SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Externally managed blacklist on SRX3xx

    Posted 02-20-2023 13:08

    Hi, not sure if I'm posting to the right community, please point me in case there is a better choice.

    We use SRX3xx as gateways/L3+L4 firewalls in our company. Recently managers had a bright idea: as an additional security measure we need to forbid traffic from the production environment to all external IPs except for the whitelisted ones. The production environment (e.g. PHP applications) should be able to supply new whitelisted IPs to the SRX. It is not enough to block IPs on the application side, since it can't effectively block all traffic.

    My questions are:

    1. What do you think about the idea in general? Is that a legitimate use case for the security device? Are there any more suitable devices for the task?
    2. I guess I can form a security→address-book→address-set entry consisting of whitelisted addresses and then feed new address entries using ansible and/or netconf. That gives me up to 1024 entries in every address-set. Is there a better way to form the whitelist?


    ------------------------------
    Roberto Pedrini
    ------------------------------


  • 2.  RE: Externally managed blacklist on SRX3xx

    Posted 02-24-2023 19:53

    Hi Roberto, 

    This is a good option and it will allow you to update devices via an ansible deployment server to multiple devices. You will need the Production devices to push the IP addresses to the ansible server and parse those entries into a YAML file for deployment.

    Another option, useful if you have lots of devices and need more agile deployment, you may like to use a dynamic-address list. This will allow the SRXs to collect the address-book entries from a dedicated feed server.  This will also allow for a much larger number of entries in a single address book. I have tested to at least 120,000 entries.
    https://www.juniper.net/documentation/us/en/software/junos/logical-system-security/topics/ref/statement/dynamic-address.html



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 3.  RE: Externally managed blacklist on SRX3xx

    Posted 03-10-2023 15:15

    Thanks for reply. So, each dynamic-address list update will be a separate configuration commit, right? I mean after 50 updates it will completely purge commit history on the device.



    ------------------------------
    Roberto Pedrini
    ------------------------------



  • 4.  RE: Externally managed blacklist on SRX3xx

    Posted 03-10-2023 21:06

    Hi Roberto, 

    The Dynamic address lists are updated internally by a process on the SRX device, without the need for a configuration commit. You can additionally configure the hold-interval and update-interval values, to instruct the SRX on how often it should seek updates.
    There will be only one commit, which will be for the initial configuration of the dynamic-address name and feed server details.


    The issue you mention would be present in the Ansible deployment, as the Ansible Server will be updating the configuration for each update.



    ------------------------------
    GAVIN WHITE
    ------------------------------
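Added example, not code from this thread or from Juniper, tying together the three pieces discussed above: the address-set approach with its 1024-entries-per-set limit from post 1, the dynamic-address feed from post 2, and the update-interval/hold-interval knobs from post 4. The part a practitioner most wants here is the validation step: the entries come from production applications, so an application compromise must not be able to push `0.0.0.0/0` or an internal range into the allowlist. The denied ranges, the "/24 or narrower" policy, the hostnames, paths and object names are all assumptions; the feed-file format (one IP address or prefix per line, fetched over HTTP(S)) is my reading of the dynamic-address documentation linked in post 2, and the `set` hierarchy rendered for it should be checked against that page for your Junos release. The sample input is constructed.

```python
"""Build an SRX egress allowlist from untrusted, application-supplied entries.

Outputs (names and paths below are assumptions, not Juniper defaults):
  * render_feed            -> plain-text body for a `security dynamic-address` feed file
  * render_address_sets    -> `set` commands for a static address-book, chunked at 1024
  * render_dynamic_address_config -> the one-time `set` commands for the feed consumer
"""
import ipaddress
from typing import Iterable, List, Tuple

MAX_SET_SIZE = 1024      # per-address-set limit quoted in the question
MIN_V4_PREFIX = 24       # policy assumption: nothing broader than a /24 may be allowlisted

# Ranges a production app must never be able to allowlist (site policy assumption).
DENIED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample of what the PHP applications might push.
SAMPLE = """
# duplicates, a range, a host inside that range, and four entries that must be refused
203.0.113.10
203.0.113.10
198.51.100.0/24
198.51.100.77
10.0.0.5
0.0.0.0/0
not-an-ip
2001:db8::1
"""


def normalise(raw: Iterable[str]) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Validate untrusted lines. Returns (accepted networks, rejected lines with a reason)."""
    accepted, rejected = set(), []
    for line in raw:
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(s, strict=False)
        except ValueError:
            rejected.append(f"{s}: not an IP address or prefix")
            continue
        if net.version != 4:
            rejected.append(f"{s}: only IPv4 handled in this example")
            continue
        if net.prefixlen < MIN_V4_PREFIX:
            rejected.append(f"{s}: broader than /{MIN_V4_PREFIX}")
            continue
        if any(net.overlaps(d) for d in DENIED):
            rejected.append(f"{s}: overlaps a denied range")
            continue
        accepted.add(net)
    # collapse_addresses drops duplicates and prefixes already covered by a wider accepted one
    return list(ipaddress.collapse_addresses(accepted)), rejected


def render_feed(nets: List[ipaddress.IPv4Network]) -> str:
    """Feed body: one entry per line; hosts written without /32 (format is an assumption)."""
    return "".join(f"{n.network_address if n.prefixlen == 32 else n.with_prefixlen}\n" for n in nets)


def render_address_sets(nets: List[ipaddress.IPv4Network], base: str = "PROD-ALLOW") -> List[str]:
    """Static alternative: address objects in address-sets of at most MAX_SET_SIZE,
    nested into one parent address-set so a policy references a single name."""
    cmds, children = [], []
    for i in range(0, len(nets), MAX_SET_SIZE):
        child = f"{base}-{i // MAX_SET_SIZE:03d}"
        children.append(child)
        for n in nets[i:i + MAX_SET_SIZE]:
            addr = f"{base}_{n.network_address}_{n.prefixlen}"
            cmds.append(f"set security address-book global address {addr} {n.with_prefixlen}")
            cmds.append(f"set security address-book global address-set {child} address {addr}")
    for child in children:
        cmds.append(f"set security address-book global address-set {base} address-set {child}")
    return cmds


def render_dynamic_address_config(server: str = "allow-feed", hostname: str = "feeds.example.internal",
                                  feed_name: str = "prod-allow", path: str = "/allow.txt",
                                  update_interval: int = 300, hold_interval: int = 86400) -> List[str]:
    """One-time commit for the feed consumer; hostname/path/names are assumptions."""
    return [
        f"set security dynamic-address feed-server {server} hostname {hostname}",
        f"set security dynamic-address feed-server {server} update-interval {update_interval}",
        f"set security dynamic-address feed-server {server} hold-interval {hold_interval}",
        f"set security dynamic-address feed-server {server} feed-name {feed_name} path {path}",
        f"set security dynamic-address address-name {feed_name.upper()} profile feed-name {feed_name}",
    ]


if __name__ == "__main__":
    nets, rejected = normalise(SAMPLE.splitlines())
    print(render_feed(nets), end="")
    print(*rejected, sep="\n")
    print(*render_address_sets(nets), sep="\n")
    print(*render_dynamic_address_config(), sep="\n")
```

On the sample, `198.51.100.77` disappears into `198.51.100.0/24`, the duplicate host is kept once, and the four bad lines are refused with a reason you can log for the application team. The feed body goes on an internal HTTPS server that only the SRX can reach; the address-set renderer is what you would hand to Ansible or NETCONF if you take the commit-per-update route instead.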