SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Route Traffic for Port 80 over GRE

    Posted 08-18-2015 21:27

    Hi all, I need to configure multiple branch offices to send all web traffic over a GRE tunnel for web filtering. I understand the basics of a GRE tunnel, and generically putting it in a zone, etc. What I am wondering is what the best way is to select that port 80 traffic.

     Is it best practice to put the GRE interface into a routing-instance, similar to this example: KB24592?

     E.g.:

    After creating GRE and putting it in the untrust zone,

    {primary:node1}[edit security policies from-zone trust to-zone untrust]
    policy WEB-inspection {
        match {
            source-address Entire_Office_net;
            destination-address any;
            application junos-http;
        }
        then {
            permit;
        }
    }

    create the following:

    {primary:node1}[edit firewall]

    filter WEB-inspection {
        term mgmt-allow {
            from {
                destination-address {
                    10.50.1.10/24;
                }
            }
            then accept;
        }
        term INSPECT {
            from {
                destination-port 80;
            }
            then {
                routing-instance WEB-inspection;
            }
        }
        term default {
            then {
                routing-instance default;
            }
        }
    }

    {primary:node1}[edit routing-instances]
    root@SRX2-Corp# show
    WEB-inspection {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop gr-0/0/0.0;
            }
        }
    }

    Am I on the right track, am I missing something, or is there another way to skin this cat?
    Thank you in advance.


  • 2.  RE: Route Traffic for Port 80 over GRE

    Posted 08-18-2015 21:58

    Hi,


    Yep, you are on the right track. You are using the routing instance to do selective forwarding, FBF (filter-based forwarding).

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

    You will also need to do a RIB copy; I am not sure if you have that in the configuration or not. Take a look at the FBF KB and if you have trouble come back.


    Tim



  • 3.  RE: Route Traffic for Port 80 over GRE

    Posted 08-19-2015 08:28

    Right, so to confirm, I think I'd do something like this:


    (thanks in advance)

    interfaces gr-0/0/0 {
        unit 0 {
            tunnel {
                source W.A.N.IP;
                destination X.X.X.X;
            }
            family inet;
        }
    }

    reth2 {                                 
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    input WEB-inspection;
                }
                address 10.50.1.10/24;
            }
        }
    }
    
    [edit security policies from-zone trust to-zone untrust]

    policy WEB-inspection {
        match {
            source-address Entire_Office;
            destination-address any;
            application junos-http;
        }
        then {
            permit;
        }
    }
    
    rib-groups {
        tables {
            import-rib [ inet.0 ISP2.inet.0 ISP1.inet.0 WEB-inspection.inet.0 ];
        }
    }

    routing-instances

    WEB-inspection {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop gr-0/0/0.0;
            }
        }
    }
    
    filter WEB-inspection {
        term mgmt-allow {
            from {
                destination-address {
                    10.50.1.10/32;
                }
            }
            then accept;
        }
        term INSPECT {
            from {
                protocol 6;                           
                destination-port [ 80 443 ];
            }
            then {
                routing-instance WEB-inspection;
            }
        }
        term default {
            then {
                routing-instance default;
            }
        }
    }
    
    
    


  • 4.  RE: Route Traffic for Port 80 over GRE

    Posted 08-19-2015 13:54

    Remove ISP2.inet.0 and ISP1.inet.0 as you are not defining those tables; you just need the WEB-inspection one.


    Also apply the rib group to the interface-routes:


    routing-options {
        interface-routes {
            rib-group inet tables;
        }
    }

    Tim
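    As an added worked example, not posted by anyone in this thread: the pieces from posts 3 and 4 assembled into one consistent configuration, with the ISP tables dropped from the rib-group as suggested above, the rib-group applied to interface-routes, and the two syntax gaps in post 3 (the unclosed tunnel and rib-groups blocks) closed. The tunnel endpoints W.A.N.IP and X.X.X.X and the address 10.50.1.10/24 are the placeholders used in the thread; placing gr-0/0/0.0 in the untrust zone follows the first post's description and is assumed. The trust-to-untrust security policy from post 3 applies unchanged and is not repeated here.

```junos
interfaces {
    gr-0/0/0 {
        unit 0 {
            tunnel {
                /* placeholders from the thread: SRX WAN address and filtering endpoint */
                source W.A.N.IP;
                destination X.X.X.X;
            }
            family inet;
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                /* the FBF filter is applied inbound on the LAN-facing interface */
                filter {
                    input WEB-inspection;
                }
                address 10.50.1.10/24;
            }
        }
    }
}
routing-options {
    interface-routes {
        /* copy directly connected routes into every table in the group */
        rib-group inet tables;
    }
    rib-groups {
        tables {
            import-rib [ inet.0 WEB-inspection.inet.0 ];
        }
    }
}
routing-instances {
    WEB-inspection {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop gr-0/0/0.0;
            }
        }
    }
}
firewall {
    family inet {
        filter WEB-inspection {
            /* Terms are evaluated top down: traffic to the SRX's own LAN
               address is accepted here so it is never diverted into the tunnel. */
            term mgmt-allow {
                from {
                    destination-address {
                        10.50.1.10/32;
                    }
                }
                then accept;
            }
            term INSPECT {
                from {
                    protocol tcp;
                    destination-port [ 80 443 ];
                }
                then {
                    routing-instance WEB-inspection;
                }
            }
            term default {
                then {
                    routing-instance default;
                }
            }
        }
    }
}
security {
    zones {
        security-zone untrust {
            interfaces {
                gr-0/0/0.0;
            }
        }
    }
}
```

    Two things to check after committing. First, `show route table WEB-inspection.inet.0` should list the connected reth2 subnet alongside the 0.0.0.0/0 route; without the rib-group copy, only the default route exists in that table and locally connected destinations matched by the filter would be sent into the tunnel. Second, the filter redirects TCP 443 as well as 80, but the policy in post 3 only permits junos-http; HTTPS from the office will be dropped at the trust-to-untrust policy unless junos-https (or another permitting policy) is added.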



  • 5.  RE: Route Traffic for Port 80 over GRE

    Posted 08-19-2015 18:00

    The only thing is that those two tables are already there, for a different reason. That shouldn't conflict, should it?



  • 6.  RE: Route Traffic for Port 80 over GRE
    Best Answer

    Posted 08-19-2015 19:38

    The interface routes in inet.0 will be copied to all the tables. I do not see it causing a problem but I can't confirm as I do not have visibility of the other configuration items.


    Tim



  • 7.  RE: Route Traffic for Port 80 over GRE

    Posted 08-20-2015 06:57

    Right. I follow. Thanks all for the verification.