SRX Services Gateway

Security policy place

11-19-2019 10:56 PM

Hi all,


We have SRX_Main in main datacenter and SRX_Backup in backup datacenter.

Traffic from branches to backup datacenter goes through main datacenter - Branch router -> SRX_Main -> SRX_Backup.

In that case where is the right place to put firewall policies (SRX_Main or SRX_Backup), when the destination is in the backup datacenter?


Thanks


Re: Security policy place

11-19-2019 11:30 PM

Hi Harut,


I believe that ideally the branch router should connect to the Main SRX and the Backup SRX separately. If the branch router connects to the backup SRX via the Main SRX, what would happen if the Main SRX malfunctions? You will lose connectivity to the backup SRX. Anyways, that's just my humble opinion.


Regarding your question:


I will go with Main SRX; this way you will filter/block non-desired traffic upfront. Besides, if you decide not to filter the traffic on the Main SRX and leave this task to the Backup SRX, the traffic will still need to be processed by a security policy on the Main SRX (a security policy that will be permitting all the traffic).


Security-wise: non-desired traffic to be filtered as soon as possible.

Processing-wise: It makes no difference to the Main SRX; it will have to process the traffic via security policies even if you decide to filter the traffic on the backup SRX.


I really hope this opinion helps you. Please mark my comment as "Solution" if it applies.


Re: Security policy place

11-20-2019 01:16 PM

I agree with @lpaniagua


Please mark my answer as the Solution if it applies.

Re: Security policy place

11-20-2019 07:28 PM

You need security policies in both. Traffic is not allowed from one interface to another without being allowed by a policy. 

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps
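Both points made in this thread, lpaniagua's "filter upfront on the Main SRX, which has to run a policy on the transit traffic anyway" and Yasmin's "each SRX only forwards between zones what a policy permits", come down to the same zone-to-zone policy pattern. The Junos configuration below is an added example written for this thread; it is not configuration posted by any of the participants. The zone names, interface units, address-book prefixes and applications are assumptions chosen for illustration.

```junos
/* Added example for SRX_Main, the first SRX on the path
   Branch router -> SRX_Main -> SRX_Backup.
   Zone names, interfaces, prefixes and applications are assumed. */
security {
    address-book {
        global {
            /* assumed branch LAN space */
            address branch-nets 10.10.0.0/16;
            /* assumed server range in the backup datacenter */
            address backup-dc-servers 10.20.0.0/24;
        }
    }
    zones {
        /* interface toward the branch routers (assumed) */
        security-zone branch {
            interfaces {
                ge-0/0/0.0;
            }
        }
        /* interface toward SRX_Backup (assumed) */
        security-zone dc-interconnect {
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
    policies {
        /* Transit traffic to the backup datacenter is filtered here,
           on the first SRX, instead of being permitted wholesale. */
        from-zone branch to-zone dc-interconnect {
            policy permit-branch-to-backup-dc {
                match {
                    source-address branch-nets;
                    destination-address backup-dc-servers;
                    application [ junos-https junos-ssh ];
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            /* Explicit logged deny so dropped branch traffic shows up
               in the security log instead of silently hitting default-policy. */
            policy deny-branch-rest {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
}
```

SRX_Backup needs a policy of the same shape for the same flows, from the zone facing SRX_Main into the zone holding the backup-DC servers, because its own default-policy deny-all applies there too; what changes is that SRX_Main already narrowed the traffic, so SRX_Backup's permit rule can be equally specific without becoming the only place the filtering happens. After committing, `show security policies from-zone branch to-zone dc-interconnect` lists the rules in evaluation order, which is the quickest way to confirm that the permit rule sits above the logged deny.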