SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Migrating from old NetScreen IDP 200 to Juniper SSG 550 as firewall and SRX 240 as IPS

    Posted 05-10-2014 22:07

    Hi,

     

    I have checked different threads related to my question but I could not find exactly what I was looking for. We have to replace a client's old NetScreen firewall with an SSG 550 and the old IDP 200 with an SRX 240.

     

    As far as I know the old IDP is in transparent mode; there is not much interface configuration there, traffic just goes in and goes out. I am confused as to how I use the SRX 240 as IPS only. Here I am seeing threads where they are using the SRX both as firewall and IPS, but I want the SRX 240 to be used only as IPS.

     

    Is it possible to use the SRX 240 as a standalone/transparent IPS? I connect my trust cable from the SSG 550 to any port on the SRX, and another port from the SRX I connect to my core switch? Do I need to provide some IP addresses on the SRX 240 ports, or is it possible using transparent mode as just layer 2?

     

     



  • 2.  RE: Migrating from old NetScreen IDP 200 to Juniper SSG 550 as firewall and SRX 240 as IPS
    Best Answer

    Posted 05-11-2014 18:31

    You can configure the SRX as either transparent mode or a layer 3 device using IDP.

     

    In transparent mode you create an irb interface address within the subnet where you insert the SRX into the path.  The address is only used as a management address for the transparent SRX and does not participate in routing for the traffic.

     

    You will place the two interfaces that face your SSG and the switch in zones on the SRX so that you can create your policies for the traffic inspection.

     

    See KB16489 for the quick start outline.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16489

     

    And KB23424 collects all the IDP related material together for reference.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB23424
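    A minimal Junos set-format configuration for the transparent-mode layout described in this answer, as an added illustration (not from the post and not from the KB articles it links). Assumptions: ge-0/0/1 faces the SSG, ge-0/0/2 faces the core switch, both share VLAN 10, the irb management address is 192.168.10.5/24 with gateway 192.168.10.1, and management is reached through the core-switch side; zone, policy and group names are made up.

```junos
# Added example, not the poster's or Juniper's configuration: SRX 240 as a layer 2 IPS
# sitting between the SSG 550 and the core switch. Interface names, VLAN and addresses are assumed.

# Both data ports are pure layer 2 members of the same VLAN; they carry no IP addresses
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access vlan-id 10
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access vlan-id 10

# One bridge domain joins the two ports and hosts the irb used only for management
set bridge-domains bd10 domain-type bridge vlan-id 10 routing-interface irb.10
set interfaces irb unit 10 family inet address 192.168.10.5/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.1

# Each data port goes into its own zone so a policy can be written between them
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0

# Management reaches the irb through the layer 2 zone on the switch side; allow only ssh and ping
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping

# Permit traffic in both directions and hand it to IDP; the policy is what pulls flows into the IPS
set security policies from-zone untrust to-zone trust policy ips-in match source-address any
set security policies from-zone untrust to-zone trust policy ips-in match destination-address any
set security policies from-zone untrust to-zone trust policy ips-in match application any
set security policies from-zone untrust to-zone trust policy ips-in then permit application-services idp
set security policies from-zone trust to-zone untrust policy ips-out match source-address any
set security policies from-zone trust to-zone untrust policy ips-out match destination-address any
set security policies from-zone trust to-zone untrust policy ips-out match application any
set security policies from-zone trust to-zone untrust policy ips-out then permit application-services idp

# Minimal IDP policy: a dynamic group of critical-severity signatures, recommended action, logged
set security idp dynamic-attack-group critical-sigs filters severity values critical
set security idp idp-policy transparent-ips rulebase-ips rule all-critical match attacks dynamic-attack-groups critical-sigs
set security idp idp-policy transparent-ips rulebase-ips rule all-critical then action recommended
set security idp idp-policy transparent-ips rulebase-ips rule all-critical then notification log-attacks
set security idp active-policy transparent-ips
```

    The IDP attack database must be present before the commit (request security idp security-package download, then request security idp security-package install), and the SRX needs a valid IDP licence for the signatures to load.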



  • 3.  RE: Migrating from old NetScreen IDP 200 to Juniper SSG 550 as firewall and SRX 240 as IPS

    Posted 05-12-2014 23:11

    Thank you Steve Puluka, you are great. I have watched a few of your videos on YouTube and they were very good.

     

    Moving forward from here, can you please advise me on what design I should follow and which I should prefer: layer 2 transparent with an irb interface, or layer 3, assigning IP addresses to both SRX interfaces?

     

    Actually the customer changed its requirement and it's making it hard for me. The current old design only had trust, with all servers in the same trust zone, so on the new SSG I just had to create untrust and trust zones and connect my SRX as IPS (in layer 3):

     

    1)   Untrust (public address) --> SSG --> Trust (private address) ----> Untrust (private) -- SRX -- Trust (private) ------>> Core switch

     

    So in this above design I assigned private addresses and made two subnets: one between SSG trust --> untrust SRX,

    and one for SRX trust -->> core switch.

     

    But now the customer is saying they need a DMZ also on the SSG, so if I pass both trust zone and DMZ traffic through the SRX I need to place the SRX facing the internet, like scenario 2 below:

     

    2) Untrust (public address) --> SRX --> Trust (private) ---->>> Untrust (private) -- SSG -- Trust and DMZ (private) ----->> Core switch

     

    So in the second design only the SRX untrust is public, and there are still 2 private subnets: one between SRX trust and SSG untrust, and the other between SSG trust and the core switch.

     

    Could you please advise whether I should go for the second design? And if I go for the second design, is it best to use the SRX as layer 3, assigning IP addresses on its interfaces, or go for the irb interface as you mentioned? I never created an IRB interface, so I don't know which option will be easy 🙂

     

    Please, I await your reply.



  • 4.  RE: Migrating from old NetScreen IDP 200 to Juniper SSG 550 as firewall and SRX 240 as IPS

    Posted 05-14-2014 16:10

    You are correct that the second design would be necessary to see both DMZ and trust in a transparent deployment.  This deployment method would be most similar to the current IDP system that you are replacing.

     

    If you do decide to go with a layer three design then you could move the SRX behind the SSG and scan both the DMZ and trust zones.  In this case you would use four interfaces to create routed links between the SSG and SRX and then deliver the DMZ and trust traffic to clients connected directly to the SRX.  This scenario may make public NAT addresses more complicated for your DMZ hosts.

     

    For a basic transparent mode SRX configuration see KB21421.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB21421



  • 5.  RE: Migrating from old NetScreen IDP 200 to Juniper SSG 550 as firewall and SRX 240 as IPS

    Posted 05-18-2014 08:00

    Thank you Steve,

     

    I have finally configured the SRX as IDP in transparent mode. There was some issue with the IRB interface but that is also solved now. I have integrated the SRX with my SSG now and will do some more testing before moving on to the final migration.

     

    thanks again 🙂