Hi all, I need to configure multiple branch offices to send all web traffic over a GRE tunnel for web filtering. I understand the basics of a GRE tunnel, and generically putting it in a zone, etc. What I am wondering is what the best way is to select that port 80 traffic.
Is it best practice to put the GRE interface into a routing-instance, similar to this example: KB24592?
E.g.:
After creating the GRE interface and putting it in the untrust zone,
{primary:node1}[edit security policies from-zone trust to-zone untrust]
policy WEB-inspection {
    match {
        source-address Entire_Office_net;
        destination-address any;
        application junos-http;
    }
    then {
        permit;
    }
}
create the following:
{primary:node1}[edit firewall]
filter WEB-inspection {
    term mgmt-allow {
        /* 10.50.1.10/24 has host bits set under a /24 mask: use 10.50.1.0/24 for the whole subnet or 10.50.1.10/32 for the single host */
        from {
            destination-address {
                10.50.1.10/24;
            }
        }
        then accept;
    }
    term INSPECT {
        from {
            /* protocol tcp keeps the port match from also catching UDP/80 */
            protocol tcp;
            destination-port 80;
        }
        then {
            routing-instance WEB-inspection;
        }
    }
    term default {
        /* accept forwards everything else normally, i.e. via the inet.0 lookup of the ingress interface */
        then accept;
    }
}
{primary:node1}[edit routing-instances]
root@SRX2-Corp# show
WEB-inspection {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop gr-0/0/0.0;
        }
    }
}
Am I on the right track, am I missing something, or is there another way to skin this cat?
Thank you in advance.
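The following is an added, complete set-format version of the design sketched in the post; it is example configuration written for this page, not the poster's running config and not the contents of KB24592. It assumes ge-0/0/1.0 is the office LAN in zone trust, ge-0/0/0.0 is the WAN in zone untrust, the tunnel runs from 192.0.2.1 (local) to 198.51.100.1 (the filtering provider), the office prefix is 10.50.0.0/16 and the management host is 10.50.1.10/32; the rib-group name FBF-RIB and the tunnel address 10.255.0.1/30 are likewise made up for the example. Beyond what the post shows it adds three things a practitioner would want: `protocol tcp` on the port match, a rib-group so interface (connected) routes are visible inside the forwarding instance and port-80 traffic to internal subnets is not pushed up the tunnel, and the `filter input` statement that actually attaches the filter to the LAN interface, without which none of the filter terms are evaluated.

```junos
## Added worked example (not from the original post or KB24592).
## Assumed: ge-0/0/1.0 = office LAN (trust), ge-0/0/0.0 = WAN (untrust),
## tunnel 192.0.2.1 -> 198.51.100.1, office prefix 10.50.0.0/16,
## management host 10.50.1.10/32, rib-group name FBF-RIB.

## GRE tunnel towards the web-filtering service, placed in zone untrust
set interfaces gr-0/0/0 unit 0 tunnel source 192.0.2.1
set interfaces gr-0/0/0 unit 0 tunnel destination 198.51.100.1
set interfaces gr-0/0/0 unit 0 family inet address 10.255.0.1/30
set security zones security-zone untrust interfaces gr-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

## Address-book entry referenced by the policy (assumed prefix)
set security address-book global address Entire_Office_net 10.50.0.0/16

## Policy: only HTTP from the office is permitted from trust to untrust
set security policies from-zone trust to-zone untrust policy WEB-inspection match source-address Entire_Office_net
set security policies from-zone trust to-zone untrust policy WEB-inspection match destination-address any
set security policies from-zone trust to-zone untrust policy WEB-inspection match application junos-http
set security policies from-zone trust to-zone untrust policy WEB-inspection then permit

## Forwarding instance whose only route is the tunnel interface
set routing-instances WEB-inspection instance-type forwarding
set routing-instances WEB-inspection routing-options static route 0.0.0.0/0 next-hop gr-0/0/0.0

## Share interface routes from inet.0 into the forwarding instance so that
## port-80 traffic to directly connected internal subnets stays internal
set routing-options rib-groups FBF-RIB import-rib [ inet.0 WEB-inspection.inet.0 ]
set routing-options interface-routes rib-group inet FBF-RIB

## Filter: management host first, then TCP/80 into the instance, rest normal
set firewall filter WEB-inspection term mgmt-allow from destination-address 10.50.1.10/32
set firewall filter WEB-inspection term mgmt-allow then accept
set firewall filter WEB-inspection term INSPECT from protocol tcp
set firewall filter WEB-inspection term INSPECT from destination-port 80
set firewall filter WEB-inspection term INSPECT then routing-instance WEB-inspection
set firewall filter WEB-inspection term default then accept

## The filter only takes effect once applied on the ingress (LAN) side
set interfaces ge-0/0/1 unit 0 family inet filter input WEB-inspection
```

After commit, `show route table WEB-inspection.inet.0` should list the 0.0.0.0/0 route via gr-0/0/0.0 plus the imported interface routes, `show interfaces gr-0/0/0` confirms the tunnel is up, and `show security flow session destination-port 80` should show sessions egressing on gr-0/0/0.0. Two caveats the example does not remove: only TCP/80 is redirected, so HTTPS (443) keeps following inet.0 unless a matching term is added, and the filtering provider is assumed to return replies down the same tunnel.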