: IPS Clustering

‎10-18-2018 04:52 PM
I tried HA with transparent mode; it is not working. Bridge commands cannot be typed. May I know whether you have any sample or link? Please share it with me.
Solution (accepted by topic author aungzawtun, 10-21-2018 11:27 PM)

Re: IPS Clustering

‎10-18-2018 05:54 PM

Yes, there are a number of feature restrictions in the various chassis cluster modes. One of them is that bridge domains cannot be used in a transparent mode chassis cluster.

This is listed at the top of page 46 in the detailed Chassis Cluster feature guide.

https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/security/securi...

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: IPS Clustering

‎10-21-2018 10:54 PM

Hi,

I would like to create IPS HA active/active (in transparent mode) for two routers.

Please see the configuration I have prepared below. Is it correct or not?

user@host> set chassis cluster cluster-id 1 node 0 reboot
user@host> set chassis cluster cluster-id 1 node 1 reboot

Management Port and Hostname
set groups node0 system host-name IPS1
set groups node0 interfaces fxp0 unit 0 family inet address 1.1.1.1/24
set groups node1 system host-name IPS2
set groups node1 interfaces fxp0 unit 0 family inet address 1.1.1.2/24
set apply-groups "${node}"
commit

user@host# show groups
user@host# show apply-groups
user@host> show interfaces terse | match fxp0

Control Link - ge-0/0/1

show chassis cluster control-plane statistics
clear chassis cluster control-plane statistics

Fabric Link - any ge link - ge-0/0/0
user@host# set interfaces fab0 fabric-options member-interfaces ge-0/0/11
user@host# set interfaces fab1 fabric-options member-interfaces ge-7/0/11

show interfaces
user@host> show interfaces terse | match fab
user@host> show configuration groups node0 interfaces
user@host> show chassis cluster data-plane interfaces
user@host> clear chassis cluster data-plane statistics

Cluster Redundancy Groups
set chassis cluster reth-count 8
user@host# set chassis cluster redundancy-group 0 node 0 priority 100
user@host# set chassis cluster redundancy-group 0 node 1 priority 1
user@host# set chassis cluster redundancy-group 1 node 0 priority 100
user@host# set chassis cluster redundancy-group 1 node 1 priority 1
user@host# set chassis cluster redundancy-group 2 node 0 priority 1
user@host# set chassis cluster redundancy-group 2 node 1 priority 100

user@host# set chassis cluster redundancy-group 1 preempt
user@host# set chassis cluster redundancy-group 1 gratuitous-arp-count 4

Redundant Interfaces
set security zones security-zone outside
set security zones security-zone inside
set security zones security-zone MGMT
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-7/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1

set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-7/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1

set interfaces ge-0/0/2 gigether-options redundant-parent reth2
set interfaces ge-7/0/2 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 2

set interfaces ge-0/0/3 gigether-options redundant-parent reth3
set interfaces ge-7/0/3 gigether-options redundant-parent reth3
set interfaces reth3 redundant-ether-options redundancy-group 2

set interfaces reth0 unit 0 family ethernet-switching vlan members vlan-10
set interfaces reth1 unit 0 family ethernet-switching vlan members vlan-10
set interfaces reth2 unit 0 family ethernet-switching vlan members vlan-20
set interfaces reth3 unit 0 family ethernet-switching vlan members vlan-20
set security zones security-zone outside interfaces reth0
set security zones security-zone outside interfaces reth2
set security zones security-zone inside interfaces reth1
set security zones security-zone inside interfaces reth3


Re: IPS Clustering

‎10-27-2018 07:10 AM

I haven't done layer two zones in a while, so I don't have the details handy. But the security zone assignments are by subinterface, so these need to include the dot and unit number.

set security zones security-zone outside interfaces reth0
set security zones security-zone outside interfaces reth2
set security zones security-zone inside interfaces reth1
set security zones security-zone inside interfaces reth3

And of course the VLANs need to be configured.

And the reth ports need to be placed in trunk mode.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
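The points raised in the replies above (zone members must reference a unit such as reth0.0, reth ports carrying VLANs need trunk mode, and each reth needs one member per node plus a redundancy group) can be checked mechanically before committing. The following linter is an added example, not code from the thread or from Juniper; it runs over a constructed set-style config that mirrors the shape of the one posted above, and the node0/node1 slot convention (ge-0/... versus ge-7/...) is assumed from that config.

```python
import re

# Constructed sample in the shape of the config posted in this thread (not the poster's verbatim lines).
SAMPLE = """
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-7/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces ge-0/0/3 gigether-options redundant-parent reth3
set interfaces ge-7/0/3 gigether-options redundant-parent reth3
set interfaces reth1 redundant-ether-options redundancy-group 2
set interfaces reth0 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth0 unit 0 family ethernet-switching vlan members vlan-10
set interfaces reth3 unit 0 family ethernet-switching vlan members vlan-20
set security zones security-zone outside interfaces reth0
set security zones security-zone inside interfaces reth3.0
"""

def lint_cluster_config(text):
    members, rg, units, trunk, vlan_units, zones = {}, {}, set(), set(), set(), []
    for line in text.strip().splitlines():
        if m := re.match(r"set interfaces (\S+) gigether-options redundant-parent (reth\d+)", line):
            members.setdefault(m[2], set()).add(m[1])          # physical member -> reth
        elif m := re.match(r"set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)", line):
            rg[m[1]] = int(m[2])                                 # reth -> redundancy group
        elif m := re.match(r"set interfaces (reth\d+) unit (\d+) family ethernet-switching (.*)", line):
            u = f"{m[1]}.{m[2]}"
            units.add(u)                                         # configured L2 subinterfaces
            if "interface-mode trunk" in m[3]: trunk.add(u)
            if m[3].startswith("vlan members"): vlan_units.add(u)
        elif m := re.match(r"set security zones security-zone (\S+) interfaces (\S+)", line):
            zones.append((m[1], m[2]))                           # (zone, interface reference)
    findings = []
    for reth, phys in members.items():
        # FPC slot distinguishes the nodes: ge-0/... is node0, ge-7/... is node1 (as in the thread's config).
        slots = {p.split("-")[1].split("/")[0] for p in phys}
        if len(phys) != 2 or len(slots) != 2:
            findings.append(f"{reth}: expected one member per node, got {sorted(phys)}")
        if reth not in rg:
            findings.append(f"{reth}: no redundancy-group assigned")
    for reth in rg.keys() - members.keys():
        findings.append(f"{reth}: redundancy-group set but no member interfaces")
    for u in sorted(vlan_units - trunk):
        findings.append(f"{u}: vlan members without interface-mode trunk")
    for zone, ifname in zones:
        if "." not in ifname:
            findings.append(f"zone {zone}: '{ifname}' needs a unit number (e.g. {ifname}.0)")
        elif ifname not in units:
            findings.append(f"zone {zone}: '{ifname}' has no configured unit")
    return findings
```

Running `lint_cluster_config(SAMPLE)` flags the same classes of mistake the thread discusses: a reth whose redundancy-group line names the wrong reth, a VLAN-carrying reth unit without trunk mode, and a zone referencing `reth0` instead of `reth0.0`.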