
Juniper vSRX: Redirecting HTTP and HTTPS traffic to Bluecoat ProxySG

08-11-2019 11:42 AM


I am planning to implement a transparent proxy. I have two interfaces defined on the firewall (ge-0/0/5 & ge-0/0/6). All user traffic comes in on ge-0/0/6 from a different firewall which already has rules. The Symantec/Bluecoat proxy will be on ge-0/0/5.

Can you guide me on how to implement a transparent proxy so that any internet traffic (HTTP, HTTPS) gets redirected to the proxy server?

There are already rules to permit traffic from and to the Bluecoat proxy.

I have already created a firewall filter (FBF), but it does not work.

======================================


set firewall filter REDIRECT term Port-80-443 from source-address 10.196.248.0/24
set firewall filter REDIRECT term Port-80-443 from destination-port 80
set firewall filter REDIRECT term Port-80-443 from destination-port 443
set firewall filter REDIRECT term Port-80-443 from destination-port 8080
set firewall filter REDIRECT term Port-80-443 from destination-port 8801
set firewall filter REDIRECT term Port-80-443 from destination-port 442
set firewall filter REDIRECT term Port-80-443 then log
set firewall filter REDIRECT term Port-80-443 then accept
set firewall filter REDIRECT term default then accept
set routing-instances VR1 instance-type virtual-router
set routing-instances VR1 interface ge-0/0/0.0
set routing-instances VR1 interface ge-0/0/1.0
set routing-instances VR1 interface ge-0/0/2.0
set routing-instances VR1 interface ge-0/0/8.0
set routing-instances VR1 routing-options static route 0.0.0.0/0 next-hop 10.196.0.254
set routing-instances VR2 instance-type virtual-router
set routing-instances VR2 interface ge-0/0/3.0
set routing-instances VR2 interface ge-0/0/4.0
set routing-instances VR2 interface ge-0/0/5.0
set routing-instances VR2 interface ge-0/0/6.0
set routing-instances VR2 interface ge-0/0/7.0
set routing-instances VR2 routing-options static route 10.196.248.0/24 next-hop 10.196.25.2
set routing-instances VR3 instance-type forwarding
set routing-instances VR3 routing-options static route 0.0.0.0/0 next-hop 10.196.20.200


Would this be the best way of doing this, and what do I need to add?
==================================================================

set interfaces ge-0/0/5 gratuitous-arp-reply
set interfaces ge-0/0/5 unit 0 arp-resp unrestricted
set interfaces ge-0/0/5 unit 0 family inet address 10.196.20.1/24
set interfaces ge-0/0/6 gratuitous-arp-reply
set interfaces ge-0/0/6 unit 0 arp-resp unrestricted
set interfaces ge-0/0/6 unit 0 family inet filter input PROXY-REDIRECT
set interfaces ge-0/0/6 unit 0 family inet address 10.196.25.1/24


set security nat destination pool Proxy address 10.196.20.200/32
set security nat destination pool Proxy address port 8080
set security nat destination pool Proxy address port 80
set security nat destination pool Proxy address port 443

set security nat destination rule-set Corporate_Network from interface ge-0/0/6
set security nat destination rule-set Corporate_Network rule proxy_rule match destination-address 0.0.0.0/0
set security nat destination rule-set Corporate_Network rule proxy_rule match destination-port 80
set security nat destination rule-set Corporate_Network rule proxy_rule match destination-port 443
set security nat destination rule-set Corporate_Network rule proxy_rule match destination-port 8080
set security nat destination rule-set Corporate_Network rule proxy_rule then destination-nat pool Proxy

Thanks for your reply in advance.


Re: Juniper vSRX: Redirecting HTTP and HTTPS traffic to Bluecoat ProxySG

08-11-2019 06:47 PM

You have to mention the routing-instance in the filter configuration. Please go through this KB for more details:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21046&cat=SRX_3600&actp=LIST

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Juniper vSRX: Redirecting HTTP and HTTPS traffic to Bluecoat ProxySG

08-12-2019 12:46 AM

Hi Nellikka,

I have already set that up:

show configuration firewall filter PROXY-REDIRECT | display set
set firewall filter PROXY-REDIRECT term Port-80-443 from source-address 10.196.248.0/24
set firewall filter PROXY-REDIRECT term Port-80-443 from destination-port 80
set firewall filter PROXY-REDIRECT term Port-80-443 from destination-port 443
set firewall filter PROXY-REDIRECT term Port-80-443 from destination-port 8080
set firewall filter PROXY-REDIRECT term Port-80-443 from destination-port 8801
set firewall filter PROXY-REDIRECT term Port-80-443 from destination-port 442
set firewall filter PROXY-REDIRECT term Port-80-443 then log
set firewall filter PROXY-REDIRECT term Port-80-443 then routing-instance VR3
set firewall filter PROXY-REDIRECT term default then accept

I have some questions:

  1. Do I need to perform destination NAT on anything coming from the 10.196.248 network?
  2. The routing statement to send the HTTPS traffic to the Bluecoat proxy is

          set routing-instances VR3 routing-options static route 0.0.0.0/0 next-hop 10.196.20.200

     The address 10.196.20.200 is the Bluecoat address. Is this correct?


Thanks for your reply so far.


Re: Juniper vSRX: Redirecting HTTP and HTTPS traffic to Bluecoat ProxySG

08-12-2019 01:46 AM

Answers to your questions:

1. There is no need to configure destination NAT. You have to configure source NAT for the proxy server (refer to the NAT section in the KB).

2. Yes, the next-hop address is the IP address of the proxy server.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

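A complete version of the redirect the reply describes, as an added example that is neither the thread's configuration nor the KB's. It reuses the thread's addresses, interfaces and instance names (clients in 10.196.248.0/24 arriving on ge-0/0/6, the ProxySG at 10.196.20.200 on ge-0/0/5 in VR2, forwarding instance VR3); the zone names CLIENTS, PROXY and UNTRUST, the rib-group name PROXY-RG and the counter and rule names are assumptions. Lines starting with "##" are explanatory notes, not Junos syntax. Beyond what the replies state, it adds the rib-group that a forwarding-type instance needs before its next-hop can resolve, restricts the filter to TCP, and ends with the operational-mode commands that confirm the redirect is taking effect.

```junos
## Lines beginning with "##" are explanatory notes, not Junos syntax.
## Addresses, interfaces and instance names come from the thread; zone names
## CLIENTS / PROXY / UNTRUST and the names PROXY-RG, proxy-redirected,
## PROXY-OUT, proxy-egress and clients-to-proxy are assumed.

## 1. Classify client web traffic entering ge-0/0/6. Matching protocol tcp
##    keeps UDP on ports 80/443 (e.g. QUIC) from being sent to a proxy that
##    cannot terminate it. The counter lets you see the term being hit.
set firewall filter PROXY-REDIRECT term Port-80-443 from source-address 10.196.248.0/24
set firewall filter PROXY-REDIRECT term Port-80-443 from protocol tcp
set firewall filter PROXY-REDIRECT term Port-80-443 from destination-port 80
set firewall filter PROXY-REDIRECT term Port-80-443 from destination-port 443
set firewall filter PROXY-REDIRECT term Port-80-443 then count proxy-redirected
set firewall filter PROXY-REDIRECT term Port-80-443 then routing-instance VR3
set firewall filter PROXY-REDIRECT term default then accept
set interfaces ge-0/0/6 unit 0 family inet filter input PROXY-REDIRECT

## 2. Forwarding instance whose only route points at the ProxySG.
set routing-instances VR3 instance-type forwarding
set routing-instances VR3 routing-options static route 0.0.0.0/0 next-hop 10.196.20.200

## 3. A forwarding instance owns no interfaces, so 10.196.20.200 is only a
##    resolvable next-hop once the connected route for 10.196.20.0/24
##    (ge-0/0/5, which belongs to VR2) is copied into VR3.inet.0. The
##    rib-group does that; the table it is applied from (VR2) is listed first.
set routing-options rib-groups PROXY-RG import-rib VR2.inet.0
set routing-options rib-groups PROXY-RG import-rib VR3.inet.0
set routing-instances VR2 routing-options interface-routes rib-group inet PROXY-RG

## 4. The proxy opens its own upstream connections, so its traffic gets a
##    source NAT rule (as the reply says). Because the filter sits only on
##    ge-0/0/6, proxy-originated traffic arriving on ge-0/0/5 is never
##    redirected back to the proxy, which avoids a forwarding loop.
set security nat source rule-set PROXY-OUT from zone PROXY
set security nat source rule-set PROXY-OUT to zone UNTRUST
set security nat source rule-set PROXY-OUT rule proxy-egress match source-address 10.196.20.200/32
set security nat source rule-set PROXY-OUT rule proxy-egress then source-nat interface

## 5. Policy for the redirected flows. The zone pair is decided by the egress
##    interface chosen in VR3 (ge-0/0/5 = PROXY), while the destination
##    address is still the real internet address, hence destination-address any.
##    The existing PROXY -> UNTRUST rules mentioned in the thread stay as they are.
set security policies from-zone CLIENTS to-zone PROXY policy clients-to-proxy match source-address any
set security policies from-zone CLIENTS to-zone PROXY policy clients-to-proxy match destination-address any
set security policies from-zone CLIENTS to-zone PROXY policy clients-to-proxy match application junos-http
set security policies from-zone CLIENTS to-zone PROXY policy clients-to-proxy match application junos-https
set security policies from-zone CLIENTS to-zone PROXY policy clients-to-proxy then permit

## 6. Verify from operational mode ("run" prefix when in configuration mode).
##    VR3.inet.0 must show 0.0.0.0/0 resolved via ge-0/0/5.0 and the
##    10.196.20.0/24 connected route imported from VR2; the filter counter
##    must increase and client HTTPS sessions must egress on ge-0/0/5.0.
run show route table VR3.inet.0
run show firewall filter PROXY-REDIRECT
run show security flow session source-prefix 10.196.248.0/24 destination-port 443
```

Two design points worth spelling out. First, the reason destination NAT is unnecessary here: filter-based forwarding leaves the packet's destination address untouched and only changes which routing table is consulted, so the ProxySG still sees the client's real destination IP and, for port 443, the TLS ClientHello with its SNI, which is exactly what a transparent proxy deployment needs; a destination-NAT pool rewriting every flow to 10.196.20.200 would destroy that information. Second, if VR3 has the static route but no rib-group, `show route table VR3.inet.0` will show the default route as unresolved (or not at all) and redirected packets are dropped, which is the most common reason an FBF setup like the one in this thread "does not work". HTTPS redirection also assumes the proxy itself is configured for transparent HTTPS interception; the SRX side is identical for 80 and 443.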

Re: Juniper vSRX: Redirecting HTTP and HTTPS traffic to Bluecoat ProxySG

08-15-2019 05:38 AM

Hi Nellikka,

Is this NAT statement correct?


set security nat destination pool Proxy address 10.196.20.200/32
set security nat destination pool Proxy address port 8080
set security nat destination pool Proxy address port 80
set security nat destination pool Proxy address port 443

set security nat destination rule-set Corporate_Network from interface ge-0/0/6
set security nat destination rule-set Corporate_Network rule proxy_rule match destination-address 0.0.0.0/0
set security nat destination rule-set Corporate_Network rule proxy_rule match destination-port 80
set security nat destination rule-set Corporate_Network rule proxy_rule match destination-port 443
set security nat destination rule-set Corporate_Network rule proxy_rule match destination-port 8080
set security nat destination rule-set Corporate_Network rule proxy_rule then destination-nat pool Proxy