I am a new network engineer, and very new to Juniper and firewalls. My company is a small service provider for satellite data transmissions. Basically we provide phone/data service to remote users and have a gateway to the internet. Here is the challenge: We are dividing our network such that managing commercial customers and government-related customers will have increasing separation. We have 2 different customer management systems, and each needs to be able to create limited firewall rules for each customer. Currently we have only Netscreen 204s in service, and some of our customers have a VPN to those firewalls so that after rules are applied, that customer's traffic goes to that VPN destination. What we want to do is add 2 HA SRX240s that would only handle traffic for certain IP ranges, but still be able to have VPNs to them. Basically, we would split traffic, with certain IP addresses going to one FW and certain IP addresses going to the other. Both firewalls are currently in the same VLAN, but only the Netscreens are in production.
Is there any simple way to handle this with policy or simple routing? I'm not really sure.
I would use two reth interfaces per zone, so you will have an active-active setup, and you will be able to select in multiple ways how you would like to handle the traffic.
I was not quite sure how you have configured your network now, but as far as I can see you should be able to do what you want.
I think that my real question is the second part of what you are saying--how to handle the traffic. I have Reth interfaces in two different VLANs, because the way that the traffic flows (from attachment) is in from the top SRX VPN devices "bganap", then into the cfw devices, where some of the traffic is inspected (special cases), then to the bottom FWs (which are the new SRX devices in question).
SRX & Netscreens all are in the same VLANs.
Then from there out to the internet. So those FWs at the bottom are going to need to be running alongside the Netscreens (not shown), and since I inherited this network but have to upgrade to separate the traffic, handling the traffic is what I don't have clear in my mind.
How would I keep the Netscreens inspecting only one group of IPs and the SRXs another without interfering with each other? I guess I'm looking for some possible config options.
As far as zones, we have two: land and satellite. The satellite side is our customer base, land takes them out to the internet.
From what I understand, your problem can be solved using FBF (Filter Based Forwarding) or, in Cisco terms, PBR (Policy Based Routing).
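As an added illustration of the FBF approach suggested in the reply above (this is an example written for this thread, not configuration posted by either participant or taken from the original network), the following Junos fragment steers one customer source range toward the SRX pair while everything else keeps following the main table toward the Netscreens. It is meant for a Junos device sitting upstream of both firewall pairs, on the VLAN they share; whether the "cfw" devices in the attachment run Junos is an assumption. The interface name reth0, the filter and routing-instance names, the 10.10.0.0/16 customer range and the 192.0.2.x next-hop addresses are all placeholders constructed for the example.

```junos
/* Added example: filter-based forwarding to split traffic between two firewall pairs. */
routing-options {
    interface-routes {
        /* Share the directly connected routes with the FBF instance so the
           next-hop below is resolvable inside via-srx.inet.0. */
        rib-group inet fbf-rib-group;
    }
    rib-groups {
        fbf-rib-group {
            import-rib [ inet.0 via-srx.inet.0 ];
        }
    }
    static {
        /* Default path for all traffic not matched by the filter:
           the Netscreen pair (placeholder address). */
        route 0.0.0.0/0 next-hop 192.0.2.1;
    }
}
routing-instances {
    via-srx {
        /* A forwarding-type instance holds only the alternative default route. */
        instance-type forwarding;
        routing-options {
            static {
                /* Placeholder: VIP / reth address of the HA SRX240 pair. */
                route 0.0.0.0/0 next-hop 192.0.2.2;
            }
        }
    }
}
firewall {
    family inet {
        filter split-by-source {
            term customers-for-srx {
                from {
                    source-address {
                        /* Constructed customer range that the SRXs should inspect. */
                        10.10.0.0/16;
                    }
                }
                then {
                    routing-instance via-srx;
                }
            }
            term everything-else {
                /* Unmatched traffic stays in inet.0 and follows the Netscreen default. */
                then accept;
            }
        }
    }
}
interfaces {
    reth0 {
        unit 0 {
            family inet {
                filter {
                    /* Apply on the satellite-facing (customer) side, inbound. */
                    input split-by-source;
                }
                address 192.0.2.10/24;
            }
        }
    }
}
```

Two points to check when adapting it: the filter only affects packets entering the interface it is applied to, so return traffic from the land side is not steered by it and must arrive at the correct firewall by normal routing (or a second filter on the land-facing reth), and you can confirm which path a given source is taking with "show route table via-srx.inet.0" and "show firewall filter split-by-source" counters after adding a "count" action to the terms.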