Hi there,
I'm deploying 2 SRX clusters in a standard web environment.
Internet -> Ext FWs -> Web Servers -> Int FWs -> Backend Servers
I had initially thought I could use the fxp0 interface on a separate management network, but it appears that the management network routes must appear in the main route table of the active SRXs, which breaks our operational security.
From all my reading and experimentation, it now looks like, despite my original intention to have the internal FWs non-accessible from the Internet, I'm going to need to throw the fxp interface out and run management inline on a loopback, protected by a stateless firewall policy all the way through.
Can people confirm that this appears to be the current best practice?
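For readers weighing the loopback approach described above, here is an added example (not from the original post) of a Junos stateless filter on lo0 that restricts SSH/HTTPS to the management subnet and logs and drops everything else; the filter name, prefix-list name and addresses are assumed placeholders, and on an SRX the lo0 unit must also sit in a security zone whose host-inbound-traffic system-services is limited to the same services.

```junos
/* Added example, not from the post; names and addresses are assumed placeholders. */
policy-options {
    prefix-list MGMT-HOSTS {
        10.10.10.0/24;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
                address 10.0.0.1/32;
            }
        }
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* Management only from the management subnet */
            term allow-mgmt {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* Log and drop management attempts from anywhere else */
            term deny-other-mgmt {
                from {
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then {
                    log;
                    discard;
                }
            }
            /* Everything else (routing protocols, etc.) continues */
            term allow-rest {
                then accept;
            }
        }
    }
}
```

Check hits with `show firewall log` after committing; the deny term's log action is what gives you visibility into management attempts from outside the allowed subnet.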