Hi Roberto,
The dynamic address lists are updated internally by a process on the SRX device, without the need for a configuration commit. You can additionally configure the hold-interval and update-interval values to instruct the SRX on how often it should seek updates.
There will be only one commit, which will be for the initial configuration of the dynamic-address name and feed server details.
The issue you mention would be present in the Ansible deployment, as the Ansible server will be updating the configuration for each update.
------------------------------
GAVIN WHITE
------------------------------
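The feed the SRX pulls after that single commit is a plain text file that something on your side has to generate. The script below is an added example, not code from the thread or from Juniper: it builds such a feed from application-supplied entries, rejecting anything a production app should never be able to allowlist on the firewall. The one-entry-per-line format with `#` comments, the prefix limits and the never-allow ranges are assumptions (operator policy), and the sample input is constructed.

```python
"""Build the plain-text allowlist feed that an SRX dynamic-address feed-server pulls."""
import ipaddress
import os
import tempfile

# Broadest prefix an application may allowlist, per address family (assumed policy).
MIN_PREFIXLEN = {4: 8, 6: 32}

# Ranges that are never "external": an app-supplied entry touching these is a bug or abuse.
NEVER_ALLOW = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

def parse_entry(raw: str):
    """Return an ip_network for a valid line, None for blank/comment lines, or raise ValueError."""
    text = raw.strip()
    if not text or text.startswith("#"):
        return None
    net = ipaddress.ip_network(text, strict=False)  # raises ValueError on garbage
    if net.prefixlen < MIN_PREFIXLEN[net.version]:
        raise ValueError(f"prefix /{net.prefixlen} too broad")
    if any(net.overlaps(bad) for bad in NEVER_ALLOW if bad.version == net.version):
        raise ValueError("not an external address")
    return net

def build_feed(candidates):
    """Validate, de-duplicate and collapse entries; return (feed_lines, rejection_reasons)."""
    nets, rejected = [], []
    for raw in candidates:
        try:
            net = parse_entry(raw)
        except ValueError as exc:
            rejected.append(f"{raw.strip()}: {exc}")
            continue
        if net is not None:
            nets.append(net)
    lines = []
    for version in (4, 6):  # collapse_addresses refuses mixed families, so do one at a time
        for net in ipaddress.collapse_addresses(n for n in nets if n.version == version):
            # Single hosts go out as bare addresses, everything else in CIDR form.
            lines.append(str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net))
    return lines, rejected

def write_feed(path: str, lines) -> str:
    """Write the feed atomically so the SRX never fetches a half-written file; return the text."""
    text = "# generated allowlist feed\n" + "".join(line + "\n" for line in lines)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".feed-")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)
    return text

# Constructed sample of what production apps might submit (documentation ranges, not real data).
SAMPLE_INPUT = ["198.51.100.10", "198.51.100.10", "203.0.113.0/24", "203.0.113.128/25",
                "0.0.0.0/0", "10.0.0.5", "not-an-ip", "2001:db8::1", "# comment", ""]

if __name__ == "__main__":
    feed, rejected = build_feed(SAMPLE_INPUT)
    print("\n".join(feed))
    print("rejected:", *rejected, sep="\n  ")
```

Serve the resulting file from the feed server path the SRX is configured to poll; the rejections are what you log and alert on, since they show an application trying to open more than it should.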
Original Message:
Sent: 03-10-2023 13:02
From: Roberto
Subject: Externally managed blacklist on SRX3xx
Thanks for the reply. So, each dynamic-address list update will be a separate configuration commit, right? I mean after 50 updates it will completely purge the commit history on the device.
------------------------------
Roberto Pedrini
Original Message:
Sent: 02-24-2023 19:53
From: GAVIN WHITE
Subject: Externally managed blacklist on SRX3xx
Hi Roberto,
This is a good option and it will allow you to update devices via an Ansible deployment server to multiple devices. You will need the production devices to push the IP addresses to the Ansible server and parse those entries into a YAML file for deployment.
Another option, useful if you have lots of devices and need more agile deployment, is to use a dynamic-address list. This will allow the SRXs to collect the address-book entries from a dedicated feed server. This will also allow for a much larger number of entries in a single address book. I have tested to at least 120,000 entries.
https://www.juniper.net/documentation/us/en/software/junos/logical-system-security/topics/ref/statement/dynamic-address.html
------------------------------
GAVIN WHITE
Original Message:
Sent: 02-20-2023 12:37
From: Roberto
Subject: Externally managed blacklist on SRX3xx
Hi, I'm not sure if I'm posting to the right community; please point me to the right one in case there is a better choice.
We use SRX3xx as gateways/L3+L4 firewalls in our company. Recently managers had a bright idea: as an additional security measure we need to forbid traffic from the production environment to all external IPs except for the whitelisted ones. The production environment (e.g. PHP applications) should be able to supply new whitelisted IPs to the SRX. It is not enough to block IPs on the application side, since it can't effectively block all traffic.
My questions are:
- What do you think about the idea in general? Is that a legitimate use case for the security device? Are there any more suitable devices for the task?
- I guess I can form a security→address-book→address-set entry consisting of whitelisted addresses and then feed new address entries using Ansible and/or NETCONF. That gives me up to 1024 entries in every address-set. Is there a better way to form the whitelist?
------------------------------
Roberto Pedrini
------------------------------