Hello,
Please find answers inline. I hope I covered everything 🙂
- Can I implement the VSYS concept in SRX, or is it better to convert it to a flat design?
We can implement LSYS in SRX, but that needs a license. If there is a reason for the VSYS config on the PA (isolation/security), I suggest you retain the same.
- It seems SRX doesn't have two separate concepts for Services and Applications? In that case, do I just convert the services to applications in SRX?
Application in Junos = service in PA
Dynamic-application in Junos (related to App-FW) = application in PA
Prior to 18.2R1 we had one security policy rulebase and a separate one for Application-FW. Application is used in the security policy, while dynamic-application is used in the App-FW rulebase.
Good news: starting with 18.2R1 we have something called unified policy, where the security policy integrates dynamic-application. So the policy would look very similar to the one on the PA.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/configuring-unified-policies.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/security-utm-support-within-unified-policy.html
- Not so many NAT rules, and that doesn't seem to be a problem.
- Is there something like a TAG in SRX? Not a VLAN tag or VLAN ID, just a tag for administration purposes?
SRX does not have a security policy tag as in PA. If you want, you can add the tag to the description of the policy; that way you can search/filter using the tag.
- What's the SRX equivalent of Security Profiles in PA? I have some admin-created security profiles, and the predefined default profiles from PA are being used as well. Here are the major ones:
- Antivirus - Default and defined
- Anti-Spyware - Default
- URL Filtering - Defined
We have a utm-policy in SRX. This is not exactly the same as a Security Profile on PA, since the PA security profile includes IDP policy as well, if I am not wrong. You can do the above in a utm-policy.
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-utm-policy.html
- I have 5 virtual routers configured with around 1000 routes on them (static only), each plugged into some VSYSs.
- What does SRX have to match the virtual routers? SRX has the concept of virtual routers too.
- If I don't do VSYS in SRX, I don't think I need a vRouter, right? You would need LSYS and virtual routers as well, each virtual router configured within a specific LSYS.
- Does SRX handle sub-interfaces as well as it says here: https://www.juniper.net/documentation/en_US/junos/topics/example/interfaces-layer3-subinterfaces-ex-...
Yes, sub-interfaces and vlan-tagging work perfectly. If you are using a cluster, you would need to create the sub-interfaces on a reth interface.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-redundant-ethernet-interfaces.html
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html
- Does this page really take care of log forwarding to something like Splunk? https://kb.juniper.net/InfoCenter/index?page=content&id=KB16224&actp=METADATA
Yes, this link is OK.
- I have a couple of hundred site-to-site VPNs on PA as well, and it seems I have figured that part out already, unless there's something someone has to say as a heads-up.
Regards,
Vikas
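The following is an added illustration of the Junos constructs named in the answers above; it is not Vikas's configuration and not taken from the linked Juniper documents. It shows, for a chassis cluster on 18.2R1 or later: VLAN sub-interfaces on a reth interface, a unified security policy that matches both application (PA service) and dynamic-application (PA App-ID) and applies a utm-policy, a policy description used as a stand-in for a PA tag, stream-mode security logging to a syslog collector such as Splunk, and a logical system (licensed) with its own virtual router and static routes. Zone, address, interface, LSYS, virtual-router and log-stream names, the addresses, and the predefined UTM profile names junos-sophos-av-defaults and junos-wf-enhanced-default are all assumptions for the example; verify them against the reference for your release before committing.

```junos
## Added example, 18.2R1 or later, SRX chassis cluster. All names and
## addresses are assumptions, not a customer configuration.

## 1. Redundant Ethernet interfaces carrying VLAN sub-interfaces
set chassis cluster reth-count 2
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-7/0/2 gigether-options redundant-parent reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-7/0/3 gigether-options redundant-parent reth1
set interfaces reth0 vlan-tagging
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 100 vlan-id 100 family inet address 192.0.2.1/24
set interfaces reth0 unit 200 vlan-id 200 family inet address 198.51.100.1/24
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1

## 2. Zones and address book at the root level (flat design)
set security zones security-zone trust interfaces reth0.100
set security zones security-zone untrust interfaces reth0.200
set security address-book global address web-servers 192.0.2.0/24

## 3. Unified policy: application (PA service) and dynamic-application
##    (PA App-ID) in one rule. The description carries an admin tag,
##    since SRX has no policy tag of its own.
set security policies from-zone trust to-zone untrust policy allow-web description "tag:PCI owner:netops"
set security policies from-zone trust to-zone untrust policy allow-web match source-address web-servers
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web match dynamic-application junos:HTTP
set security policies from-zone trust to-zone untrust policy allow-web match dynamic-application junos:SSL
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services utm-policy web-utm
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
set security policies from-zone trust to-zone untrust policy deny-all match source-address any
set security policies from-zone trust to-zone untrust policy deny-all match destination-address any
set security policies from-zone trust to-zone untrust policy deny-all match application any
set security policies from-zone trust to-zone untrust policy deny-all then deny
set security policies from-zone trust to-zone untrust policy deny-all then log session-init
## Sessions are held by the pre-id default policy until the dynamic
## application is identified; log them so the gap is visible in Splunk.
set security policies pre-id-default-policy then log session-close

## 4. utm-policy: antivirus plus URL filtering with predefined profiles
##    (assumed present on the platform). IDP is a separate policy.
set security utm utm-policy web-utm anti-virus http-profile junos-sophos-av-defaults
set security utm utm-policy web-utm web-filtering http-profile junos-wf-enhanced-default

## 5. Stream-mode security logs straight from the data plane to a collector
set security log mode stream
set security log format sd-syslog
set security log source-address 192.0.2.1
set security log stream splunk host 203.0.113.10
set security log stream splunk host port 514
set security log stream splunk severity info
set security log stream splunk category all

## 6. Logical system (PA VSYS) with its own virtual router (PA vRouter)
##    and static routes; a security profile must be bound to the LSYS.
set system security-profile SP-DMZ policy maximum 200
set system security-profile SP-DMZ zone maximum 10
set system security-profile SP-DMZ logical-system LSYS-DMZ
set logical-systems LSYS-DMZ interfaces reth1 unit 300 vlan-id 300 family inet address 10.20.30.1/24
set logical-systems LSYS-DMZ security zones security-zone dmz interfaces reth1.300
set logical-systems LSYS-DMZ routing-instances VR-DMZ instance-type virtual-router
set logical-systems LSYS-DMZ routing-instances VR-DMZ interface reth1.300
set logical-systems LSYS-DMZ routing-instances VR-DMZ routing-options static route 10.40.0.0/16 next-hop 10.20.30.254
set logical-systems LSYS-DMZ routing-instances VR-DMZ routing-options static route 0.0.0.0/0 next-hop 10.20.30.254

## Verification (operational mode):
##   show chassis cluster interfaces
##   show security policies policy-name allow-web detail
##   show configuration security policies | display set | match "tag:PCI"
##   show route logical-system LSYS-DMZ table VR-DMZ.inet.0
```

The deny-all rule at the bottom of the rulebase only matches on application, not dynamic-application, so it does not depend on App-ID and does not pass through the pre-id default policy. The `| match "tag:PCI"` filter over the `display set` output is the search/filter that the description-as-tag approach in the answer above relies on.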