Intrusion Prevention

  • 1.  IPS Clustering

    Posted 10-13-2018 21:11

    Dear Sir,

    I am a beginner in Juniper. I would like to know how to cluster IPS devices.

    I want to use SRX 1500 as an IPS device.

    I have experience in SRX 340 clustering.

    But I don't know how to cluster IPS. And I don't want to change my network design and IP addressing.

    I mean in firewalls, I can use transparent mode for my design. I don't know whether I can use it or not, i.e. whether transparent mode is supported in IPS.

    Please help me and explain, or if I can get reference links, please provide them.



  • 2.  RE: IPS Clustering

     
    Posted 10-15-2018 01:39

    Hello,

    I do not think SRX340 and SRX1500 chassis clustering and IDP support have any difference.

    I have also come across a few instances where an SRX1500 cluster was configured in transparent mode.

    Regards,

    Rushi



  • 3.  RE: IPS Clustering

    Posted 10-18-2018 16:53
    I tried HA with transparent mode; it is not working. The bridge command cannot be typed. May I know if you have any sample or link? Please share it with me.


  • 4.  RE: IPS Clustering
    Best Answer

    Posted 10-18-2018 17:55

    Yes, there are a number of feature restrictions in the various chassis cluster modes. One of them is that bridge domains cannot be used in a transparent mode chassis cluster.

    This is listed at the top of page 46 in the detailed Chassis Cluster feature guide.

    https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/security/security-chassis-cluster.pdf



  • 5.  RE: IPS Clustering

    Posted 10-21-2018 22:54

    Hi,

    I would like to create IPS HA active/active (in transparent mode) for two routers.

    Please see the configuration I prepared below. Is it correct or not?

    user@host> set chassis cluster cluster-id 1 node 0 reboot
    user@host> set chassis cluster cluster-id 1 node 1 reboot

    Management Port and Hostname
    set groups node0 system host-name IPS1
    set groups node0 interfaces fxp0 unit 0 family inet address 1.1.1.1/24
    set groups node1 system host-name IPS2
    set groups node1 interfaces fxp0 unit 0 family inet address 1.1.1.2/24
    set apply-groups "${node}"
    commit

    user@host# show groups
    user@host# show apply-groups
    user@host> show interfaces terse | match fxp0

    Control Link - ge-0/0/1

    show chassis cluster control-plane statistics
    clear chassis cluster control-plane statistics

    Fabric Link - any ge link - ge-0/0/0
    user@host# set interfaces fab0 fabric-options member-interfaces ge-0/0/11
    user@host# set interfaces fab1 fabric-options member-interfaces ge-7/0/11

    show interfaces
    user@host> show interfaces terse | match fab
    user@host> show configuration groups node0 interfaces
    user@host> show chassis cluster data-plane interfaces
    user@host> clear chassis cluster data-plane statistics

    Cluster Redundancy Groups
    set chassis cluster reth-count 8
    user@host# set chassis cluster redundancy-group 0 node 0 priority 100
    user@host# set chassis cluster redundancy-group 0 node 1 priority 1
    user@host# set chassis cluster redundancy-group 1 node 0 priority 100
    user@host# set chassis cluster redundancy-group 1 node 1 priority 1
    user@host# set chassis cluster redundancy-group 2 node 0 priority 1
    user@host# set chassis cluster redundancy-group 2 node 1 priority 100

    user@host# set chassis cluster redundancy-group 1 preempt
    user@host# set chassis cluster redundancy-group 1 gratuitous-arp-count 4

    Redundant Interfaces
    set security zones security-zone outside
    set security zones security-zone inside
    set security zones security-zone MGMT
    set interfaces ge-0/0/0 gigether-options redundant-parent reth0
    set interfaces ge-7/0/0 gigether-options redundant-parent reth0
    set interfaces reth0 redundant-ether-options redundancy-group 1

    set interfaces ge-0/0/1 gigether-options redundant-parent reth1
    set interfaces ge-7/0/1 gigether-options redundant-parent reth1
    set interfaces reth1 redundant-ether-options redundancy-group 1

    set interfaces ge-0/0/2 gigether-options redundant-parent reth2
    set interfaces ge-7/0/2 gigether-options redundant-parent reth2
    set interfaces reth2 redundant-ether-options redundancy-group 2

    set interfaces ge-0/0/3 gigether-options redundant-parent reth3
    set interfaces ge-7/0/3 gigether-options redundant-parent reth3
    set interfaces reth3 redundant-ether-options redundancy-group 2

    set interfaces reth0 unit 0 family ethernet-switching vlan members vlan-10
    set interfaces reth1 unit 0 family ethernet-switching vlan members vlan-10
    set interfaces reth2 unit 0 family ethernet-switching vlan members vlan-20
    set interfaces reth3 unit 0 family ethernet-switching vlan members vlan-20
    set security zones security-zone outside interfaces reth0
    set security zones security-zone outside interfaces reth2
    set security zones security-zone inside interfaces reth1
    set security zones security-zone inside interfaces reth3



  • 6.  RE: IPS Clustering

    Posted 10-27-2018 07:11

    I haven't done layer two zones in a while, so I don't have the details handy. But the security zone assignments are by subinterface, so these need to include the dot and unit number.

    set security zones security-zone outside interfaces reth0
    set security zones security-zone outside interfaces reth2
    set security zones security-zone inside interfaces reth1
    set security zones security-zone inside interfaces reth3

    And of course the VLANs need to be configured.

    And the reth ports placed in trunk mode.
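    The three corrections in the reply above (zone members need a unit, VLANs must be defined, reth units must be trunks) and the bridge-domain restriction from the earlier reply are easy to miss when reviewing a long set-style config by eye. The checker below is an added example written for this thread, not code from Juniper or from any poster: it reads `set` lines, collects the reth membership, VLAN, trunk and zone facts, and reports each problem. Both inputs are constructed samples; the first reproduces the reth/zone part of the posted config, the second applies the corrections. The layer 2 syntax used in the corrected sample (`set vlans`, `interface-mode trunk`, `vlan members`, ELS style) is assumed for the poster's release and should be confirmed against that release's documentation.

```python
import re
from collections import defaultdict

# Constructed sample: the reth/zone part of the posted config, carrying the
# problems the replies point out (zone members without a unit number, VLANs
# referenced but never defined, reth units not in trunk mode).
POSTED_CONFIG = """
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-7/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-7/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family ethernet-switching vlan members vlan-10
set interfaces reth1 unit 0 family ethernet-switching vlan members vlan-10
set security zones security-zone outside interfaces reth0
set security zones security-zone inside interfaces reth1
"""

# Constructed sample with the replies' corrections applied. The layer 2 syntax
# (ELS style) is an assumption for the poster's release.
FIXED_CONFIG = """
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-7/0/0 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-7/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set vlans vlan-10 vlan-id 10
set interfaces reth0 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth0 unit 0 family ethernet-switching vlan members vlan-10
set interfaces reth1 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth1 unit 0 family ethernet-switching vlan members vlan-10
set security zones security-zone outside interfaces reth0.0
set security zones security-zone inside interfaces reth1.0
"""

# Each rule names the fact a matching 'set' line contributes.
RULES = [
    ("parent", re.compile(r"^set interfaces (\S+) gigether-options redundant-parent (reth\d+)$")),
    ("rg",     re.compile(r"^set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)$")),
    ("trunk",  re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching interface-mode trunk$")),
    ("member", re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)$")),
    ("vlan",   re.compile(r"^set vlans (\S+) vlan-id (\d+)$")),
    ("zone",   re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")),
    ("bridge", re.compile(r"^set bridge-domains\b")),
]


def parse(config):
    """Collect the facts the checks need from 'set' lines; other lines are ignored."""
    facts = {"parents": defaultdict(set), "rg": {}, "trunk": set(), "members": [],
             "vlans": set(), "zones": [], "bridge": False}
    for line in config.strip().splitlines():
        for kind, rx in RULES:
            m = rx.match(line.strip())
            if not m:
                continue
            if kind == "parent":
                facts["parents"][m.group(2)].add(m.group(1))
            elif kind == "rg":
                facts["rg"][m.group(1)] = int(m.group(2))
            elif kind == "trunk":
                facts["trunk"].add(f"{m.group(1)}.{m.group(2)}")
            elif kind == "member":
                facts["members"].append((f"{m.group(1)}.{m.group(2)}", m.group(3)))
            elif kind == "vlan":
                facts["vlans"].add(m.group(1))
            elif kind == "zone":
                facts["zones"].append((m.group(1), m.group(2)))
            elif kind == "bridge":
                facts["bridge"] = True
            break
    return facts


def lint(config):
    """Return one finding per problem; an empty list means all checks passed."""
    f = parse(config)
    findings = []
    if f["bridge"]:
        findings.append("bridge-domains configured: not supported in a transparent-mode chassis cluster")
    for reth, members in f["parents"].items():
        if len(members) != 2:
            findings.append(f"{reth} has {len(members)} member link(s); a reth needs one per node")
        if reth not in f["rg"]:
            findings.append(f"{reth} is not assigned to a redundancy group")
    for unit, vlan in f["members"]:
        if vlan not in f["vlans"]:
            findings.append(f"{unit} references {vlan}, which is not defined under 'set vlans'")
        if unit not in f["trunk"]:
            findings.append(f"{unit} carries VLANs but is not in interface-mode trunk")
    for zone, iface in f["zones"]:
        if "." not in iface:
            findings.append(f"zone {zone}: '{iface}' is a physical interface; zones take units, e.g. {iface}.0")
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        results = lint(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for msg in results:
            print("  -", msg)
```

Run as a script, the posted sample produces six findings (undefined VLAN and missing trunk mode on both reth units, plus the two zone assignments without a unit) and the corrected sample produces none. The checker only understands the handful of statements above; lines it does not recognise are ignored rather than flagged, so a clean result means these specific mistakes are absent, not that the whole configuration will commit.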