SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to make address book entries least memory consuming?

    Posted 17 days ago

    I need to filter a large number of IP blocks in order to protect a Pulse Secure device (I know, a bit hilarious). As there will be lots of prefixes, I'm wondering which method is the best.

    Example:

    set security address-book global address AU-1.40.0.0 range-address 1.40.0.0 to 1.44.255.255
    set security address-book global address-set Country-AU address AU-1.40.0.0

    or:

    set security address-book global address AU-1.40.0.0 wildcard-address 1.40.0.0/14
    set security address-book global address AU-1.44.0.0 wildcard-address 1.44.0.0/16
    set security address-book global address-set Country-AU address AU-1.40.0.0
    set security address-book global address-set Country-AU address AU-1.44.0.0

    The former means fewer lines, but is it really more efficient memory-wise? A CIDR block is normally easier and more efficient to represent in code, but perhaps the number of address objects will run out sooner than the memory available for address-range objects?

    I know ATP can provide country objects, but the customer needs this quite rapidly and is migrating away from the Pulse device, so I figured a quickie could do the trick. I'm not aiming for a full global country list, just the major blocks in the most common countries.



  • 2.  RE: How to make address book entries least memory consuming?

    Posted 15 days ago

    Just use CIDR, but ... without the wildcard-address keyword: just set address YadaYada 1.40.0.0/14. Wildcard-address is for masks with non-contiguous bits, like wildcard-address 1.40.0.12/255.0.0.8, etc.

    Or ... you can list address in a txt file in this form:
    1.40.0.0-1.44.255.255
    2.3.0.0-2.3.255.255

    Then compress it into a gz file (<-- this is important!!! gzip the txt file into a gz file; no tarball, no zip, no anything else; it won't work if not compressed correctly), host it somewhere on a server, and define yourself a dynamic address on the firewall and use that! Check out this write-up as an example: https://www.reddit.com/r/Juniper/comments/i2t97y/srx_loading_custom_dynamiciplists_from_your_own/?rdt=52046

    Then you can use all the tools and scripts you like to compose a text file with addresses.

    When I tested that feature a few years ago, I didn't have many addresses I needed to put in my use case, but since you mentioned ATP, they use feeds for those, so I imagine the firewall can handle quite a few addresses.



    ------------------------------
    Nikolay Semov
    ------------------------------
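As an added example (not code from the original thread or from Juniper), here is the feed-building step from the reply above done in Python: it reads CIDR prefixes and "first-last" ranges, merges adjacent blocks into the one-range-per-line form the reply shows (so 1.40.0.0/14 plus 1.44.0.0/16 from the question become the single range 1.40.0.0-1.44.255.255), compresses with plain gzip (no tar, no zip), and validates the result before you publish it. The input is constructed sample data echoing the question's AU blocks, not real geo data; the output filename is an assumption. The firewall-side dynamic-address configuration is not reproduced here; the linked write-up covers it.

```python
"""Build and sanity-check a gzip'd custom IP-range feed for an SRX dynamic-address."""
import gzip
import ipaddress
from typing import List

# Constructed sample input (not real geo data): a mix of CIDR prefixes and
# first-last ranges, echoing the AU blocks from the question.
SAMPLE_INPUT = """
# comments and blank lines are ignored
1.40.0.0/14
1.44.0.0/16
2.3.0.0-2.3.255.255
"""

GZIP_MAGIC = b"\x1f\x8b"
OUTPUT_FILE = "Country-AU.txt.gz"  # assumed name; match it to the path in your feed config


def parse_line(line: str):
    """Turn one input line (CIDR, single address, or first-last range) into networks."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return []
    if "-" in line:
        first, last = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
        if last < first:
            raise ValueError(f"range end before start: {line}")
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(line, strict=False)]


def to_ranges(text: str) -> List[str]:
    """Collapse all input into non-overlapping, merged first-last ranges.

    collapse_addresses() merges prefixes that form a valid supernet; the
    integer pass afterwards also joins blocks that are adjacent but not
    CIDR-aligned, which is exactly the /14 + /16 case from the question.
    """
    nets = []
    for line in text.splitlines():
        nets.extend(parse_line(line))
    merged: List[List[int]] = []
    for net in sorted(ipaddress.collapse_addresses(nets)):
        first, last = int(net.network_address), int(net.broadcast_address)
        if merged and first <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], last)
        else:
            merged.append([first, last])
    return [f"{ipaddress.ip_address(a)}-{ipaddress.ip_address(b)}" for a, b in merged]


def build_feed(text: str) -> bytes:
    """Return the gzip-compressed feed body, one first-last range per line."""
    body = ("\n".join(to_ranges(text)) + "\n").encode("ascii")
    # mtime=0 keeps the output byte-identical for identical input, so an
    # unchanged list republishes as the same file.
    return gzip.compress(body, mtime=0)


def validate_feed(blob: bytes) -> int:
    """Check the blob is plain gzip of range lines; return the line count.

    Catches the mistakes the reply warns about: a zip or a plain text file
    fails the magic check, and a gzipped tarball fails the per-line parse
    because tar headers are not 'a.b.c.d-e.f.g.h' lines.
    """
    if blob[:2] != GZIP_MAGIC:
        raise ValueError("not a gzip stream (zip, tar or plain text will not load)")
    lines = gzip.decompress(blob).decode("ascii", errors="replace").splitlines()
    for line in lines:
        try:
            first, last = line.split("-", 1)
            ipaddress.ip_address(first)
            ipaddress.ip_address(last)
        except ValueError as exc:
            raise ValueError(f"bad feed line {line!r}") from exc
    return len(lines)


if __name__ == "__main__":
    blob = build_feed(SAMPLE_INPUT)
    count = validate_feed(blob)
    with open(OUTPUT_FILE, "wb") as fh:
        fh.write(blob)
    print(f"wrote {OUTPUT_FILE}: {count} ranges, {len(blob)} bytes")
```

Run it over your own list (one prefix or range per line) and serve the resulting .gz from any plain HTTP(S) server the SRX can reach; if validate_feed() raises, fix the file before pointing the firewall at it, since a malformed feed fails silently from the policy's point of view.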