Hi, I'm trying to set up a transparent proxy on SRX 3xx.
The client should be able to connect to the Internet knowing nothing about the proxy.
It seems like secure web proxy may help me to achieve the goal, so I'm setting it up according to the linked article. The problem is that proxy configuration seems to be completely ignored.
I'm trying to check how the proxy works with the following command on the client:

    wget -v https://www.google.com
On the SRX I see that the traffic goes through the policy that applies the web-proxy profile to the traffic, P-TO-ANY-PROXY-TEST. Except that it applies nothing, and the traffic goes directly to the Internet:

    # run show security flow session source-prefix 10.249.110.101
    Session ID: 46178, Policy name: P-TO-ANY-PROXY-TEST/200, HA State: Stand-alone, Timeout: 2, Valid
      In: 10.249.110.101/46526 --> 142.250.185.196/443;tcp, Conn Tag: 0x0, If: irb.110, Pkts: 17, Bytes: 1652,
      Out: 142.250.185.196/443 --> EXTERNAL-IP/1673;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 24, Bytes: 21405,
Any ideas what I'm doing wrong? I'm not familiar with the NGFW functionality, and it seems secure-proxy is part of it, so maybe I'm doing something completely wrong.
My config looks like this (SNAT rules are omitted):
    security {
        policies {
            from-zone ZONE-LAN-1 to-zone ZONE-INET {
                policy P-TO-ANY-PROXY-TEST {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            application-services {
                                web-proxy {
                                    profile-name WP-SP-PROF-PROXY;
                                }
                            }
                        }
                    }
                }
            }
            global {
                /* Global policies permitting ZONE-LAN-1<->ZONE-LAN-2 and ZONE-LAN-2->ZONE-INET traffic */
            }
            default-policy {
                deny-all;
            }
        }
        zones {
            security-zone ZONE-INET {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/6.0;
                }
            }
            security-zone ZONE-LAN-1 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    irb.110;
                }
            }
            security-zone ZONE-LAN-2 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    irb.120;
                }
            }
        }
    }
    services {
        /* Setting up no dynamic-web-application(-group) since I don't need any exclusions */
        web-proxy {
            secure-proxy {
                profile WP-SP-PROF-PROXY {
                    proxy-address WP-SP-PROXY {
                        ip 10.249.120.10/32;
                        port 3128;
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ VLAN-1 VLAN-2 ];
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family inet {
                    address EXTERNAL-IP/24;
                }
            }
        }
        irb {
            unit 110 {
                family inet {
                    address 10.249.110.1/24;
                }
            }
            unit 120 {
                family inet {
                    address 10.249.120.1/24;
                }
            }
        }
    }
    vlans {
        VLAN-1 {
            vlan-id 110;
            l3-interface irb.110;
        }
        VLAN-2 {
            vlan-id 120;
            l3-interface irb.120;
        }
    }
------------------------------
Roberto Pedrini
------------------------------
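Added example, not part of the original post and not Juniper's code: a small Python script that parses `show security flow session` output and reports which web sessions (TCP to port 80 or 443) are actually being handed to the configured proxy and which are going straight out, which is the check the post is doing by eye. It rests on one assumption, labelled as such in the code: that a session the secure web proxy has redirected shows the proxy IP and port (10.249.120.10/3128 from the config above) as the source of its reverse "Out" wing, while a bypassed session shows the original destination there, as in the poster's output. The sample output is constructed: the first session is the one from the post, the second is an invented session that goes via the proxy.

```python
"""Flag SRX flow sessions whose web traffic bypasses a transparent proxy.

Assumption (not confirmed by the original post): a session redirected by the
secure web proxy has the proxy address/port as the source of its reverse
('Out') wing; a session that went direct has the original destination there.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: session 46178 is copied from the post (direct to Google);
# session 46201 is invented to show what a proxied session would look like.
SAMPLE_OUTPUT = """\
Session ID: 46178, Policy name: P-TO-ANY-PROXY-TEST/200, HA State: Stand-alone, Timeout: 2, Valid
  In: 10.249.110.101/46526 --> 142.250.185.196/443;tcp, Conn Tag: 0x0, If: irb.110, Pkts: 17, Bytes: 1652,
  Out: 142.250.185.196/443 --> EXTERNAL-IP/1673;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 24, Bytes: 21405,
Session ID: 46201, Policy name: P-TO-ANY-PROXY-TEST/200, HA State: Stand-alone, Timeout: 1800, Valid
  In: 10.249.110.101/46530 --> 142.250.185.196/443;tcp, Conn Tag: 0x0, If: irb.110, Pkts: 9, Bytes: 1204,
  Out: 10.249.120.10/3128 --> 10.249.110.101/46530;tcp, Conn Tag: 0x0, If: irb.120, Pkts: 11, Bytes: 8032,
"""

SESSION_RE = re.compile(r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^/,]+)/\d+,")
# Address tokens are matched as "anything but whitespace or '/'" so that
# placeholders such as EXTERNAL-IP parse the same way as dotted IPs.
WING_RE = re.compile(
    r"^(?P<dir>In|Out): (?P<src>[^\s/]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[^\s/]+)/(?P<dport>\d+);(?P<proto>\w+),.*?If: (?P<iface>[^,]+),"
)

WEB_PORTS = {80, 443}


@dataclass
class Session:
    sid: str
    policy: str
    wings: dict = field(default_factory=dict)  # "In" / "Out" -> parsed wing


def parse_sessions(text):
    """Parse the session records (one header line, then In/Out wing lines)."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = Session(m["sid"], m["policy"])
            sessions.append(current)
            continue
        w = WING_RE.match(line)
        if w and current is not None:
            current.wings[w["dir"]] = {
                "src": w["src"], "sport": int(w["sport"]),
                "dst": w["dst"], "dport": int(w["dport"]),
                "proto": w["proto"], "iface": w["iface"],
            }
    return sessions


def classify(sessions, proxy_ip, proxy_port):
    """Return (session id, policy, verdict) for every TCP web session.

    verdict is "via-proxy" when the reverse wing originates at the proxy
    address/port (see the assumption in the module docstring), else "direct".
    """
    results = []
    for s in sessions:
        inw, outw = s.wings.get("In"), s.wings.get("Out")
        if not inw or not outw or inw["proto"] != "tcp" or inw["dport"] not in WEB_PORTS:
            continue  # incomplete record or not web traffic
        proxied = outw["src"] == proxy_ip and outw["sport"] == proxy_port
        results.append((s.sid, s.policy, "via-proxy" if proxied else "direct"))
    return results


def bypassing_proxy(text, proxy_ip, proxy_port):
    """Convenience wrapper: only the web sessions that did not go via the proxy."""
    return [r for r in classify(parse_sessions(text), proxy_ip, proxy_port) if r[2] == "direct"]


if __name__ == "__main__":
    for sid, policy, verdict in classify(parse_sessions(SAMPLE_OUTPUT), "10.249.120.10", 3128):
        print(f"session {sid} (policy {policy}): {verdict}")
```

In practice you would feed it the output of `show security flow session source-prefix <client>` captured from the SRX; any "direct" line under a policy that carries the web-proxy profile is a session the proxy never saw.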