Hi, not sure if I'm posting to the right community, please point me in case there is a better choice.
We use SRX3xx as gateways/L3+L4 firewalls in our company. Recently managers had a bright idea: as an additional security measure we need to forbid traffic from the production environment to all external IPs except for the whitelisted ones. The production environment (e.g. PHP applications) should be able to supply new whitelisted IPs to the SRX. It is not enough to block IPs on the application side, since it can't effectively block all traffic.
My questions are:
This is a good option and it will allow you to update devices via an Ansible deployment server to multiple devices. You will need the production devices to push the IP addresses to the Ansible server and parse those entries into a YAML file for deployment.
Another option, useful if you have lots of devices and need more agile deployment, is to use a dynamic-address list. This will allow the SRXs to collect the address-book entries from a dedicated feed server. This will also allow for a much larger number of entries in a single address book. I have tested to at least 120,000 entries.

https://www.juniper.net/documentation/us/en/software/junos/logical-system-security/topics/ref/statement/dynamic-address.html
Thanks for the reply. So, each dynamic-address list update will be a separate configuration commit, right? I mean after 50 updates it will completely purge the commit history on the device.
------------------------------
GAVIN WHITE

Original Message:
Sent: 02-20-2023 12:37
From: Roberto
Subject: Externally managed blacklist on SRX3xx
Hi Roberto, the dynamic address lists are updated internally by a process on the SRX device, without the need for a configuration commit. You can additionally configure the hold-interval and update-interval values to instruct the SRX on how often it should seek updates. There will be only one commit, which will be for the initial configuration of the dynamic-address name and feed server details.
This issue you mention would be present in the Ansible deployment, as the Ansible Server will be updating the configuration for each update.
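The thread's point is that with a dynamic-address list the SRX is configured once and then pulls a plain-text feed (one IP or prefix per line) on its update-interval, so the application side only ever rewrites that feed file. Here is an added example, not code from the thread or from Juniper, of the application-side step: validating what the production apps submit before it lands in the feed. The blocked ranges and prefix-width limits are this example's assumed policy, and the sample submissions are constructed.

```python
"""Feed-file builder for an SRX dynamic-address feed server (added example,
not Juniper's code). The policy below is an assumption of this example."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Assumed policy for an allowlist of *external* destinations: keep internal,
# loopback, link-local and multicast ranges out, and cap prefix width so one
# careless entry cannot re-open the whole internet.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]
MIN_PREFIXLEN = {4: 24, 6: 48}

def validate_entry(raw: str) -> Optional[str]:
    """Return the canonical CIDR form of an acceptable entry, else None."""
    raw = raw.strip()
    if not raw or raw.startswith("#"):
        return None
    try:
        net = ipaddress.ip_network(raw, strict=False)  # bare host -> /32 or /128
    except ValueError:
        return None
    if net.prefixlen < MIN_PREFIXLEN[net.version]:
        return None
    if any(b.version == net.version and net.overlaps(b) for b in BLOCKED):
        return None
    return net.with_prefixlen

def build_feed(submitted: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split submissions into deduplicated accepted entries and rejects."""
    accepted, rejected, seen = [], [], set()
    for raw in submitted:
        entry = validate_entry(raw)
        if entry is None:
            rejected.append(raw.strip())
        elif entry not in seen:
            seen.add(entry)
            accepted.append(entry)
    return accepted, rejected

def render_feed(accepted: List[str]) -> str:
    """One prefix per line, the plain-text form the feed file takes."""
    return "".join(f"{entry}\n" for entry in accepted)

# Constructed sample of what the production apps might submit.
SAMPLE_SUBMISSIONS = ["203.0.113.10", "198.51.100.0/24", "203.0.113.10/32",
                      "10.0.0.5", "0.0.0.0/0", "2001:db8::1", "not-an-ip"]
```

Writing `render_feed(build_feed(...)[0])` to the path the SRX feed-server entry points at is the whole update; the SRX picks it up on its next update-interval with no commit.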