SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Web environment management setup

    Posted 10-04-2010 20:19

    Hi there,

    I'm deploying 2 SRX clusters in a standard web environment.

    Internet -> Ext FWs -> Web Servers -> Int FWs -> Backend Servers

    I had initially thought I could use the fxp0 interface on a separate management network, but it appears that the management network routes must appear in the main route table of the active SRXs, which breaks our operational security.

    From all my reading and experimentation, it now looks like, despite my original intention to have the internal FWs non-accessible from the Internet, I'm going to need to throw the fxp interface out and run management inline on a loopback, protected by a stateless firewall policy all the way through.

    Can people confirm that this appears to be the current best practice?

     



  • 2.  RE: Web environment management setup

    Posted 10-05-2010 11:00

    The fxp0 routes do appear in the main routing table, but that shouldn't be a problem. The SRX will not route transit traffic via that interface. Of course, the management network needs to be a real out of band network in this case.


    I usually configure firewall filters as many people want to be able to manage their devices in-line, but I want to restrict access to only a few source-ips. Most do have the fxp0 interfaces connected as well though so that they can be accessed more easily in case of problems.



  • 3.  RE: Web environment management setup

    Posted 10-05-2010 17:22

    Out-of-band management aside.

    How are you supposed to do inline management on the secondary unit?

    This doesn't work:

    groups {
        node0 {
            system {
                host-name target-fw3;
                backup-router 116.240.200.145 destination 0.0.0.0/0;
            }
            interfaces {
                lo0 {
                    unit 0 {
                        family inet {
                            address 116.240.200.155/32;
                        }
                    }
                }
            }
        }
        node1 {
            system {
                host-name target-fw4;
                backup-router 116.240.200.145 destination 0.0.0.0/0;
            }
            interfaces {
                lo0 {
                    unit 0 {
                        family inet {
                            address 116.240.200.156/32;
                        }
                    }
                }
            }
        }
    }




  • 4.  RE: Web environment management setup
    Best Answer

    Posted 10-06-2010 22:50

    fxp0 is the only way to directly manage the secondary firewall. The lo0 interface would only ever be active on the node which is primary. However, one thing you can do is to set up fxp0 on a separate private network and simply plug the fxp0 interfaces between the two nodes together. That way, if you need to remotely manage the secondary, you can simply log into the primary and then from there SSH/telnet to the secondary using the fxp0 IP.


    -Richard



  • 5.  RE: Web environment management setup

    Posted 10-09-2010 03:18

    An easier way to hop from the primary to the secondary node is using "request routing-engine login node <ID>". No need to remember the other node's management address or re-authenticate.
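The following is an added example, not configuration posted by anyone in this thread: it combines the suggestions above into one Junos fragment, with fxp0 on a private back-to-back link between the two nodes (node-specific addresses in the groups), lo0 kept outside the node groups so it follows the primary, and a stateless lo0 input filter that restricts in-band management to a few source addresses. The hostnames and the lo0 address are taken from the thread; the fxp0 addresses, the jump-host prefix and the filter name are assumed values.

```junos
groups {
    node0 {
        system { host-name target-fw3; }
        interfaces {
            /* private fxp0-to-fxp0 link between the nodes (assumed addresses) */
            fxp0 { unit 0 { family inet { address 192.168.255.1/30; } } }
        }
    }
    node1 {
        system { host-name target-fw4; }
        interfaces {
            fxp0 { unit 0 { family inet { address 192.168.255.2/30; } } }
        }
    }
}
apply-groups "${node}";
interfaces {
    /* lo0 is not in a node group: it is only reachable on whichever node is primary */
    lo0 {
        unit 0 {
            family inet {
                filter { input protect-mgmt; }
                address 116.240.200.155/32;
            }
        }
    }
}
firewall {
    family inet {
        filter protect-mgmt {
            /* management only from the admin jump hosts (assumed prefix) */
            term mgmt-from-jumphosts {
                from {
                    source-address { 10.10.10.0/28; }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            /* any other attempt to reach the management services is logged and dropped */
            term drop-other-mgmt {
                from { protocol tcp; destination-port [ ssh https telnet ]; }
                then { log; discard; }
            }
            term allow-rest { then accept; }
        }
    }
}
```

The filter only narrows what reaches the routing engine; SSH still has to be enabled under system services and in host-inbound-traffic for the zone that holds lo0. The in-band path still depends on which node is primary, which is why the fxp0 link between the nodes is there for reaching the secondary.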